mailing list archives
PowerFTP Personal FTP Server Multiple Vulnerabilities
From: Strumpf Noir Society <vuln-dev () labs secureance com>
Date: Mon, 11 Feb 2002 19:09:28 +0100
Strumpf Noir Society Advisories
! Public release !
-= PowerFTP Personal FTP Server Multiple Vulnerabilities =-
Release date: Monday, February 11, 2002
PowerFTP Personal FTP Server is a multithreaded FTP server
for the MS Windows OS by Cooolsoft.
The PowerFTPd is available from vendor Cooolsoft's website:
The PowerFTP server contains multiple vulnerabilities which could
provide an attacker with the capability to ennumerate a system's
structure, obtain read access to any file on the system and carry
out a denial of service attack against it.
PowerFTPd Information Disclosure Vulnerabilities
The PowerFTP server does not properly parse directory information
to a relative path. As such, executing a simple 'PWD' command on
the server will return the full system path of the current directory
to the user.
Also, FTP account information is stored unencrypted in the file
ftpserver.ini. Through either physical access to the machine or by
abusing one of the directory traversal attacks described below,
elevated privileges could be obtained on the system by retrieving
PowerFTPd Directory Traversal Vulnerabilities
The PowerFTP server fails to properly restrict access to files outside
of the user directory. By either requesting a direct path to a file or
directory ('DIR c:\') or by applying a variety of the "double dot"
notation ('DIR \..\*.*') an attacker is able to break out of the assigned
directory and read/obtain any file on any system drive.
PowerFTP Buffer Overflow Vulnerabilities
Due to a failure to check the length of any of the arguments passed
to the PowerFTP server with any of the standard FTP commands, an
attacker can execute a denial of service attack against the PowerFTP
server by sending a string of 2050 bytes or more to the target system.
Upon receipt, the server will start consuming 100% cpu resources and
will become unresponsive. A restart of the application is required to
regain full functionality.
On a side note, the PowerFTP client which is distributed with this
package is literally riddled with overflow conditions like this as
Vendor has been notified of these problems on January 12, 2002. We
have yet to receive a reply. Recently PowerFTP v2.10 was released,
which is advertised as safe and efficient on the product web site.
None of these issues were fixed in this release. After unsuccessfully
retrying to contact the vendor, this has prompted us to publicly
release this information.
This was tested against PowerFTP Personal FTP Server v2.03 and PowerFTP
Personal FTP Server v2.10 on Win2k.
SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html)
compliant, all information is provided on AS IS basis.
EOF, but Strumpf Noir Society will return!
- PowerFTP Personal FTP Server Multiple Vulnerabilities Strumpf Noir Society (Feb 13)