ID: CVE-2001-1335
Type: cve
Reporter: cve@mitre.org
Modified: 2008-09-10T19:10:00
Description
Directory traversal vulnerability in CesarFTP 0.98b and earlier allows remote authenticated users (such as anonymous) to read arbitrary files via a GET with a filename that contains a ...%5c (modified dot dot).
{"exploitdb": [{"lastseen": "2016-02-02T15:12:37", "bulletinFamily": "exploit", "description": "ACLogic CesarFTP 0.98 b Directory Traversal Vulnerability. CVE-2001-1335. Remote exploit for windows platform", "modified": "2001-05-27T00:00:00", "published": "2001-05-27T00:00:00", "id": "EDB-ID:20884", "href": "https://www.exploit-db.com/exploits/20884/", "type": "exploitdb", "title": "ACLogic CesarFTP 0.98b - Directory Traversal Vulnerability", "sourceData": "source: http://www.securityfocus.com/bid/2786/info\r\n\r\nCesarFTP is a freely available FTP Server for Microsoft Windows 9x/ME systems.\r\n\r\nCesarFTP on Windows 98/Me platforms contains a 'directory traversal' vulnerability.\r\n\r\nIf a user requests to change directories to \"...\" from within a mapped directory, they will change into the directory above the 'real' directory on the filesystem. At this point they can traverse the filesystem and will have read access to almost every file.\r\n\r\nA user must already have an account on the server to take advantage of this vulnerability.\r\n\r\nNote: This vulnerability only affects Windows 98/Me systems running CesarFTP. \r\n\r\nFirst, we need a directory where we have access to on\r\nthe victim host...\r\n(Or we can create one if we have enough rights)\r\n\r\nftp://127.0.0.1/\r\n\r\nmight give us a directory RESTRICTED/ for example\r\nnow we do :\r\n\r\nftp://127.0.0.1/RESTRICTED/...%5c/\r\n\r\nand we're out of the restricted subdirectory, we have\r\nread access to the whole harddrive ", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/20884/"}], "osvdb": [{"lastseen": "2017-04-28T13:20:04", "bulletinFamily": "software", "description": "## Vulnerability Description\nCesarFTP contains a flaw that allows a remote attacker to access arbitrary files outside of the web path. 
The issue is due to the program not properly sanitizing user input, specifically traversal style attacks (../../) supplied via the GET command.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nCesarFTP contains a flaw that allows a remote attacker to access arbitrary files outside of the web path. The issue is due to the program not properly sanitizing user input, specifically traversal style attacks (../../) supplied via the GET command.\n## Manual Testing Notes\nVisit a directory to which you have access.\n\nFor example, if the directory were named \"RESTRICTED\", entering the following would grant access to the victim's harddrive:\n\nftp://[victim]/RESTRICTED/...%5c/\n## References:\nSecurity Tracker: 1001624\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-05/0252.html\nKeyword: Directory Traversal\nISS X-Force ID: 6606\n[CVE-2001-1335](https://vulners.com/cve/CVE-2001-1335)\nBugtraq ID: 2786\n", "modified": "2001-05-28T00:00:00", "published": "2001-05-28T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:8982", "id": "OSVDB:8982", "title": "CesarFTP GET Modified Triple Dot Arbitrary File Access", "type": "osvdb", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "nessus": [{"lastseen": "2019-11-01T02:40:11", "bulletinFamily": "scanner", "description": "The remote FTP server allows users to browse the entire remote disk by\nissuing commands with traversal style characters. 
An attacker could\nexploit this flaw to gain access to arbitrary files.", "modified": "2019-11-02T00:00:00", "id": "FTP_TRAVERSAL.NASL", "href": "https://www.tenable.com/plugins/nessus/11112", "published": "2002-08-27T00:00:00", "title": "FTP Server Traversal Arbitrary File Access", "type": "nessus", "sourceData": "###\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(11112);\n script_version(\"1.60\");\n script_cvs_date(\"Date: 2019/02/26 4:50:08\");\n\n script_cve_id(\"CVE-2001-0582\", \"CVE-2001-0680\", \"CVE-2001-1335\", \"CVE-2004-1679\");\n script_bugtraq_id(11159, 2618, 2786, 38756, 44759, 5168);\n\n script_name(english:\"FTP Server Traversal Arbitrary File Access\");\n script_summary(english:\"Attempts to get the listing of the remote root dir.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FTP server is susceptible to a directory traversal attack.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote FTP server allows users to browse the entire remote disk by\nissuing commands with traversal style characters. 
An attacker could\nexploit this flaw to gain access to arbitrary files.\");\n # https://web.archive.org/web/20020227075045/http://archives.neohapsis.com/archives/bugtraq/2001-04/0231.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?83ccf5c4\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2001/May/248\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2004/Sep/119\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2001/May/35\");\n script_set_attribute(attribute:\"solution\", value:\"Contact your vendor for the latest version of the FTP software.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2001-0582\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2001/04/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2002/08/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"FTP\");\n\n script_copyright(english:\"This script is Copyright (C) 2002-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ftpserver_detect_type_nd_version.nasl\", \"ftp_anonymous.nasl\", \"os_fingerprint.nasl\");\n script_exclude_keys(\"ftp/ncftpd\", \"ftp/msftpd\");\n script_require_keys(\"ftp/login\");\n script_require_ports(\"Services/ftp\", 21);\n\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"audit.inc\");\ninclude(\"ftp_func.inc\");\ninclude(\"global_settings.inc\");\n\nport = get_ftp_port(default: 21);\n\nfunction dir(loc, soc)\n{\n local_var ls, p, r, result, soc2;\n\n p = ftp_pasv(socket:soc);\n if(!p) exit(1, \"PASV command failed on port \"+port+\".\");\n soc2 = open_sock_tcp(p, transport:get_port_transport(port));\n if(!soc2)return NULL;\n\n #display(\"Ok\\n\");\n ls = 'LIST ' + string(loc) + '\\r\\n';\n send(socket:soc, data:ls);\n r = recv_line(socket:soc, length:4096);\n if(preg(pattern:\"^150 \", string:r))\n {\n result = ftp_recv_listing(socket:soc2);\n close(soc2);\n r = ftp_recv_line(socket:soc);\n return(result);\n }\n close(soc2);\n return NULL;\n}\n\n# Compares two directory listings (assumes the first provided is legit).\n# Returns TRUE if the lists are both valid and differ, FALSE otherwise\nfunction list_diff()\n{\n local_var a, b;\n a = _FCT_ANON_ARGS[0];\n b = _FCT_ANON_ARGS[1];\n\n return\n strlen(b) &&\n preg(pattern:\"[a-zA-Z0-9]\", string:b) &&\n ! match(string: b, pattern: \"*permission denied*\", icase: TRUE) &&\n ! match(string: b, pattern: \"*no such file or directory*\", icase: TRUE) &&\n ! match(string: b, pattern: \"*not found*\", icase: TRUE) &&\n ! 
match(string: b, pattern: \"*total 0*\", icase: TRUE) &&\n a != b;\n}\n\nuser = get_kb_item('ftp/login');\npass = get_kb_item('ftp/password');\n\nif (isnull(user))\n{\n if (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n user = 'anonymous';\n}\nif (isnull(pass))\n{\n if (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n pass = 'nessus@nessus.org';\n}\n\nsoc = ftp_open_and_authenticate( user:user, pass:pass, port:port );\nif(!soc)\n exit(1, \"Cannot authenticate on port \"+port+\".\");\n\n# Try to access the root directory using different paths, trying a\n# couple times for each path.\nl2 = NULL; l1 = NULL;\nforeach loc (make_list(\"/\", \"/*\"))\n{\n for (i = 0; i < 2 && !l2; i++)\n l2 = dir(loc:loc, soc:soc);\n if (!isnull(l2)) break;\n}\n\nif (isnull(l2))\n{\n ftp_close(socket:soc);\n exit(1, \"No answer for DIR / on port \"+port+\".\");\n}\n\n# Try to access the root directory again, using the same path that\n# worked last time.\nfor (i = 0; i < 2 && !l1; i++)\n l1 = dir(loc:loc, soc:soc);\n\n# Ensure that the FTP server is consistently giving us the same view\n# of the root directory.\nif (l1 != l2)\n{\n ftp_close(socket:soc);\n exit(1, \"Varying output for DIR / on port \"+port+\".\");\n}\n\n# If we know the OS the remote host is using, we can limit our\n# requests. Only do this when not paranoid.\ndirs = NULL;\nif (report_paranoia < 2)\n{\n os = get_kb_item(\"Host/OS\");\n if (!isnull(os))\n {\n if (\"Windows\" >< os)\n dirs = make_list(\"/windows\");\n else\n dirs = make_list(\"/etc\");\n }\n}\n\n# If we couldn't narrow down what to check, try everything.\nif (isnull(dirs))\n dirs = make_list(\"/etc\", \"/windows\");\n\n# These are the generic traversal strings. 
The booleans indicate\n# whether the traversal string is likely to get us back to the root\n# directory.\ngeneric = make_array(\n \"../../../../../../../\", TRUE,\n \"..\\..\\..\\..\\..\\..\\..\\\", TRUE,\n \"..%5c..%5c..%5c..%5c..%5c..%5c..%5c\", TRUE,\n \"\\..\\..\\..\\..\\..\\\", TRUE,\n \"...\", FALSE,\n \"/...\", FALSE,\n \"/......\", FALSE,\n \"\\...\", FALSE,\n \"...\\\", FALSE,\n \"..../\", FALSE,\n \"\\\", FALSE,\n \"/\", FALSE,\n \"..:/..:/..:/..:/..:/..:/..:/..:/\", TRUE,\n \"..:\\..:\\..:\\..:\\..:\\..:\\..:\\..:\\\", TRUE\n);\n\n# Transform the generic traversal strings to include directory names\n# for the traversal strings that might get us to the host's root\n# directory.\npatterns = make_list();\nforeach pattern (keys(generic))\n{\n patterns = make_list(patterns, pattern);\n\n if (!generic[pattern]) continue;\n\n foreach dir (dirs)\n {\n patterns = make_list(patterns, pattern + dir);\n }\n}\n\nvuln = FALSE;\n\nforeach pat (patterns)\n{\n # First try using the dir traversal directly in the LIST command\n l2 = dir(loc: pat, soc: soc);\n vuln = list_diff(l1, l2);\n\n # If that didn't work, try passing the directory traversal string to\n # CWD first, and then trying a LIST\n if (!vuln)\n {\n r = ftp_send_cmd(socket:soc, cmd:'CWD '+pat);\n\n if (preg(pattern:\"^250 \", string:r))\n {\n l2 = dir(loc:'', soc:soc);\n vuln = list_diff(l1, l2);\n cmd = 'CWD';\n }\n }\n else cmd = 'LIST';\n\n if (vuln && report_paranoia < 2)\n {\n # Recheck the initial directory to make sure the change in the\n # directory listing found with the attack isn't just a\n # coincidental change in the initial directory itself.\n l3 = dir(loc:loc, soc:soc);\n if (list_diff(l1, l3) && !list_diff(l3, l2)) vuln = FALSE;\n }\n\n if (vuln)\n {\n #display(l1, \"\\n****\\n\"); display(l2, \"\\n\");\n report =\n '\\nThe command we found to escape the chrooted environment is : ' +\n string(cmd) + ' ' + pat +\n '\\n' +\n '\\nThis directory contains :\\n\\n' + string(l2);\n 
security_warning(port:port, extra:report);\n ftp_close(socket: soc);\n exit(0);\n }\n}\nftp_close(socket: soc);\naudit(AUDIT_LISTEN_NOT_VULN, 'FTP Server', port);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-11-01T02:17:57", "bulletinFamily": "scanner", "description": "The remote host is running CesarFTP, an FTP server for Windows systems. \n\nThere are multiple flaws in this version of CesarFTP that could allow\nan attacker to execute arbitrary code on this host, or simply to\ndisable this server remotely.", "modified": "2019-11-02T00:00:00", "id": "CESARFTP_OVERFLOWS.NASL", "href": "https://www.tenable.com/plugins/nessus/11755", "published": "2003-06-18T00:00:00", "title": "CesarFTP Multiple Vulnerabilities (OF, File Access, more)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(11755);\n script_version (\"1.30\");\n\n script_cve_id(\"CVE-2001-0826\", \"CVE-2001-1335\", \"CVE-2001-1336\", \"CVE-2003-0329\", \"CVE-2004-0298\", \"CVE-2006-2961\");\n script_bugtraq_id(2785, 2786, 2972, 7946, 7950, 9666, 18586);\n \n script_name(english:\"CesarFTP Multiple Vulnerabilities (OF, File Access, more)\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FTP server is affected by multiple flaws.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running CesarFTP, an FTP server for Windows systems. 
\n\nThere are multiple flaws in this version of CesarFTP that could allow\nan attacker to execute arbitrary code on this host, or simply to\ndisable this server remotely.\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2001/May/248\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9d02484f\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.securiteam.com/exploits/5ZP0C0AIUA.html\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Remove the software as it has not been updated since 2002.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Cesar FTP 0.99g MKD Command Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2003/06/18\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2001/05/28\");\n script_cvs_date(\"Date: 2018/11/15 20:50:22\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_end_attributes();\n\n \n script_summary(english:\"CesarFTP overflows\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2003-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FTP\");\n script_dependencie(\"ftpserver_detect_type_nd_version.nasl\");\n script_require_ports(\"Services/ftp\", 21);\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"ftp_func.inc\");\ninclude(\"global_settings.inc\");\n\n\nport = get_ftp_port(default: 21);\n\nbanner = get_ftp_banner(port:port);\nif (\n banner && \n egrep(pattern:\"^220 CesarFTP 0\\.([0-8]|9[0-8]|99[a-g])\", string:banner)\n)\n{\n security_hole(port);\n exit(0);\n}\n\n\n# Ferdy Riphagen pointed out that while the banner can be tweaked, the\n# help command can not be.\nif (thorough_tests)\n{\n soc = open_sock_tcp(port);\n if (soc) {\n ftp_send_cmd(socket:soc, cmd:\"HELP\");\n res = recv(socket:soc, length:1024);\n ftp_close(socket:soc);\n\n if (\n res && \n egrep(pattern:\"CesarFTP server 0\\.([0-8]|9[0-8]|99[a-g])\", string:res)\n ) security_hole(port);\n }\n}\nexit(0);\n\n#\n# The following code freezes the GUI, but does not\n# crash the FTP daemon\n# \n# send(socket:soc, data:'USER !@#$%^&*()_\\r\\n');\n# r = ftp_recv_line(socket:soc);\n# display(r);\n# send(socket:soc, data:'USER ' + crap(256) + '\\r\\n');\n# r = ftp_recv_line(socket:soc);\n# display(r);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}