CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
AI Score
Confidence
Low
EPSS
Percentile
92.3%
The remote FTP server can be used to determine if a given
file exists on the remote host or not, by adding dot-dot-slashes in front of them.
# SPDX-FileCopyrightText: 2001 Michel Arboi
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.10933");
script_version("2023-12-20T05:05:58+0000");
script_tag(name:"last_modification", value:"2023-12-20 05:05:58 +0000 (Wed, 20 Dec 2023)");
script_tag(name:"creation_date", value:"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)");
script_xref(name:"URL", value:"http://www.securityfocus.com/bid/3333");
script_cve_id("CVE-2001-1109");
script_tag(name:"cvss_base", value:"7.5");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_name("EFTP tells if a given file exists");
script_category(ACT_ATTACK);
script_copyright("Copyright (C) 2001 Michel Arboi");
script_family("FTP");
script_dependencies("ftpserver_detect_type_nd_version.nasl", "logins.nasl");
script_require_ports("Services/ftp", 21);
script_mandatory_keys("ftp/eftp/detected");
script_tag(name:"summary", value:"The remote FTP server can be used to determine if a given
file exists on the remote host or not, by adding dot-dot-slashes in front of them.");
script_tag(name:"insight", value:"For instance, it is possible to determine the presence
of \autoexec.bat by using the command SIZE or MDTM on ../../../../autoexec.bat");
script_tag(name:"impact", value:"An attacker may use this flaw to gain more knowledge about
this host, such as its file layout. This flaw is specially useful when used with other vulnerabilities.");
script_tag(name:"solution", value:"Update your EFTP server to 2.0.8.348 or change it.");
script_tag(name:"solution_type", value:"VendorFix");
script_tag(name:"qod_type", value:"remote_banner");
exit(0);
}
include("ftp_func.inc");
include("misc_func.inc");
include("port_service_func.inc");
cmd[0] = "SIZE";
cmd[1] = "MDTM";
kb_creds = ftp_get_kb_creds();
login = kb_creds["login"];
pass = kb_creds["pass"];
port = ftp_get_port( default:21 );
banner = ftp_get_banner( port:port );
if( ! banner || "EFTP " >!< banner )
exit( 0 );
vuln = 0;
soc = open_sock_tcp( port );
if( soc ) {
if( login && ftp_authenticate( socket:soc, user:login, pass:pass ) ) {
for( i = 0; cmd[i]; i = i + 1 ) {
req = string( cmd[i], " ../../../../../../autoexec.bat\r\n" );
send(socket:soc, data:req);
r = ftp_recv_line( socket:soc );
if( "230 " >< r ) vuln = vuln + 1;
}
} else {
# We could not log in or could not download autoexec.
# We'll just attempt to grab the banner and check for version
# <= 2.0.7
# I suppose that any version < 2 is vulnerable...
r = ftp_recv_line( socket:soc );
if( egrep( string:r, pattern:".*EFTP version ([01]|2\.0\.[0-7])\..*" ) ) {
vuln = 1;
}
}
close( soc );
if( vuln ) {
security_message(port:port);
exit(0);
}
exit(99);
}
#
# NB: This server is also vulnerable to another attack.
#
# Date: Thu, 13 Dec 2001 12:59:43 +0200
# From: "Ertan Kurt" <[email protected]>
# Affiliation: Olympos Security
# To: [email protected]
# Subject: EFTP 2.0.8.346 directory content disclosure
#
# It is possible to see the contents of every drive and directory of
# vulnerable server.
# A valid user account is required to exploit this vulnerability.
# It works both with encryption and w/o encryption.
# Here's how it's done:
# the user is logged in to his home directory (let's say d:\userdir)
# when the user issues a CWD to another directory server returns
# permission denied.
# But, first changing directory to "..." (it will chdir to d:\userdir\...)
# then issuing a CWD to "\" will say permission denied but it will
# successfully change to root directory of the current drive.
# And every time we want to see a dir's content, we first CWD to our
# home directory and then CWD ... and then CWD directly to desired
# directory (CWD c:/ or c:/winnt etc)
#
# So it is possible to see directory contents but i did not test to see
# if there is a possible way to get/put files.
#