Re: RaidenFTPD v2.2 Arbitrary File Deletion Vulnerability

From: David LeBlanc (dleblanc@MINDSPRING.COM)
Date: 01/18/02


Date:         Fri, 18 Jan 2002 09:05:44 -0800
From: David LeBlanc <dleblanc@MINDSPRING.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM


> -----Original Message-----
> From: Windows NTBugtraq Mailing List

> Summary:
> A vulnerability exists in Raiden FTPD v2.2, that can allow
> arbitrary users to delete any file on the system. Only files
> in the root directory (c:\, d:\, e:\ etc.) can be removed.

This is not a problem in Raiden. Arguably, there isn't a problem at all.
First, one has to understand how a FTP client functions to see how this
works.

> ftp> get c:\command.com
> Error opening local file command.com.
> > command.com:Permission denied

What you've just done here is told your FTP client to get a file called
command.com and place it in your C:\ directory. Here's what happens:

FTP client first checks to see if it can open the destination file and
truncate it. A network client should not bother remote servers unless it
can complete the local portion of the task. It then asks the remote
server for command.com. It doesn't exist, so the operation fails.

> And file has been deleted!

That's because you had write access to it. It won't repro if you try it
on a file you don't have access to.

Plus, let's examine how we got to that point - even if it really were a
vulnerability, we'd have to trick the local user into ftping to a site,
and issuing commands. If you have that level of control over the user,
you can do a lot worse.

============================================================================
Delivery co-sponsored by VeriSign - The Internet Trust Company
============================================================================
FREE E-COMMERCE SECURITY INFRASTRUCTURE GUIDE
When building an e-commerce site, you want to start with a strong, secure
foundation. Learn how with VeriSign's FREE White Paper, "Building an
E-Commerce Trust Infrastructure." See how you can authenticate your site to
customers, use 128-Bit SSL encryption to secure your web servers, and accept
secure payments online. Click here:
http://www.verisign.com/cgi-bin/go.cgi?a=n116965650045000
============================================================================



Relevant Pages