PowerFTP Personal FTP Server Multiple Vulnerabilities

From: Strumpf Noir Society (vuln-dev@labs.secureance.com)
Date: 02/11/02

Date: Mon, 11 Feb 2002 19:09:28 +0100
From: Strumpf Noir Society <vuln-dev@labs.secureance.com>
To: bugtraq@securityfocus.com

Strumpf Noir Society Advisories
! Public release !

-= PowerFTP Personal FTP Server Multiple Vulnerabilities =-

Release date: Monday, February 11, 2002


PowerFTP Personal FTP Server is a multithreaded FTP server
for the MS Windows OS by Cooolsoft.

The PowerFTPd is available from vendor Cooolsoft's website:


The PowerFTP server contains multiple vulnerabilities which could
provide an attacker with the capability to ennumerate a system's
structure, obtain read access to any file on the system and carry
out a denial of service attack against it.

PowerFTPd Information Disclosure Vulnerabilities

The PowerFTP server does not properly parse directory information
to a relative path. As such, executing a simple 'PWD' command on
the server will return the full system path of the current directory
to the user.

Also, FTP account information is stored unencrypted in the file
ftpserver.ini. Through either physical access to the machine or by
abusing one of the directory traversal attacks described below,
elevated privileges could be obtained on the system by retrieving
this file.

PowerFTPd Directory Traversal Vulnerabilities

The PowerFTP server fails to properly restrict access to files outside
of the user directory. By either requesting a direct path to a file or
directory ('DIR c:\') or by applying a variety of the "double dot"
notation ('DIR \..\*.*') an attacker is able to break out of the assigned
directory and read/obtain any file on any system drive.

PowerFTP Buffer Overflow Vulnerabilities

Due to a failure to check the length of any of the arguments passed
to the PowerFTP server with any of the standard FTP commands, an
attacker can execute a denial of service attack against the PowerFTP
server by sending a string of 2050 bytes or more to the target system.

Upon receipt, the server will start consuming 100% cpu resources and
will become unresponsive. A restart of the application is required to
regain full functionality.

On a side note, the PowerFTP client which is distributed with this
package is literally riddled with overflow conditions like this as



Vendor has been notified of these problems on January 12, 2002. We
have yet to receive a reply. Recently PowerFTP v2.10 was released,
which is advertised as safe and efficient on the product web site.
None of these issues were fixed in this release. After unsuccessfully
retrying to contact the vendor, this has prompted us to publicly
release this information.

This was tested against PowerFTP Personal FTP Server v2.03 and PowerFTP
Personal FTP Server v2.10 on Win2k.


SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html)
compliant, all information is provided on AS IS basis.

EOF, but Strumpf Noir Society will return!

Relevant Pages