Mindstorm Networks SmartFTP Daemon 0.2 Directory Traversal Vulnerability
BID:1344
Info
Mindstorm Networks SmartFTP Daemon 0.2 Directory Traversal Vulnerability
| Bugtraq ID: | 1344 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | Yes |
| Published: | Jun 13 2000 12:00AM |
| Updated: | Jun 13 2000 12:00AM |
| Credit: | Posted to Bugtraq on June 13, 2000 by Moritz Jodeit <[email protected]>. |
| Vulnerable: |
Mindstorm Networks SmartFTP Daemon 0.2 |
| Not Vulnerable: | |
Discussion
Mindstorm Networks SmartFTP Daemon 0.2 Directory Traversal Vulnerability
Each time an account is added to Mindstorm Networks SmartFTP Daemon, a unique user file is created that contains the password, user rights, and other pertinent details and utilizes the filename format of username.FTP_user. A user who has an existing account on SmartFTP Daemon (including anonymous) and possesses write access can gain full access to the host by modifying this particular user file and uploading it to anywhere on the filesystem.
This can be accomplished by uploading a specially modified user file with a filename of username.FTP_user containing an arbitrary username and full access rights. This file can then be accessed by entering a username of "../path/username" (the number of '../' corresponding with the number of directories to traverse) at the login prompt. This will grant access to the ftp server with the access rights specified in the user file.
Each time an account is added to Mindstorm Networks SmartFTP Daemon, a unique user file is created that contains the password, user rights, and other pertinent details and utilizes the filename format of username.FTP_user. A user who has an existing account on SmartFTP Daemon (including anonymous) and possesses write access can gain full access to the host by modifying this particular user file and uploading it to anywhere on the filesystem.
This can be accomplished by uploading a specially modified user file with a filename of username.FTP_user containing an arbitrary username and full access rights. This file can then be accessed by entering a username of "../path/username" (the number of '../' corresponding with the number of directories to traverse) at the login prompt. This will grant access to the ftp server with the access rights specified in the user file.
Exploit / POC
Mindstorm Networks SmartFTP Daemon 0.2 Directory Traversal Vulnerability
see discussion
see discussion
Solution / Fix
Mindstorm Networks SmartFTP Daemon 0.2 Directory Traversal Vulnerability
Solution:
Mindstorm Networks are aware of the issue and are working towards releasing a fix in the near future. In the meantime, Moritz Jodeit has released the following unofficial hotfix:
http://internet.exit.de/jodeit/sfd029hf.zip
Solution:
Mindstorm Networks are aware of the issue and are working towards releasing a fix in the near future. In the meantime, Moritz Jodeit has released the following unofficial hotfix:
http://internet.exit.de/jodeit/sfd029hf.zip
References
Mindstorm Networks SmartFTP Daemon 0.2 Directory Traversal Vulnerability
References:
References:
- SmartFTP Daemon Product Home Page (Mindstorm Networks)