Strumpf Noir Society Advisories ! Public release ! <--#

-= PowerFTP Personal FTP Server Multiple Vulnerabilities =-

Release date: Monday, February 11, 2002

Introduction:

PowerFTP Personal FTP Server is a multithreaded FTP server for the MS Windows OS by Cooolsoft. PowerFTPd is available from the vendor's website: http://www.cooolsoft.com

Problem(s):

The PowerFTP server contains multiple vulnerabilities which could allow an attacker to enumerate the system's directory structure, obtain read access to any file on the system, and carry out a denial of service attack against it.

PowerFTPd Information Disclosure Vulnerabilities

The PowerFTP server does not translate the real directory into a path relative to the user's FTP root. As such, issuing a simple 'PWD' command returns the full system path of the current directory, drive letter included, to the user.

Also, FTP account information is stored unencrypted in the file ftpserver.ini. Through either physical access to the machine or one of the directory traversal attacks described below, an attacker can retrieve this file and use the credentials in it to obtain elevated privileges on the system.

PowerFTPd Directory Traversal Vulnerabilities

The PowerFTP server fails to restrict access to files outside of the user's assigned directory. By requesting an absolute path ('DIR c:\') or by using one of several "double dot" variants ('DIR \..\*.*'), an attacker can break out of the assigned directory and read or retrieve any file on any drive of the system.

PowerFTP Buffer Overflow Vulnerabilities

The PowerFTP server does not check the length of the arguments passed with any of the standard FTP commands. By sending an argument of 2050 bytes or more, an attacker can carry out a denial of service attack: upon receipt, the server starts consuming 100% of the CPU and becomes unresponsive. A restart of the application is required to regain full functionality. On a side note, the PowerFTP client distributed with this package is riddled with overflow conditions of this kind as well. (..)

Solution:

The vendor was notified of these problems on January 12, 2002. We have yet to receive a reply. Recently PowerFTP v2.10 was released, which is advertised as safe and efficient on the product web site; none of these issues were fixed in that release. After further unsuccessful attempts to contact the vendor, we decided to release this information publicly.

This was tested against PowerFTP Personal FTP Server v2.03 and PowerFTP Personal FTP Server v2.10 on Win2k.

yadayadayada

SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html) compliant; all information is provided on an AS IS basis.

EOF, but Strumpf Noir Society will return!
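Appendix (added here; not part of the original advisory and not code from PowerFTP, Cooolsoft or the Strumpf Noir Society): the three defects in the Problem(s) section are all failures to confine a client-supplied argument, so the example below shows the server-side handling that closes them. It maps a client path onto the real filesystem only if the normalised result stays under the account directory (catching both 'c:\' and '\..\*.*', and, as a generalisation, other drives, UNC shares and chained parent hops), bounds argument length before any command parses it, and builds the PWD reply from the virtual path so the real drive and directory are never echoed back. ROOT, MAX_ARG_LEN and the probe strings are assumed values constructed for the example; ntpath is used so Windows path semantics are exercised even when the script runs on a POSIX host.

```python
"""Argument confinement for a Windows-hosted FTP server (added example)."""
import ntpath
from typing import Optional

ROOT = "C:\\ftp\\user"   # assumed per-account directory (hypothetical)
MAX_ARG_LEN = 512        # assumed cap; RFC 959 sets none, so the server must choose one


class FtpArgError(ValueError):
    """A client argument that must be refused with a 5xx reply."""


def _norm(path: str) -> str:
    """Case-folded, separator-normalised form used only for comparisons."""
    return ntpath.normcase(ntpath.normpath(path))


def arg_length_ok(arg: str, limit: int = MAX_ARG_LEN) -> bool:
    """True if the raw argument fits the server's fixed bound.

    The advisory's DoS needs 2050+ bytes in the argument of *any* command, so
    the bound is applied once, before any per-command parsing sees the data.
    """
    return len(arg.encode("utf-8", "surrogateescape")) <= limit


def confine(root: str, cwd: str, arg: str) -> Optional[str]:
    """Map a client path onto the real filesystem, or None if it escapes root.

    root: absolute real directory the account is locked to.
    cwd:  the client's current directory in virtual form ('/', '/pub').
    arg:  the raw argument of CWD, LIST, RETR, ... exactly as the client sent it.

    A server that simply joins cwd and arg is vulnerable: ntpath.join resets to
    the drive root on a rooted argument ('\\..\\*.*') and drops the first path
    entirely on a different drive ('d:\\'). The fix is not to blacklist
    characters but to normalise the joined result and test that it still lies
    at or below root.
    """
    if "\x00" in arg:
        return None
    real_cwd = ntpath.normpath(ntpath.join(root, cwd.strip("/").replace("/", "\\")))
    candidate = ntpath.normpath(ntpath.join(real_cwd, arg))
    root_n = _norm(root).rstrip("\\")
    cand_n = _norm(candidate)
    if cand_n == root_n or cand_n.startswith(root_n + "\\"):
        return candidate
    return None


def resolve_within_root(root: str, cwd: str, arg: str) -> str:
    """Hardened entry point: length bound first, then path confinement."""
    if not arg_length_ok(arg):
        raise FtpArgError("501 Argument too long")
    real = confine(root, cwd, arg)
    if real is None:
        raise FtpArgError("550 Path outside account directory")
    return real


def virtual_pwd(root: str, real_cwd: str) -> str:
    """Virtual ('/'-rooted) form of real_cwd for the PWD reply.

    The vulnerable server returned real_cwd itself, leaking the drive and
    directory layout; only the part below root is ever shown.
    """
    root_n = _norm(root).rstrip("\\")
    cwd_real = ntpath.normpath(real_cwd)
    cwd_n = ntpath.normcase(cwd_real)
    if cwd_n != root_n and not cwd_n.startswith(root_n + "\\"):
        raise FtpArgError("current directory is not under root")
    return cwd_real[len(root_n):].replace("\\", "/") or "/"


def pwd_reply(root: str, real_cwd: str) -> str:
    """RFC 959 '257' reply; embedded double quotes are doubled per the RFC."""
    return '257 "%s" is current directory' % virtual_pwd(root, real_cwd).replace('"', '""')


if __name__ == "__main__":
    # Constructed probe arguments: the advisory's two traversal forms and its
    # 2050-byte overflow string, plus generalisations (other drive, UNC share,
    # chained parent hops) a practitioner would also try.
    probes = ["pub\\readme.txt", "..", "c:\\", "\\..\\*.*", "d:\\",
              "..\\..\\boot.ini", "\\\\srv\\share\\x", "A" * 2050]
    for p in probes:
        try:
            print("%-22r -> %s" % (p[:20], resolve_within_root(ROOT, "/pub", p)))
        except FtpArgError as e:
            print("%-22r -> REJECTED (%s)" % (p[:20], e))
    print(pwd_reply(ROOT, "C:\\ftp\\user\\pub\\incoming"))
```

The comparison is done on the normalised candidate rather than on the argument text, so any spelling of an escape (forward or back slashes, mixed case, a drive-relative 'c:file', a rooted '\..') is judged by where it actually lands; '..' that stays inside the tree (from /pub back to the root) is still permitted. The length bound is deliberately checked before confine(), mirroring the advisory's point that the overflow lives in the generic argument handling and not in any one command.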