FTP Server Directory Traversal

Created 3/9/01

Impact

The FTP server allows anonymous users to read arbitrary files on the system. If the password or shadow file can be read, the attacker could crack account passwords and gain access to the system.

Background

Anonymous FTP servers normally service requests only for files under the anonymous FTP home directory. For example, if a server keeps its anonymous FTP directory in /var/ftp and receives a request for ftp://server/filename, it sends the file /var/ftp/filename back to the client.

The Problem

Operating systems allow path names to refer to a parent directory using the "../" string. An attacker could attempt to exploit this feature to retrieve files from directories outside of the anonymous FTP directory. Most FTP servers remove the "../" strings from requested file names. However, some FTP servers can still be exploited by using three dots instead of two (".../").
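As an added illustration (not code from this advisory or from any of the affected servers): the string-stripping approach the advisory describes, placed beside a root-confinement check that canonicalises the requested path and compares it against the FTP root instead of searching for "../" in the request text. The root /var/ftp comes from the Background section; treating backslashes as separators is an assumption made for servers on Windows.

```python
import posixpath

FTP_ROOT = "/var/ftp"  # anonymous FTP home directory from the advisory


def naive_strip_filter(requested: str) -> str:
    """The weak approach: delete every "../" from the request string and
    trust whatever remains.  This reasons about the text of the request,
    not about the directory the resulting path actually names, so any
    spelling of "parent directory" the platform still honours slips past,
    and the request is silently rewritten rather than refused."""
    return requested.replace("../", "")


def resolve_ftp_path(root: str, requested: str) -> str:
    """Map a client-supplied path onto the FTP root and refuse anything
    that escapes it.  No blacklist of strings is involved: the path is
    normalised first, then the result must still lie under the root."""
    # Assumption: accept backslashes as separators, as Windows FTP
    # servers do, so "..\\" is normalised exactly like "../".
    rel = requested.replace("\\", "/")
    # In FTP a leading "/" means "relative to the anonymous root", never
    # the real filesystem root.  Dropping it also avoids the join pitfall
    # where an absolute second argument discards the first.
    rel = rel.lstrip("/")
    # normpath collapses "a/./b", "a//b" and "a/../b" textually, without
    # touching the disk (use os.path.realpath if symlinks under the root
    # could point outside it).  A component like "..." is left alone: on
    # POSIX it is an ordinary directory name, not a parent reference.
    full = posixpath.normpath(posixpath.join(root, rel))
    root_norm = posixpath.normpath(root)
    if posixpath.commonpath([root_norm, full]) != root_norm:
        raise PermissionError(f"path escapes FTP root: {requested!r}")
    return full


def is_confined(root: str, requested: str) -> bool:
    """True if the request resolves to a file under root, else False."""
    try:
        resolve_ftp_path(root, requested)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    for req in ["pub/file.txt", "../etc/passwd", "pub/../../etc/shadow",
                "..\\..\\etc\\passwd", ".../readme"]:
        print(f"{req!r:28} stripped={naive_strip_filter(req)!r:22} "
              f"confined={is_confined(FTP_ROOT, req)}")
```

The stripped column shows the naive filter rewriting "../etc/passwd" into "etc/passwd" and serving it without complaint, whereas the confinement check rejects every request whose normalised path leaves /var/ftp and lets a literal "..." component through only because, after normalisation, it still names something under the root.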

Related CVE entries:
CVE-2001-0295 War FTP
CVE-2001-0680 QPC QVT/Net and AVT/Term
CVE-2001-0963 SpoonFTP

Resolutions

Contact the vendor of the FTP server for a fix. If no fix is available, it is advisable to switch to a different FTP server.

Where can I read more about this?

For some examples of this vulnerability, see the following postings to Bugtraq: TYPSoft, FtpXQ, and SlimServe FTPd.