Vulnerabilities > CVE-1999-0082

047910
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
ftp
ftpcd
critical
nessus

Summary

CWD ~root command in ftpd allows root access.

Vulnerable Configurations

Part Description Count
Application
Ftp
1
Application
Ftpcd
1

Nessus

NASL familyFTP
NASL idFTP_CWD_ROOT.NASL
descriptionThe remote FTP server is affected by a flaw that may allow a remote attacker to gain unauthorized privileges. An attacker can exploit this flaw by issuing a specially crafted request to the
last seen2020-06-01
modified2020-06-02
plugin id10083
published1999-06-22
reporterThis script is Copyright (C) 1999-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/10083
titleFTP 'CWD ~root' Command Privilege Escalation
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(10083);
 script_version("1.38");
 script_cvs_date("Date: 2018/08/31 12:25:01");

 script_cve_id("CVE-1999-0082");

 script_name(english:"FTP 'CWD ~root' Command Privilege Escalation");
 script_summary(english:"Attempts to get root privileges.");

 script_set_attribute(attribute:"synopsis", value:
"The remote FTP server is affected by a command privilege escalation
vulnerability.");
 script_set_attribute(attribute:"description", value:
"The remote FTP server is affected by a flaw that may allow a remote
attacker to gain unauthorized privileges. An attacker can exploit this
flaw by issuing a specially crafted request to the 'CWD ~root'
command.");
 # https://web.archive.org/web/20020903230356/http://www.whitehats.com/info/IDS318
 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?78eedaee");
 script_set_attribute(attribute:"solution", value:
"Disallow FTP login for root, and make sure root's home directory is
not world readable.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
 script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");

 script_set_attribute(attribute:"vuln_publication_date", value:"1988/11/01");
 script_set_attribute(attribute:"plugin_publication_date", value:"1999/06/22");

 script_set_attribute(attribute:"potential_vulnerability", value:"true");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:ftp:ftp");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:ftpcd:ftpcd");
 script_end_attributes();

 script_category(ACT_ATTACK);
 script_copyright(english: "This script is Copyright (C) 1999-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");

 script_family(english:"FTP");

 script_dependencies("ftpserver_detect_type_nd_version.nasl", "ftp_anonymous.nasl", "ftp_root.nasl");
 script_require_keys("ftp/login", "Settings/ParanoidReport");
 script_exclude_keys("global_settings/supplied_logins_only");
 script_require_ports("Services/ftp", 21);

 exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("ftp_func.inc");

if (report_paranoia < 2) audit(AUDIT_PARANOID);

if (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);

vuln = FALSE;
report = '';

login = get_kb_item_or_exit("ftp/login");
password = get_kb_item("ftp/password");

port = get_ftp_port(default: 21);

wri = get_kb_item("ftp/"+port+"/writable_root");
if (! wri) wri = get_kb_item("ftp/writable_root");

# It the root directory is already writable, then
# we can't do the test
if(wri)exit(0, "The FTP root directory on port "+port+" is already writable.");

soc = open_sock_tcp(port);
if (! soc) audit(AUDIT_SOCK_FAIL, port);

ftp_debug(str:"custom banner");
b = ftp_recv_line(socket:soc);
d = ('USER ' + login + '\r\n');
send(socket:soc, data:d);
b = ftp_recv_line(socket:soc);

d = 'CWD ~root\n';
send(socket:soc, data:d);
b = ftp_recv_line(socket:soc);

report = 'The command "CWD ~root" produced the following result :\n\n' +
         b +'\n' +
         '\n----------------------------------------------------\n';

d = ('PASS ' + password + '\r\n');
send(socket:soc, data:d);
b = ftp_recv_line(socket:soc);

send(socket:soc, data: 'CWD /\r\n');
a = ftp_recv_line(socket:soc);

port2 = ftp_pasv(socket:soc);
if(!port2) exit(1, "Could not determine the FTP passive port.");

soc2 = open_sock_tcp(port2);
if ( ! soc2 ) audit(AUDIT_SOCK_FAIL, port2);

data = 'STOR .nessus_test_2\r\n';
send(socket:soc, data:data);
r = recv_line(socket:soc, length:3);

report += 'The command "STOR .nessus_test_2" produced the following result :\n\n' +
         r +'\n';

close(soc2);

if(r == "425")
{
  vuln = TRUE;
  data = 'DELE .nessus_test_2\r\n';
  send(socket:soc,data:data);
  ftp_recv_line(socket:soc);
}

data = 'QUIT\r\n';

send(socket:soc, data:data);
ftp_recv_line(socket:soc);
close(soc);

if (vuln)
{
  set_kb_item(name:"ftp/"+port+"/root_via_cwd", value:TRUE);

  if (report_verbosity > 0) security_hole(port:port, extra:report);
  else security_hole(port);
}
else audit(AUDIT_LISTEN_NOT_VULN, "FTP", port);