###################################################
01. ### Advisory Information ###
Title: Directory Traversal Vulnerability in ColoradoFTP v1.3 Prime Edition (Build 8)
Date published: n/a
Date of last update: n/a
Vendors contacted: ColoradoFTP author Sergei Abramov
Discovered by: Rv3Laboratory [Research Team]
Severity: High
02. ### Vulnerability Information ###
OVE-ID: OVE-20160718-0006
CVSS v2 Base Score: 8.5
CVSS v2 Vector: (AV:N/AC:M/Au:S/C:C/I:C/A:C)
Component/s: ColoradoFTP Core v1.3
Class: Path Traversal
03. ### Introduction ###
ColoradoFTP is the open source Java FTP server. It is fast, reliable and
extendable.
Fully compatible with RFC 959 and RFC 3659 (File Transfer Protocol and
Extensions), this implementation makes it easy to extend the functionality
with virtually any feature.
Well commented source code and existing plug-ins make it possible to shape the
FTP server just the way you want!
http://cftp.coldcore.com/
04. ### Vulnerability Description ###
The default installation and configuration of ColoradoFTP Prime Edition (Build 8) is prone to a
security vulnerability. ColoradoFTP contains a flaw that may allow a
remote attacker to traverse directories on the FTP server.
A remote attacker (a ColoradoFTP user) can send a command (MKDIR, PUT, GET or DEL) followed by sequences (\\\..\\) to traverse directories
and create, upload, download or delete the contents of arbitrary files
and directories on the FTP server.
To exploit the vulnerability, it is important to use "\\\" at the
beginning of the string.
05. ### Technical Description / Proof of Concept Code ###
By supplying "\\\..\\..\\..\\..\\" in the file path, it is possible to trigger a directory traversal flaw, allowing the attacker
(anonymous user or ColoradoFTP user) to upload or download a file
outside the virtual directory.
05.01 We tried to upload a file (netcat - nc.exe) to the Windows %systemroot%
directory (C:\WINDOWS\system32\) using a PUT command:
ftp> put nc.exe \\\..\\..\\..\\Windows\\system32\\nc.exe
Netcat was successfully uploaded.
05.02 We tried to create a directory (test) using a MKDIR command:
ftp> mkdir nc.exe \\\..\\..\\..\\test
The directory test was successfully created.
06. ### Business Impact ###
This may allow an attacker to upload and download files from the remote machine.
07. ### Systems Affected ###
This vulnerability was tested against: ColoradoFTP v1.3 Prime Edition (Build 8)
O.S.: Microsoft Windows 7 32 bit
JDK: v1.7.0_79
Other versions are probably affected too, but they were not checked.
08. ### Vendor Information, Solutions and Workarounds ###
This issue is fixed in ColoradoFTP Prime Edition (Build 9),
which can be downloaded from:
http://cftp.coldcore.com/download.htm
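Added example, not ColoradoFTP code and not the Build 9 fix: a containment check of the kind that stops the "\\\..\\" paths described above, written in Python with ntpath so that Windows path rules apply on any OS. The root directory, function names and error class are assumptions made for illustration.

```python
import ntpath  # Windows path rules, importable on any OS

# Constructed sample root; the real ColoradoFTP home layout is not on the page.
ROOT = r"C:\ColoradoFTP\users\anonymous"
# Paths as typed in the advisory's PUT and MKDIR proof of concept.
POC_PUT = r"\\\..\\..\\..\\Windows\\system32\\nc.exe"
POC_MKDIR = r"\\\..\\..\\..\\test"


class TraversalError(ValueError):
    """Client path resolves outside the virtual root."""


def resolve_in_root(root: str, client_path: str) -> str:
    """Return the Windows path for client_path under root, or raise."""
    if "\x00" in client_path or ":" in client_path:
        # Conservative choice: no NUL, drive letters or NTFS stream names.
        raise TraversalError(f"illegal character in {client_path!r}")
    # Treat '/' and '\' alike and drop leading separators, so the path is
    # never read as rooted or UNC (ntpath.join would then discard root).
    relative = client_path.replace("/", "\\").lstrip("\\")
    root_n = ntpath.normpath(root)
    # normpath collapses repeated separators and resolves '.' and '..'.
    candidate = ntpath.normpath(ntpath.join(root_n, relative))
    # Compare case-insensitively and on a component boundary, so that
    # C:\ftp\home2 is not accepted as being inside C:\ftp\home.
    root_c = ntpath.normcase(root_n).rstrip("\\")
    cand_c = ntpath.normcase(candidate).rstrip("\\")
    if cand_c != root_c and not cand_c.startswith(root_c + "\\"):
        raise TraversalError(f"{client_path!r} escapes the virtual root")
    return candidate


def is_allowed(root: str, client_path: str) -> bool:
    try:
        resolve_in_root(root, client_path)
        return True
    except TraversalError:
        return False


if __name__ == "__main__":
    for p in ("docs/readme.txt", POC_PUT, POC_MKDIR, r"..\anonymous2\x"):
        print(f"{p!r:50} allowed={is_allowed(ROOT, p)}")
```

The check is purely lexical; a server should also resolve links such as NTFS junctions to their real location before opening the file.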
09. ### Credits ###
Rv3Laboratory [Research Team] - www.Rv3Lab.org
This vulnerability has been discovered by: Rv3Lab - [www.rv3lab.org] - research(at)rv3lab(dot)org
Christian Catalano aka wastasy - wastasy(at)rv3lab(dot)org
Marco Fornaro aka Chaplin89 - chaplin89(at)rv3lab(dot)org
10. ### Vulnerability History ###
July 07th, 2016: Vulnerability discovered.
July 19th, 2016: Vendor informed. [ColoradoFTP team]
July 21st, 2016: Vendor responds asking for details.
July 28th, 2016: Sent detailed information to the vendor.
August 08th, 2016: Vendor confirms vulnerability.
August 10th, 2016: Vendor reveals patch release date.
August 11th, 2016: Vulnerability disclosure
11. ### Disclaimer ###
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
We accept no responsibility for any damage caused by the use or misuse of
this information.
12. ### About Rv3Lab ###
Rv3Lab is an independent Security Research Lab.
For more information, please visit [www.Rv3Lab.org]
For more information regarding the vulnerability feel free to contact the
Rv3 Research Team: research(at)rv3lab(dot)org
###################################################