Core FTP 'XCRC' Command Directory Traversal Vulnerability


Release date: 2014-02-05
Update date: 2014-02-22

Affected systems:
Core FTP Core FTP 1.x
Description:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 65430
CVE(CAN) ID: CVE-2014-1442

Core FTP is a free FTP client.

Core FTP 1.2 build 511 and other versions contain a directory traversal vulnerability in the handling of the "XCRC" command, which allows an attacker to obtain information about files located outside the FTP root directory.

<*Source: Luciano Martins
        Fara Rustein
 
  Link: http://www.securelist.com/en/advisories/56850
*>

Test method:
--------------------------------------------------------------------------------

Warning

The following program (method) may be offensive in nature and is provided solely for security research and teaching purposes. Users assume all risk!

Fara Rustein () provided the following test method:
Proof of Concept:
1) Log in to the Core FTP Server.
2) Use the "XCRC" command with a filename that does not exist on the user designated root directory.
3) Observe the "550 File not found.." response.
4) Use the "XCRC" command with a filename belonging to a file residing directly outside the user designated root folder (one level higher than the root directory).
5) Observe the "550 File not found.." response.
6) Use the "XCRC" command with the same filename as before, but add "/../" in front of the file name.
7) Observe the 250 response.
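
The steps above hinge on the server canonicalising the client-supplied XCRC path only after concatenating it onto the user's root. The following Python model, added here as an illustration and not code from Core FTP or the advisory's authors, contrasts that naive handling with a hardened handler that confines the canonical path to the root and answers "550 File not found.." in both the missing-file and the escaped-root case; the file tree, root path and file contents are constructed for the example.

```python
import posixpath
import zlib

# Constructed stand-in for the server's filesystem: the user's designated root is
# /srv/ftp/user1, and secret.txt lives one level above it (outside the root).
FILES = {
    "/srv/ftp/user1/hello.txt": b"hello",
    "/srv/ftp/secret.txt": b"top secret",
}
USER_ROOT = "/srv/ftp/user1"
NOT_FOUND = "550 File not found.."


def crc32_hex(data):
    """XCRC replies with the CRC32 of the file as an upper-case hex string."""
    return "%08X" % zlib.crc32(data)


def xcrc_vulnerable(root, arg):
    """Naive handling (the advisory's bug): the client path is appended to the root
    and the result normalised, so a leading '/../' climbs out of the root."""
    target = posixpath.normpath(root + "/" + arg)
    if target in FILES:
        return "250 " + crc32_hex(FILES[target])
    return NOT_FOUND


def xcrc_hardened(root, arg):
    """Hardened handling: strip any leading '/', canonicalise, then require the
    result to be the root itself or strictly below it before looking it up."""
    target = posixpath.normpath(posixpath.join(root, arg.lstrip("/")))
    inside = target == root or target.startswith(root + "/")
    if not inside:
        # Same reply as a missing file, so the response does not reveal
        # whether a file exists outside the root.
        return NOT_FOUND
    if target in FILES:
        return "250 " + crc32_hex(FILES[target])
    return NOT_FOUND


if __name__ == "__main__":
    for name in ("nope.txt", "secret.txt", "/../secret.txt", "hello.txt"):
        print("XCRC %-16s vulnerable: %s | hardened: %s"
              % (name, xcrc_vulnerable(USER_ROOT, name), xcrc_hardened(USER_ROOT, name)))
```

Running the block replays steps 2 to 7: both handlers return 550 for a nonexistent name and for the bare name of the file above the root, but only the vulnerable handler returns 250 once "/../" is prefixed.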

Recommendation:
--------------------------------------------------------------------------------
Vendor patch:

Core FTP
--------
The vendor has released an upgrade patch that fixes this security issue; please download it from the vendor's homepage:

http://www.coreftp.com/
http://coreftp.com/forums/viewtopic.php?t=2985707
