Mailing List Archive

false positive (ftp_realpath)?
Hey folks,

I'm getting what I *think* is a false-positive from ftp_realpath.nasl, but I'm not sure why, so I'm wondering if I'm reading something wrong, or if it's a bug, or... I may just be brain-dead today.

The plugin code:
data = string("CWD\n");
send(socket:soc, data:data);
a = recv_line(socket:soc, length:1024);
if("550 /" >< a)security_warning(port);

But if I FTP to it directly and send the CWD command:
ftp> CWD
?Invalid command
ftp>

My question is: why is it reporting a positive? I don't see "550 /" anywhere in the response...

Thanks for your help
--Sullo
Re: false positive (ftp_realpath)?
On Tuesday 11 June 2002 12:32, Sullo wrote:
> But if I FTP to it directly and send the CWD command:
> ftp> CWD
> ?Invalid command
> ftp>

> My question is: why is it reporting a positive? I don't see "550 /"
> anywhere in the response...

The response you are seeing is from your ftp *client*, not the server. You
need to type:

ftp> quot CWD

This will send a raw CWD. Optionally, you can just telnet to the ftp port and
login with USER && PASS, then enter CWD manually.

-HD
Re: false positive (ftp_realpath)?
Thanks Noam--it was the "brain-dead" problem. That (and the plugin) work just fine...


> If you want to send "raw" commands, you need to add a "QUOTE" prefix,
> resulting in: "QUOTE CWD":
> ftp> QUOTE CWD
> 501 Invalid number of arguments.
> ftp> QUOTE CWD \
> 550 \: No such file or directory
Re: false positive (ftp_realpath)?
On Tue, Jun 11, 2002 at 01:48:07PM -0400, Sullo wrote:
> Thanks Noam--it was the "brain-dead" problem. That (and the plugin) work just fine...

There was a bug anyway - it was sending CWD\n instead of CWD\r\n


-- Renaud
Re: false positive (ftp_realpath)?
On Tue, 11 Jun 2002, H D Moore wrote:

|This will send a raw CWD. Optionally, you can just telnet to the ftp port and
|login with USER && PASS, then enter CWD manually.

I used to IRC manually by telnet, and tried FTP. Once I figured out I had
to have another window for the data session, it was easy to prop up another
connection to receive the file.

Man, nothing like replacing pieces of a combustible engine with your body
parts to understand how things really work.

.nhoJ
Re: false positive (ftp_realpath)?
Hi,

If you want to send "raw" commands, you need to add a "QUOTE" prefix,
resulting in: "QUOTE CWD":
ftp> QUOTE CWD
501 Invalid number of arguments.
ftp> QUOTE CWD \
550 \: No such file or directory

Thanks
Noam Rathaus
http://www.BeyondSecurity.com
http://www.SecuriTeam.com

----- Original Message -----
From: "Sullo" <sq@cirt.net>
To: <plugins-writers@list.nessus.org>
Sent: Tuesday, June 11, 2002 19:32
Subject: false positive (ftp_realpath)?


> Hey folks,
>
> I'm getting what I *think* is a false-positive from ftp_realpath.nasl, but
> I'm not sure why, so I'm wondering if I'm reading something wrong, or
> if it's a bug, or... I may just be brain-dead today.
>
> The plugin code:
> data = string("CWD\n");
> send(socket:soc, data:data);
> a = recv_line(socket:soc, length:1024);
> if("550 /" >< a)security_warning(port);
>
> But if I FTP to it directly and send the CWD command:
> ftp> CWD
> ?Invalid command
> ftp>
>
> My question is: why is it reporting a positive? I don't see "550 /"
> anywhere in the response...
>
> Thanks for your help
> --Sullo
>
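
Added example, not part of the thread and not the Nessus plugin's code: a Python sketch of the raw exchange discussed above. It sends a CRLF-terminated CWD on the control connection, as `quote CWD` or a telnet session would, and applies the plugin's "550 /" substring test to what the server returns. The server is a constructed stand-in on a socketpair; the function names and the 550 path are assumptions, and the 501 text is the reply quoted in the thread.

```python
import socket
import threading

def read_reply(rfile):
    """Read one FTP reply; a multi-line reply runs from 'NNN-' to 'NNN '."""
    lines = [rfile.readline().decode("latin-1").rstrip("\r\n")]
    if lines[0][3:4] == "-":
        while not lines[-1].startswith(lines[0][:3] + " "):
            line = rfile.readline()
            if not line:  # peer closed in the middle of a reply
                break
            lines.append(line.decode("latin-1").rstrip("\r\n"))
    return lines

def raw_command(sock, rfile, command):
    """Send a command verbatim with CRLF (not a bare LF) and return the reply."""
    sock.sendall(command.encode("ascii") + b"\r\n")
    return read_reply(rfile)

def plugin_would_flag(reply):
    """Same substring test as the plugin: '550 /' anywhere in the reply."""
    return any("550 /" in line for line in reply)

def fake_server(conn, replies):
    """Constructed stand-in for an FTP server: answers each line from a table."""
    with conn, conn.makefile("rb") as rfile:
        for line in rfile:
            conn.sendall(replies.get(line, b"500 Unknown command.\r\n"))

# Constructed reply tables. The 550 path is invented sample data; the 501 text
# is the reply quoted in the thread for a CWD with no argument.
PATH_IN_REPLY = {b"CWD\r\n": b"550 /srv/ftp/pub: No such file or directory\r\n"}
ARG_REQUIRED = {b"CWD\r\n": b"501 Invalid number of arguments.\r\n"}

def probe(replies):
    """Send a bare CWD to a fake server and return its reply lines."""
    client, server = socket.socketpair()
    threading.Thread(target=fake_server, args=(server, replies), daemon=True).start()
    with client, client.makefile("rb") as rfile:
        return raw_command(client, rfile, "CWD")

if __name__ == "__main__":
    for name, table in (("path in reply", PATH_IN_REPLY), ("501", ARG_REQUIRED)):
        reply = probe(table)
        print(name, reply, "flagged" if plugin_would_flag(reply) else "not flagged")
```

The ftp client's "?Invalid command" never appears here because nothing is parsed locally; every reply line comes off the socket.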