CVE-1999-0082

Step 1: Connection Establishment: The attacker establishes an FTP connection to the vulnerable server. Step 2: Command Injection: The attacker sends the CWD ~root command to the FTP server. Step 3: Command Execution: The FTP server, due to a lack of input validation, interprets the ~root as a command to execute, potentially allowing the attacker to inject malicious commands. Step 4: Privilege Escalation: The injected commands are executed with root privileges, granting the attacker complete control over the system. Step 5: System Compromise: The attacker can now execute arbitrary commands, potentially installing backdoors, stealing data, or modifying system configurations.

The vulnerability lies within the handling of the CWD (Change Working Directory) command in vulnerable FTP daemons. Specifically, the FTP server fails to properly sanitize or validate user-supplied input when processing the CWD command, especially when the target directory is ~root. This allows an attacker to inject arbitrary commands into the server's execution context. When the server attempts to change the directory to ~root, it executes the injected commands with root privileges, leading to complete system compromise. The root cause is a lack of input validation and improper handling of the ~ (tilde) character, which expands to the home directory of the user, in this case, root's home directory.