[NT] PowerFTP Server File Reading and DoS Vulnerabilities

From: support@securiteam.com
Date: 02/18/02


From: support@securiteam.com
To: list@securiteam.com
Date: Mon, 18 Feb 2002 22:27:36 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  PowerFTP Server File Reading and DoS Vulnerabilities
------------------------------------------------------------------------

SUMMARY

PowerFTP Personal FTP Server <http://www.cooolsoft.com/> is a
multithreaded FTP server for the MS Windows OS by Cooolsoft. The PowerFTP
server contains multiple vulnerabilities that could provide an attacker
with the capability to enumerate a system's structure, obtain read access
to any file on the system, and carry out a denial of service attack
against it.

DETAILS

Vulnerable systems:
PowerFTP version 2.10 and prior

PowerFTPd Information Disclosure Vulnerabilities
The PowerFTP server does not properly convert directory information to a
relative path. As a result, executing a simple 'PWD' command on the server
returns the full system path of the current directory to the user.

In addition, FTP account information is stored unencrypted in the file
ftpserver.ini. Through either physical access to the machine or by abusing
one of the directory traversal attacks described below, elevated
privileges could be obtained on the system by retrieving this file.

PowerFTPd Directory Traversal Vulnerabilities
The PowerFTP server fails to properly restrict access to files outside of
the user directory. By either requesting a direct path to a file or
directory ('DIR c:\') or by applying a variant of the "double dot"
notation ('DIR \..\*.*'), an attacker is able to break out of the assigned
directory and read or obtain any file on any system drive.

PowerFTP Buffer Overflow Vulnerabilities
Due to a failure to check the length of any of the arguments passed to the
PowerFTP server with any of the standard FTP commands, an attacker can
execute a denial of service attack against the PowerFTP server by sending
a string of 2050 bytes or more to the target system.

Upon receipt, the server will start consuming 100% CPU resources and will
become unresponsive. A restart of the application is required to regain
full functionality.

On a side note, the PowerFTP client that is distributed with this package
is literally riddled with overflow conditions like this as well.
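
The server-side checks whose absence the three sections above describe, as an added example (not code from PowerFTP or from the advisory's authors): a lexical resolver that confines path arguments to the user's directory, answers PWD with the virtual path only, and bounds argument length. The names resolve, is_allowed, pwd_reply, the sample root and the 512-byte cap are assumptions.

```python
import ntpath  # Windows path rules, usable on any platform

MAX_ARG_LEN = 512  # assumed cap, well below the 2050 bytes the advisory cites


class PathRejected(Exception):
    """Raised when a client-supplied path argument must be refused."""


def resolve(root, cwd, arg):
    """Map an FTP path argument to (virtual_path, real_path) under root.

    root is the real directory assigned to the user; cwd is the current
    virtual directory and always starts with a backslash.
    """
    if len(arg) > MAX_ARG_LEN:
        raise PathRejected("argument too long")
    arg = arg.replace("/", "\\")
    drive, rest = ntpath.splitdrive(arg)
    if drive or ":" in rest or "\x00" in rest:
        raise PathRejected("drive, UNC prefix, stream or NUL in path")
    # A leading backslash means the user's root, never the drive root.
    virtual = rest if rest.startswith("\\") else cwd + "\\" + rest
    parts = []
    for seg in virtual.split("\\"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:
                raise PathRejected("path climbs above the user root")
            parts.pop()
        elif seg[-1] in " .":
            # Win32 drops trailing dots and spaces, so ".. " could alias "..".
            raise PathRejected("segment ends in dot or space")
        else:
            parts.append(seg)
    tail = "\\".join(parts)
    return "\\" + tail, ntpath.normpath(root + "\\" + tail)


def is_allowed(root, cwd, arg):
    """True if the argument resolves inside the user's directory."""
    try:
        resolve(root, cwd, arg)
        return True
    except PathRejected:
        return False


def pwd_reply(virtual):
    """257 reply built from the virtual path only; the real root never leaks."""
    return '257 "%s" is current directory.' % virtual.replace('"', '""')
```

The check is purely lexical; a server should also resolve the final on-disk path (junctions, short 8.3 names) and confirm it still lies under the user's root before opening it.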

Solution:
The vendor was notified of these problems on January 12, 2002.
Recently PowerFTP v2.10 was released, which is advertised as safe and
efficient on the product web site. None of the issues mentioned was
fixed in this release. This, together with further unsuccessful attempts
to contact the vendor, has prompted the authors to publicly release this
information.

ADDITIONAL INFORMATION

The information has been provided by Strumpf Noir Society
<mailto:vuln-dev@labs.secureance.com>.
