Bugtraq mailing list archives

SmartFTP Daemon v0.2 Beta Build 9 - Remote Exploit

From: mjodeit () GMX DE (Moritz Jodeit)
Date: Tue, 13 Jun 2000 18:01:38 +0200


I found a bug in the SmartFTP-D Server which will give an attacker full
access to the server, if he has the right to write files on the server. For
every user, the program is checking if a special Userfile exists (Sample:
Username=hacker & Userfile=hacker.FTP_User). If it exists, the configuration,
like password, rights, etc. will be read out of this file. The program doesn't
check for bad characters, so by using "..\" you can switch to other
directorys. If an attacker has an account on the machine, where he can write files,
he can use this to get full access to the whole machine! Let's take this
example: Upload directory is D:\Upload and SmartFTP-D is installed in
D:\Program Files\SmartFTP Daemon. An attacker would upload a file called
exploit.FTP_User, which includes his own password and the rigths, he wishes to have. If
he now uses the Username "..\..\..\..\..\Upload\exploit", his uploaded
Userfile will be used and he can login.

mindstorm networks has been informed about this bug and a fix should be
available soon. Until they will release a fix, you can get my unofficial
HotFix at my homepage, which will implement the missing check-function for bad
characters in the Username.

-Moritz

--
Moritz Jodeit
http://jodeit.cjb.net

Sent through GMX FreeMail - http://www.gmx.net

Current thread:

Sendmail & procmail local root exploits on Linux kernel up to 2.2.16pre5, (continued)
- Sendmail & procmail local root exploits on Linux kernel up to 2.2.16pre5 Wojciech Purczynski (Jun 08)
- OpenSSH's UseLogin option allows remote access with root privilege. Markus Friedl (Jun 09)
  - Re: OpenSSH's UseLogin option allows remote access with root privilege. Bernhard Rosenkraenzer (Jun 10)
    - Re: OpenSSH's UseLogin option allows remote access with root privilege. Phil Stracchino (Jun 10)
    - IBM WebSphere JSP showcode vulnerability stuart.mcclure () FOUNDSTONE COM (Jun 11)
    - Re: OpenSSH's UseLogin option allows remote access with root privilege. Markus Friedl (Jun 12)
    - Using IP Filter to protect FW-1 4.0 (fwd) Darren Reed (Jun 12)
    - FreeBSD Security Advisory: FreeBSD-SA-00:25.alpha-dev-random FreeBSD Security Advisories (Jun 12)
    - RFPolicy for vulnerability disclosure rain forest puppy (Jun 12)
    - CGI: Selena Sol's WebBanner ( Random Banner Generator ) Vulnerability Johannes Westerink (Jun 12)
    - SmartFTP Daemon v0.2 Beta Build 9 - Remote Exploit Moritz Jodeit (Jun 13)
    - Ethics ?? : Re: local root on linux 2.2.15 Gerrie (Jun 10)
  - CONECTIVA LINUX SECURITY ANNOUNCEMENT - OPENSSH Andreas Hasenack (Jun 10)
- Trustix Security Advisory Oystein Viggen (Jun 09)
- Security Advisory: MULTIPLE DENIAL OF SERVICE VULNERABILITIES IN KRB4 KDC Tom Yu (Jun 09)
  - Remote DOS in linux rpc.lockd mmurray () FSCINTERNET COM (Jun 08)
  - Re: Security Advisory: MULTIPLE DENIAL OF SERVICE VULNERABILITIES IN KRB4 KDC Mike Friedman (Jun 09)
- Re: Sendmail 8.10.2, Linux 2.4.0 - capabilities Antonio Galea (Jun 15)
  - Re: Sendmail 8.10.2, Linux 2.4.0 - capabilities Lionel Cons (Jun 16)
  - Call For Participation - Raid 2000 Herve Debar (Jun 16)
  - Veritas Volume Manager 3.0.x hole Dixie Flatline (Jun 16)

(Thread continues...)