Bugtraq mailing list archives
Broker FTP unauthorized directory browsing and plain text password storing
From: Kotarac Ante <astral () 403-SECURITY ORG>
Date: Tue, 21 Nov 2000 19:52:06 -0000
*********************************************************************
                        403-SECURITY advisory
*********************************************************************

Issue: Broker FTP unauthorized directory browsing and plain text password storing
Author: Astral [astral () 403-security org]
Discovered: 07.11.2000
Published: 22.11.2000
Version: 4.7.5.0 (others are probably vulnerable too)
Vendor: TransSoft

I. Description:

Broker FTP is a powerful FTP server that runs on the Windows platform; it can be administered through a Web browser.

II. Problem:

Broker FTP is vulnerable to two very dangerous attacks. The first allows an attacker to browse the server's whole disk, while the second allows an attacker to fetch passwords and account information easily. The password is also written to the log files (in plain text, but it shouldn't be written there anyway !?).

NOTE: We take no responsibility for damage caused by this example.

III. 1st problem

Anyone, including anonymous, can browse the whole server disk very simply.

Example:

Connected to 127.0.0.1.
220 FTP Server ready [***]
User (127.0.0.1:(none)): anonymous
331 Password required for anonymous.
Password: anything
230 User anonymous logged in.
ftp> ls x:\

where x is the letter of the hard drive you want to browse.

IV. 2nd problem

The administrator password is stored in %%WinDir%%\BrokerProfiles.Dat in plain-text format (it could be ROT13 encrypted at least ;-) ).

Other accounts and user information (rights, telephone, fax ...) are stored in %%ProgramDir%%\Data\Users in the following format:

username|passwd|30.12.1899|30.12.1899|homedir||name|fax|phone|address||0|rights|0|login message|logoff message|Maximum transfer speed

RIGHTS are stored in this format:

xxxxxxxxxxx

If x is 1 the user has access to that feature, and if it's 0 the user doesn't.

1st number: User can ZIP files on remote computer
2nd number: User can UNZIP files on remote server
3rd number: User can COPY files on remote server
4th number: User can EXECUTE files on remote server
5th number: User can CHANGE PASSWORD on server
6th number: User can DOWNLOAD files
7th number: User can UPLOAD files
8th number: User can CREATE DIRECTORIES
9th number: User can REMOVE DIRECTORIES
10th number: User can DELETE files

V. Fix

The vendor has issued a new version to fix these two problems.

Download:

NT/2000: http://www.transsoft.com/broker/updates/broker40nt.exe
Win95/98: http://www.transsoft.com/broker/updates/broker40b.exe

{Vendor was extremely friendly and professional}

This advisory is RFPolicy [http://www.wiretrip.net/rfp/policy.html] compatible
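The record layout and rights flags from section IV, as an added example that is not part of the original advisory or the vendor's code: a Python audit that parses records in that layout, decodes the rights string, and reports clear-text passwords and high-risk rights without echoing the password. The field names, the HIGH_RISK set and the sample records are assumptions constructed for illustration.

```python
# Added example; layout taken from the advisory, all sample data is constructed.
FIELDS = ["username", "passwd", "date1", "date2", "homedir", "unused1", "name",
          "fax", "phone", "address", "unused2", "flag1", "rights", "flag2",
          "login_msg", "logoff_msg", "max_speed"]  # field names are assumptions
# Positions 1-10 as listed in the advisory; any further position is undocumented.
RIGHTS = ["ZIP", "UNZIP", "COPY", "EXECUTE", "CHANGE PASSWORD", "DOWNLOAD",
          "UPLOAD", "CREATE DIRECTORIES", "REMOVE DIRECTORIES", "DELETE"]
HIGH_RISK = {"EXECUTE", "UPLOAD", "DELETE", "REMOVE DIRECTORIES"}  # assumed policy

def decode_rights(bits):
    """Turn the 0/1 rights string into the list of granted features."""
    if not bits or set(bits) - {"0", "1"}:
        raise ValueError("rights must be a string of 0/1 flags: %r" % bits)
    named = [name for name, b in zip(RIGHTS, bits) if b == "1"]
    extra = ["undocumented#%d" % (i + 1)
             for i, b in enumerate(bits) if i >= len(RIGHTS) and b == "1"]
    return named + extra

def audit_record(line):
    """Parse one pipe-delimited user record and return its findings."""
    parts = line.rstrip("\r\n").split("|")
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    rec = dict(zip(FIELDS, parts))
    granted = decode_rights(rec["rights"])
    findings = []
    if rec["passwd"]:
        findings.append("password stored in clear text")
    risky = sorted(HIGH_RISK.intersection(granted))
    if risky:
        findings.append("high-risk rights: " + ", ".join(risky))
    # The password itself is deliberately left out of the audit result.
    return {"username": rec["username"], "homedir": rec["homedir"],
            "rights": granted, "findings": findings}

def audit_file(text):
    """Audit every non-empty line; malformed lines are reported, not fatal."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.strip():
            try:
                results.append(audit_record(line))
            except ValueError as exc:
                results.append({"line": lineno, "error": str(exc)})
    return results

SAMPLE = "\n".join([  # constructed records, not taken from a real server
    r"alice|Secret1|30.12.1899|30.12.1899|C:\ftp\alice||Alice Example|000|000|1 Example St||0|00010110000|0|hello|bye|0",
    r"guest||30.12.1899|30.12.1899|C:\ftp\pub||Guest|||||0|00000100001|0|||0",
    "broken|line",
])
```

Calling audit_file(SAMPLE) returns one result per record; a set flag beyond the ten positions the advisory documents is reported as "undocumented#N" rather than guessed at.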