Bugtraq mailing list archives

Broker FTP unauthorized directory browsing and plain text password storing


From: Kotarac Ante <astral () 403-SECURITY ORG>
Date: Tue, 21 Nov 2000 19:52:06 -0000

*********************************************************************
403-SECURITY advisory
*********************************************************************

Issue: Broker FTP unauthorized directory browsing and plain text password storing

Author: Astral [astral () 403-security org]

Discovered: 07.11.2000
Published: 22.11.2000
Version: 4.7.5.0 (others are probably vulnerable too)
Vendor: TransSoft

I. Description:
Broker FTP is a powerful FTP server which runs on the Windows platform; it is
possible to administer it through a Web browser.

II. Problem:
Broker FTP is vulnerable to two very dangerous attacks. The first one allows an
attacker to browse the server's whole disk, while the second one allows an
attacker to fetch passwords and account information easily.
The password is also written to the log files (in plain text, but it shouldn't
be written there anyway !?).

NOTE: We take no responsibility for damage caused by this example.

III. 1st problem
Anyone, including anonymous, can browse the whole server disk very simply.
Example:

Connected to 127.0.0.1.
220 FTP Server ready [***]
User (127.0.0.1:(none)): anonymous
331 Password required for anonymous.
Password: anything

230 User anonymous logged in.

ftp> ls x:\

where x is the letter of the hard drive you want to browse.

IV. 2nd problem
The administrator password is stored in %%WinDir%%\BrokerProfiles.Dat in
plain-text format (it could be ROT13 encrypted at least ;-) )
Other accounts and user information (rights, telephone, fax ...) are stored in
%%ProgramDir%%\Data\Users in the following format:

username|passwd|30.12.1899|30.12.1899|homedir||name|fax|phone|address||0|rights|0|login message|logoff message|Maximum transfer speed

RIGHTS are stored in this format:
xxxxxxxxxxx
If x is 1 then the user has access to that feature, and if it's 0 the user doesn't.
1st number: User can ZIP files on remote computer
2nd number: User can UNZIP files on remote server
3rd number: User can COPY files on remote server
4th number: User can EXECUTE files on remote server
5th number: User can CHANGE PASSWORD on server
6th number: User can DOWNLOAD files
7th number: User can UPLOAD files
8th number: User can CREATE DIRECTORIES
9th number: User can REMOVE DIRECTORIES
10th number: User can DELETE files

V. Fix
The vendor has issued a new version to fix these two problems.
Download:
NT/2000:    http://www.transsoft.com/broker/updates/broker40nt.exe
Win95/98:   http://www.transsoft.com/broker/updates/broker40b.exe
{Vendor was extremely friendly and professional}

This advisory is RFPolicy [http://www.wiretrip.net/rfp/policy.html] compatible
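
A defender-side audit of the user record format described in section IV, as an added example that is not part of the original advisory: it parses one record, decodes the rights string into the ten named permissions, and reports findings without echoing the password. The sample record, the set of rights treated as risky, and the handling of an eleventh rights position (the advisory shows eleven x's but names ten) are assumptions.

```python
# Added example, not vendor or advisory code. Field positions follow the
# '|'-separated format line in section IV of the advisory.
RIGHT_NAMES = ["ZIP", "UNZIP", "COPY", "EXECUTE", "CHANGE PASSWORD", "DOWNLOAD",
               "UPLOAD", "CREATE DIRECTORIES", "REMOVE DIRECTORIES", "DELETE"]
# Assumption: which rights an auditor wants flagged; adjust to local policy.
RISKY = {"EXECUTE", "UPLOAD", "REMOVE DIRECTORIES", "DELETE"}
FIELD_COUNT = 17  # username ... Maximum transfer speed

def decode_rights(bits):
    """Return (named rights granted, set positions beyond the ten named ones)."""
    if not bits or set(bits) - {"0", "1"}:
        raise ValueError("rights field must contain only 0 and 1")
    granted = [name for name, b in zip(RIGHT_NAMES, bits) if b == "1"]
    unnamed = [i + 1 for i in range(len(RIGHT_NAMES), len(bits)) if bits[i] == "1"]
    return granted, unnamed

def audit_record(line):
    """Parse one Users record and list findings; the password is never returned."""
    fields = line.rstrip("\r\n").split("|")
    if len(fields) != FIELD_COUNT:
        # Also triggers if a message field itself contains '|'.
        raise ValueError(f"expected {FIELD_COUNT} fields, got {len(fields)}")
    granted, unnamed = decode_rights(fields[12])
    findings = []
    if fields[1]:
        findings.append("password stored in plain text")
    findings += [f"risky right: {r}" for r in granted if r in RISKY]
    findings += [f"unnamed right position {p} is set" for p in unnamed]
    return {"user": fields[0], "homedir": fields[4],
            "rights": granted, "findings": findings}

# Constructed sample record (all values invented for illustration).
SAMPLE = "|".join([
    "alice", "example-pw", "30.12.1899", "30.12.1899", "C:\\ftp\\alice", "",
    "Alice Example", "555-0100", "555-0101", "1 Example St", "", "0",
    "00010110001", "0", "welcome", "goodbye", "0"])

if __name__ == "__main__":
    report = audit_record(SAMPLE)
    print(report["user"], report["rights"])
    for finding in report["findings"]:
        print(" -", finding)
```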

