Bugtraq mailing list archives

EFTP 2.0.8.346 directory content disclosure


From: Ertan Kurt <ertank () olympos org>
Date: Thu, 13 Dec 2001 12:59:43 +0200


There exists a vulnerability in EFTP 2.0.8.346
Vendor notified: 12/12/2001
Vendor reply/fix: 12/12/2001
Vendor Homepage: http://www.eftp.org/
Platforms tested:
Windows NT 4 /SP6
Windows 2000 /SP2
Windows XP

----------=[ Program info ]=----------
From vendor homepage:
"Encrypted File Transfer Protocol™ release 2 is the fast, easy way to
send and receive files to and from your PC. With data transfer rates
literally unaffected by real time encryption mode, the perfect
solution for total security. Compatible with most other Server or
Client based applications in standard 'non encrypted' mode."

----------=[ Vulnerability information ]=----------
It is possible to see the contents of every drive and directory of
a vulnerable server.
A valid user account is required to exploit this vulnerability.
It works both with and without encryption.
Here's how it's done:
The user is logged in to his home directory (let's say d:\userdir).
When the user issues a CWD to another directory, the server returns
permission denied.
But after first changing directory to "..." (it will chdir to d:\userdir\...),
issuing a CWD to "\" will say permission denied, yet it will
successfully change to the root directory of the current drive.
And every time we want to see a directory's contents, we first CWD to our
home directory, then CWD ..., and then CWD directly to the desired
directory (CWD c:/ or c:/winnt etc.).

So it is possible to see directory contents, but I did not test to see
if there is a possible way to get/put files.

----------=[ Solution ]=----------
Vendor released a fixed version (2.0.8.348) which can be obtained from
vendor's homepage:
http://www.eftp.org/

Best Regards & Happy Xmas

Ertan Kurt

Ertan Kurt
Olympos Security
www.olympos.org

