WFTPD 32-bit (X86) 3.00 R5 Directory Traversal / Buffer Overflow / DoS

[ByteRage <byterage () yahoo com>]

WFTPD 32-bit (X86) 3.00 R5 Directory Traversal /
Buffer Overflow / DoS

AFFECTED SYSTEMS

WFTPD 32-bit (X86) version 3.00 R5 on Windows 95 / 98
/ SE / ME is vulnerable to a directory traversal, all
versions of windows are likely to be vulnerable to the
buffer overflow / DoS

DESCRIPTION

1) Directory Traversal
(for the examples given here, I used windows' FTP.EXE
program as the client, most commands are not the ones
interpreted by the ftp server, but commands to
FTP.EXE, actually LS would be LIST, ls would be NLST,
CD would be CWD, LS -d would be LIST -d, etc...)

WFTPD v3.00 R5 is vulnerable to a directory traversal
bug that allows remote users to browse through any
directory on the victim's harddrive. This is possible
by sending the command :

CD .../

as much as needed to go up in the directory tree then
you can map out the current directory contents via

LS

and dive into the subdirs with CD, using GET to
retrieve the files of your liking as the permissions
seem to be incorrect... I think you also have write
access... ouchy

2) Buffer Overflow / DoS
WFTPD also contains a buffer overflow condition when
trying to map out a directory containing a very long
filename, that can be combined with our path full of
dots : an internal buffer overflow will overwrite some
registers at about 250 chars. Users that have write
access (to their home dir for example, default
permission) can create a special 'overflow' file, and
then map out the directory using LS, effectively
causing a DoS. The buffer overflow may be exploitable
and be used to gain access to the remote host.

The bug can be reproduced by placing a file with a
very long filename (about 255 chars) in the
rootdirectory, then making a homedirectory for one
user that has a filename of let's say 20 chars. Then
if the user logs in, and does something like this :

CD
.................................................................../
CD homedir
LS

or even easier :
just doing something like
CD ............../
LS
CD
....................................................................................../
LS
CD ......................................./
LS

etc... will make wftpd crash eventually, as the dots
always get appended to the buffer. I have tested this
bug on Windows 98.

I also found a similar buffer overflow (at another
place) when doing this :

MKDIR
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
CD
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
LS -d

(the homedir of the user was C:\RESTRICTED\, this also
might affect the buffer overflow results) As you can
see, here, the directory traversal bug is not needed,
hence it is likely to work under NT / 2k...

WORKAROUND

The vendor has found a workaround for the directory
traversal bug and put the following information on
their site (www.wftpd.com) :

"
5/24/2001 - Directory traversal vulnerability -
Windows 95, 98, ME.

As noted in the "What's New" section of our most
recent version, 3.00 R5, there is indeed an effect on
WFTPD's behaviour caused by the new path name
expansion code.  On Windows 95, 98, and ME, the string
"..." is understood by the operating system to mean
"up two directories" - this is not currently expanded
out in our code, and is hence passed into the
operating system, leading to the ability of a user to
venture outside of his/her restrictions, and possibly
to touch files not in accordance with defined rights. 
Again, as noted in the "What's New" section of our
help file, this can be disabled by adding the entry
"GFPNMethod=0" to your WFTPD.INI file, in the
"[Server]" section.  If you do not have a "[Server]"
section, then it can be created anywhere in the file. 
Do not create two sections labeled "[Server]", as only
the first will be accessed.

Thanks go to joetesta for reporting this problem to
me.  Byterage also reported this problem to the
bugtraq mailing list, but did not contact me first,
which I consider to be impolite at best. Because there
is a valid workaround with no functional change, we
will not be releasing a new version of the software to
cover this vulnerability.  WFTPD and WFTPD Pro are not
vulnerable on Windows NT or 2000, either with or
without the GFPNMethod setting."

======================================================[ByteRage]
<byterage () yahoo com> [www.byterage.cjb.net]
======================================================



__________________________________________________
Do You Yahoo!?
Yahoo! Auctions - buy the things you want at great prices
http://auctions.yahoo.com/