WFTPD 32-bit (X86) 3.00 R5 Directory Traversal / Buffer Overflow / DoS

AFFECTED SYSTEMS

WFTPD 32-bit (X86) version 3.00 R5, probably others

DESCRIPTION

1) Directory Traversal

WFTPD v3.00 R5 is vulnerable to a directory traversal bug that allows remote users to browse through any directory on the victim's hard drive. This is possible by sending the command:

CD .../

as many times as needed to go up in the directory tree. You can then map out the current directory contents via LS and dive into the subdirs with CD, using GET to retrieve the files of your liking ;)

2) Buffer Overflow / DoS

WFTPD also contains a buffer overflow condition when trying to map out a directory containing a very long filename, combined with our path full of dots: an internal buffer overflow will overwrite some registers at about 250 chars. Users that have write access (to their home dir for example, default permission) can create a special 'overflow' file, and then map out the directory using LS, effectively causing a DoS.

The buffer overflow may be exploitable and be used to gain SYSTEM privileges on the remote host.

In brief, when we would want to exploit the bof we would:

First have to find out what our homedir's name is on the victim machine, because our buffer consists of something like:

C:\OUR_HOMEDIR_BUT_WE_DONT_KNOW_THE_LENGTH\............\OUR_HOMEDIR_BUT_WE_DONT_KNOW_THE_LENGTH\FILE_WITH_LONG_FILENAME_WHICH_WE_HAVE_CREATED_THAT_MAKES_THE_OVERFLOW_HAPPEN

So, basically, we need to know the length of the home directory to know where our EIP is at... Using the traversal bug, listing out the directory contents, we can figure this out. In practice it might be easier to find this out, but this is just a first idea...

Then we would log in as the same user, create the file with the long filename in our home directory, go to root (\) using as many dots as needed to position our new EIP, go back into our home directory and issue an LS command, causing the buffer overflow.
yours faithfully,
[ByteRage]
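
A defensive counterpart to the two conditions described above, as an added example (not WFTPD code and not from the advisory's author): a path resolver that refuses dot-only components such as `...` and bounds the composed path instead of copying it unchecked. The names `resolve_vpath` and `push_components` and the `VPATH_MAX` limit of 260 are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define VPATH_MAX 260 /* assumed cap (Windows MAX_PATH); not a value from the advisory */

/* Append the components of src to the virtual path in out ("/" or "/a/b").
 * Returns 0 on success, -1 if the request must be refused. */
static int push_components(char *out, size_t outsz, const char *src)
{
    size_t len = strlen(out);
    while (*src) {
        size_t n = strcspn(src, "/\\");            /* either separator ends a component */
        if (n > 0 && strspn(src, ". ") == n) {     /* made only of dots and spaces */
            if (n == 2 && src[0] == '.' && src[1] == '.') {
                while (len > 1 && out[len - 1] != '/') len--;  /* drop last name */
                if (len > 1) len--;                            /* and its slash */
                out[len] = '\0';                   /* ".." at the root stays at the root */
            } else if (!(n == 1 && src[0] == '.')) {
                return -1;                         /* "...", "....", ". ." and similar */
            }
        } else if (n > 0) {
            size_t need = len + (len > 1) + n + 1; /* slash + name + NUL */
            if (need > outsz || need > VPATH_MAX) return -1;   /* refuse, never truncate */
            if (len > 1) out[len++] = '/';
            memcpy(out + len, src, n);
            len += n;
            out[len] = '\0';
        }
        src += n;
        if (*src) src++;                           /* step over the separator */
    }
    return 0;
}

/* Resolve FTP argument arg against the session directory cwd; both are virtual
 * paths rooted at the user's home. Returns 0 and fills out, or -1 to refuse. */
int resolve_vpath(const char *cwd, const char *arg, char *out, size_t outsz)
{
    if (outsz < 2 || strchr(arg, ':')) return -1;  /* no drive letters or streams */
    strcpy(out, "/");
    if (arg[0] != '/' && arg[0] != '\\' && push_components(out, outsz, cwd)) return -1;
    return push_components(out, outsz, arg);
}

int main(void)
{
    char buf[VPATH_MAX];
    printf("%d\n", resolve_vpath("/", ".../", buf, sizeof buf));  /* constructed input */
    return 0;
}
```

Only the resolved virtual path is joined to the real home directory afterwards, and the same length check applies to every filename returned by a directory listing before it is appended to that path.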
This archive was generated by hypermail 2b30 : Sat Jun 02 2001 - 19:55:53 PDT