WFTPD 32-bit (X86) 3.00 R5 Directory Traversal / Buffer Overflow / DoS

AFFECTED SYSTEMS

WFTPD 32-bit (X86) version 3.00 R5 on Windows 95 / 98 / SE / ME is
vulnerable to the directory traversal. All versions of Windows are likely
to be vulnerable to the buffer overflow / DoS.

DESCRIPTION

1) Directory Traversal

(For the examples given here, I used Windows' FTP.EXE program as the
client, so most of the commands shown are FTP.EXE commands rather than the
ones interpreted by the FTP server: LS would be LIST, ls would be NLST,
CD would be CWD, LS -d would be LIST -d, etc.)

WFTPD v3.00 R5 is vulnerable to a directory traversal bug that allows
remote users to browse any directory on the victim's hard drive. This is
possible by sending the command

    CD .../

as many times as needed to go up the directory tree. On Windows 95 / 98 /
ME the operating system itself understands "..." as "up two directories",
and the server passes the string through to the OS unexpanded, so the
server's own restrictions never see it. You can then map out the current
directory contents with LS, dive into subdirectories with CD, and use GET
to retrieve the files of your liking, as the permissions seem to be
incorrect... I think you also have write access... ouchy

2) Buffer Overflow / DoS

WFTPD also contains a buffer overflow condition when it tries to map out a
directory containing a very long filename; this can be combined with our
path full of dots. An internal buffer overflows and overwrites registers
at about 250 characters. Users that have write access (to their home
directory, for example, the default permission) can create a special
'overflow' file and then map out the directory using LS, effectively
causing a DoS. The buffer overflow may be exploitable and be usable to
gain access to the remote host.

The bug can be reproduced by placing a file with a very long filename
(about 255 chars) in the root directory, then making a home directory for
one user with a name of, let's say, 20 chars.
Then if the user logs in and does something like this:

    CD .................................................................../
    CD homedir
    LS

or, even easier, just doing something like

    CD ............../
    LS
    CD ....................................................................................../
    LS
    CD ......................................./
    LS

etc. will make WFTPD crash eventually, as the dots always get appended to
the buffer. I have tested this bug on Windows 98.

I also found a similar buffer overflow (at another place) when doing this:

    MKDIR AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    CD AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    LS -d

(the home directory of the user was C:\RESTRICTED\, which also might
affect the buffer overflow results). As you can see, the directory
traversal bug is not needed here, hence it is likely to work under
NT / 2k as well.

WORKAROUND

The vendor has found a workaround for the directory traversal bug and put
the following information on their site (www.wftpd.com):

" 5/24/2001 - Directory traversal vulnerability - Windows 95, 98, ME.
As noted in the "What's New" section of our most recent version, 3.00 R5,
there is indeed an effect on WFTPD's behaviour caused by the new path name
expansion code. On Windows 95, 98, and ME, the string "..." is understood
by the operating system to mean "up two directories" - this is not
currently expanded out in our code, and is hence passed into the operating
system, leading to the ability of a user to venture outside of his/her
restrictions, and possibly to touch files not in accordance with defined
rights.
Again, as noted in the "What's New" section of our help file, this can be
disabled by adding the entry "GFPNMethod=0" to your WFTPD.INI file, in the
"[Server]" section. If you do not have a "[Server]" section, then it can
be created anywhere in the file. Do not create two sections labeled
"[Server]", as only the first will be accessed. Thanks go to joetesta for
reporting this problem to me. Byterage also reported this problem to the
bugtraq mailing list, but did not contact me first, which I consider to be
impolite at best. Because there is a valid workaround with no functional
change, we will not be releasing a new version of the software to cover
this vulnerability. WFTPD and WFTPD Pro are not vulnerable on Windows NT
or 2000, either with or without the GFPNMethod setting."

greetz,
[ByteRage]

PS : I'm not impolite ;)
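
Both bugs in the advisory sit on one code path: the server assembles a
filesystem path from the user's root, the current directory and a name
that either the client supplied (CWD, MKD) or was read from disk (LIST).
The C program below is an added example written for this page; it is not
WFTPD's code and not the vendor's GFPNMethod fix. It shows one defensive
layout for that path: every dot-only component such as "..." is rejected
before anything reaches the operating system (so the Windows 9x "up two
directories" expansion can never fire), ".." is honoured only while it
stays inside the user's root, and the assembled path is measured before
it is copied into a fixed buffer rather than strcat'ed into it. The buffer
size of 256 (chosen near the ~250-character threshold the advisory
reports), the depth limit, the user root name "restricted" and all function
names are assumptions made for the example.

```c
/* Added example: server-side path handling for a Windows FTP daemon.
 * NOT WFTPD's code and NOT the vendor's GFPNMethod fix. It models the two
 * checks the advisory implies were missing: reject dot-only components
 * (Win9x treats "..." as "up two dirs") and size the path BEFORE writing
 * it into a fixed buffer. PATH_BUF, MAX_DEPTH, "restricted" are assumed. */
#include <stdio.h>
#include <string.h>

#define PATH_BUF  256   /* fixed path buffer, near the ~250-byte threshold reported */
#define MAX_DEPTH 64    /* components kept on the resolution stack */

enum path_result {
    PATH_OK = 0,
    PATH_ERR_DOTS,     /* component consists only of dots: "...", "......" */
    PATH_ERR_ESCAPE,   /* ".." would climb above the user's root */
    PATH_ERR_TOOLONG,  /* canonical path would not fit the buffer */
    PATH_ERR_BADNAME   /* drive letter or UNC prefix in a client name */
};

/* True if s[0..n) is two or more dots and nothing else. */
static int dot_only(const char *s, size_t n)
{
    if (n < 2) return 0;
    for (size_t i = 0; i < n; i++)
        if (s[i] != '.') return 0;
    return 1;
}

/* Split p on '/' or '\' and apply each component to the component stack.
 * Only pointers into p and lengths are stored; nothing is copied yet. */
static enum path_result push_components(const char *p, const char **comps,
                                        size_t *lens, size_t *depth)
{
    if ((p[0] != '\0' && p[1] == ':') || (p[0] == '\\' && p[1] == '\\'))
        return PATH_ERR_BADNAME;            /* "C:..." or "\\server\..." */
    if (*p == '/' || *p == '\\') {          /* "/" means the USER's root */
        *depth = 0;
        p++;
    }
    while (*p) {
        const char *start = p;
        while (*p && *p != '/' && *p != '\\') p++;
        size_t n = (size_t)(p - start);
        if (*p) p++;                                    /* skip separator */
        if (n == 0 || (n == 1 && start[0] == '.')) continue;
        if (n == 2 && start[0] == '.' && start[1] == '.') {
            if (*depth == 0) return PATH_ERR_ESCAPE;    /* above the jail */
            (*depth)--;
            continue;
        }
        if (dot_only(start, n)) return PATH_ERR_DOTS;   /* never reaches the OS */
        if (*depth >= MAX_DEPTH) return PATH_ERR_TOOLONG;
        comps[*depth] = start;
        lens[*depth]  = n;
        (*depth)++;
    }
    return PATH_OK;
}

/* Resolve `request` (a CWD/MKD argument or a directory entry name) against
 * `cwd` (already canonical, '/'-separated, relative to the user's root) and
 * write the canonical "a/b/c" form to out ("" means the root itself). */
enum path_result resolve_path(const char *cwd, const char *request,
                              char *out, size_t outsz)
{
    const char *comps[MAX_DEPTH];
    size_t lens[MAX_DEPTH], depth = 0, need = 0, pos = 0;
    enum path_result r;

    if ((r = push_components(cwd, comps, lens, &depth)) != PATH_OK) return r;
    if ((r = push_components(request, comps, lens, &depth)) != PATH_OK) return r;

    /* Bounded join: strcpy/strcat of the same pieces straight into a fixed
     * buffer, with no length check, is the overflow class described above. */
    for (size_t i = 0; i < depth; i++) need += lens[i] + (i ? 1 : 0);
    if (need + 1 > outsz) return PATH_ERR_TOOLONG;
    for (size_t i = 0; i < depth; i++) {
        if (i) out[pos++] = '/';
        memcpy(out + pos, comps[i], lens[i]);
        pos += lens[i];
    }
    out[pos] = '\0';
    return PATH_OK;
}

/* Demo helpers: resolve against an assumed user root "restricted". */
static char demo_out[PATH_BUF];
enum path_result demo_resolve(const char *request)
{
    return resolve_path("restricted", request, demo_out, sizeof demo_out);
}
const char *demo_result(void) { return demo_out; }

/* A request of n copies of c, like the advisory's runs of '.' or 'A'. */
enum path_result resolve_repeated(char c, size_t n)
{
    char name[PATH_BUF + 64];
    if (n >= sizeof name) n = sizeof name - 1;
    memset(name, c, n);
    name[n] = '\0';
    return demo_resolve(name);
}

int main(void)
{
    static const char *names[] = { "OK", "DOTS", "ESCAPE", "TOOLONG", "BADNAME" };
    const char *cases[] = { "pub/../docs", "/pub", ".../", "../..", "C:\\WINDOWS", NULL };
    for (int i = 0; cases[i]; i++) {
        enum path_result r = demo_resolve(cases[i]);
        printf("%-12s -> %-8s %s\n", cases[i], names[r], r == PATH_OK ? demo_result() : "");
    }
    printf("100 x '.'    -> %s\n", names[resolve_repeated('.', 100)]);
    printf("255 x 'A'    -> %s\n", names[resolve_repeated('A', 255)]);
    return 0;
}
```

The ".../" request and the hundred-dot CWD fail with PATH_ERR_DOTS before
any OS call, "../.." fails with PATH_ERR_ESCAPE, and a 255-character name
fails with PATH_ERR_TOOLONG instead of overrunning the buffer; "/pub" is
confined to the user's root rather than the drive root. The check on
dot-only names deliberately covers any run of dots, since DOS-style path
handling extends the "..." rule to longer runs; trailing dots on an
otherwise normal name are a separate Windows quirk this example does not
address.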
This archive was generated by hypermail 2b30 : Fri May 25 2001 - 08:30:42 PDT