From: ByteRage (byterageyahoo.com)
Date: Sat May 26 2001 - 11:44:47 CDT

    GuildFTPD v0.97 Directory Traversal / Weak password encryption

    AFFECTED SYSTEMS

    GuildFTPD v0.97
    tested on Windows 9x, probably works on NT / 2k as
    well

    DESCRIPTION

    1) Directory Traversal
    Consider the following FTP session (I'm using windows'
    FTP.EXE proggie, and its associated commands) :

    The following commands :
    CD ../
    CD .../
    CD /.../
    CD c:\
    etc...
    all give "550 Access denied." errors, so the frontdoor
    seems to be closed... The following stuff *does* work
    however :

    LS /../*

    This way, we can map out the whole harddrive...
    other example : LS /../../windows/*

    Now, to retrieve a file, do something like :

    GET /../windows/system.ini c:\received-file.txt

    2)
    And another thing... I don't want to whine to the guys
    who wrote this program, but storing the user:password
    pairs in plaintext in the program directory (the
    default.usr & default?.usr files) is asking for
    trouble : most ftp servers at least provide some way of
    encryption / hashing... when you combine this with the
    traversal bug, anyone can get the passwords of all the
    users by grabbing the default.usr file.

    VENDOR STATUS

    I have sent this advisory to both DrPhibez
    <guildftpdztnet.com> and Nitro187 (Matthew
    Flewelling) <nitrozophar.net>, the programmers of
    GuildFTPD

    =======================================================
    [ByteRage] <byterageyahoo.com> [www.byterage.cjb.net]
    =======================================================
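
Added example (not part of the original advisory and not GuildFTPD code): the behaviour in item 1 is consistent with a path check that runs for CD but not for LS and GET arguments, so this Python sketch sends every path-bearing command (CWD, NLST/LIST, RETR, the wire forms of CD, LS and GET) through one routine that confines it to the share root. The root `C:\ftproot`, the function names and the in-root sample paths are assumptions.

```python
import ntpath  # Windows path rules, usable on any host OS

FTP_ROOT = r"C:\ftproot"  # assumed share root (constructed)
PATH_COMMANDS = {"CWD", "NLST", "LIST", "RETR"}  # wire forms of CD / LS / GET


class AccessDenied(Exception):
    """Corresponds to the '550 Access denied.' reply."""


def resolve(arg, cwd="/", root=FTP_ROOT):
    """Map a client-supplied path to a local path that stays under root."""
    drive, rest = ntpath.splitdrive(arg.replace("/", "\\"))
    if drive:  # c:\ or \\host\share
        raise AccessDenied(arg)
    if not rest.startswith("\\"):  # relative: prepend the virtual cwd
        rest = cwd.replace("/", "\\") + "\\" + rest
    parts = [p for p in rest.split("\\") if p not in ("", ".")]
    for p in parts:
        # Reject '...' style dot runs and embedded drive/stream colons
        if ":" in p or (len(p) > 2 and set(p) == {"."}):
            raise AccessDenied(arg)
    local = ntpath.normpath(ntpath.join(root, *parts))
    base = ntpath.normcase(ntpath.normpath(root))
    # Compare whole components, so C:\ftproot2 does not pass as C:\ftproot
    if ntpath.commonpath([base, ntpath.normcase(local)]) != base:
        raise AccessDenied(arg)
    return local


def allowed(command, arg, cwd="/"):
    """True if the command's path argument stays inside the share."""
    if command.upper() not in PATH_COMMANDS:
        return True
    try:
        resolve(arg, cwd)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    # Paths taken from the advisory, plus two constructed in-root ones
    for cmd, arg in [("CWD", "../"), ("CWD", ".../"), ("CWD", "c:\\"),
                     ("NLST", "/../*"), ("NLST", "/../../windows/*"),
                     ("RETR", "/../windows/system.ini"),
                     ("NLST", "pub/*"), ("RETR", "/pub/readme.txt")]:
        print(cmd, arg, "->", "ok" if allowed(cmd, arg) else "550 Access denied.")
```

The wildcard stays in the returned path, so a listing handler would expand it only after the directory part has passed the check.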
