OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: ByteRage (byterageyahoo.com)
Date: Fri May 25 2001 - 06:33:14 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    WFTPD 32-bit (X86) 3.00 R5 Directory Traversal /
    Buffer Overflow / DoS

    AFFECTED SYSTEMS

    WFTPD 32-bit (X86) version 3.00 R5 on Windows 95 / 98
    / SE / ME is vulnerable to a directory traversal, all
    versions of windows are likely to be vulnerable to the
    buffer overflow / DoS

    DESCRIPTION

    1) Directory Traversal
    (for the examples given here, I used windows' FTP.EXE
    program as the client, most commands are not the ones
    interpreted by the ftp server, but commands to
    FTP.EXE, actually LS would be LIST, ls would be NLST,
    CD would be CWD, LS -d would be LIST -d, etc...)

    WFTPD v3.00 R5 is vulnerable to a directory traversal
    bug that allows remote users to browse through any
    directory on the victim's harddrive. This is possible
    by sending the command :

    CD .../

    as much as needed to go up in the directory tree then
    you can map out the current directory contents via

    LS

    and dive into the subdirs with CD, using GET to
    retrieve the files of your liking as the permissions
    seem to be incorrect... I think you also have write
    access... ouchy

    2) Buffer Overflow / DoS
    WFTPD also contains a buffer overflow condition when
    trying to map out a directory containing a very long
    filename, that can be combined with our path full of
    dots : an internal buffer overflow will overwrite some
    registers at about 250 chars. Users that have write
    access (to their home dir for example, default
    permission) can create a special 'overflow' file, and
    then map out the directory using LS, effectively
    causing a DoS. The buffer overflow may be
    exploitable and be used to gain access to the remote
    host.

    The bug can be reproduced by placing a file with a
    very long filename (about 255 chars) in the
    rootdirectory, then making a homedirectory for one
    user that has a filename of let's say 20 chars. Then
    if the user logs in, and does something like this :

    CD
    .................................................................../
    CD homedir
    LS

    or even easier :
    just doing something like
    CD ............../
    LS
    CD
    ....................................................................................../
    LS
    CD ......................................./
    LS

    etc... will make wftpd crash eventually, as the dots
    always get appended to the buffer. I have tested this
    bug on Windows 98.

    I also found a similar buffer overflow (at another
    place) when doing this :

    MKDIR
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    CD
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    LS -d

    (the homedir of the user was C:\RESTRICTED\, this also
    might affect the buffer overflow results) As you can
    see, here, the directory traversal bug is not needed,
    hence it is likely to work under NT / 2k...

    WORKAROUND

    The vendor has found a workaround for the directory
    traversal bug and put the following information on
    their site (www.wftpd.com) :

    "
    5/24/2001 - Directory traversal vulnerability -
    Windows 95, 98, ME.

    As noted in the "What's New" section of our most
    recent version, 3.00 R5, there is indeed an effect on
    WFTPD's behaviour caused by the new path name
    expansion code. On Windows 95, 98, and ME, the string
    "..." is understood by the operating system to mean
    "up two directories" - this is not currently expanded
    out in our code, and is hence passed into the
    operating system, leading to the ability of a user to
    venture outside of his/her restrictions, and possibly
    to touch files not in accordance with defined rights.
    Again, as noted in the "What's New" section of our
    help file, this can be disabled by adding the entry
    "GFPNMethod=0" to your WFTPD.INI file, in the
    "[Server]" section. If you do not have a "[Server]"
    section, then it can be created anywhere in the file.
    Do not create two sections labeled "[Server]", as only
    the first will be accessed.

    Thanks go to joetesta for reporting this problem to
    me. Byterage also reported this problem to the
    bugtraq mailing list, but did not contact me first,
    which I consider to be impolite at best. Because there
    is a valid workaround with no functional change, we
    will not be releasing a new version of the software to
    cover this vulnerability. WFTPD and WFTPD Pro are not
    vulnerable on Windows NT or 2000, either with or
    without the GFPNMethod setting."

    greetz,
    [ByteRage]

    PS : I'm not impolite ;)

    __________________________________________________
    Do You Yahoo!?
    Yahoo! Auctions - buy the things you want at great prices
    http://auctions.yahoo.com/