smartftp.txt

`I found a bug in the SmartFTP-D Server which will give an attacker full  
access to the server, if he has the right to write files on the server. For  
every user, the program is checking if a special Userfile exists (Sample:  
Username=hacker & Userfile=hacker.FTP_User). If it exists, the configuration,  
like password, rights, etc. will be read out of this file. The program doesn't  
check for bad characters, so by using "..\" you can switch to other  
directorys. If an attacker has an account on the machine, where he can write files,  
he can use this to get full access to the whole machine! Let's take this  
example: Upload directory is D:\Upload and SmartFTP-D is installed in  
D:\Program Files\SmartFTP Daemon. An attacker would upload a file called  
exploit.FTP_User, which includes his own password and the rigths, he wishes to have. If  
he now uses the Username "..\..\..\..\..\Upload\exploit", his uploaded  
Userfile will be used and he can login.  
  
mindstorm networks has been informed about this bug and a fix should be  
available soon. Until they will release a fix, you can get my unofficial  
HotFix at my homepage, which will implement the missing check-function for bad  
characters in the Username.  
  
-Moritz  
  
--  
Moritz Jodeit  
http://jodeit.cjb.net  
`