Hexyn-sa-15.txt

`Hexyn / Securax Advisory #15 - G6 FTP Full Installation Path  
  
Topic: G6 FTP Full Installation Path  
Announced: 2001-02-17  
Affects: G6 FTP Server up to version 2.0  
  
DISCLAIMER:  
***********  
THE ENTIRE ADVISORY HAS BEEN BASED UPON TRIAL AND ERROR RESULTS.  
THEREFORE WE CANNOT ENSURE YOU THE INFORMATION BELOW IS 100% CORRECT.  
THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT PRIOR NOTICE.  
  
I. Problem Description  
**********************  
G6 FTP Server is a popular FTP server for Windows 9x/NT. A bug allows  
any user to change to the directory G6 was installed in. Due to good  
programming, the only way to exploit this bug is by viewing the full  
installation path. Downloading the user-file (Users.ini) is impossible.  
  
II. Impact  
**************  
When sending the command "CWD ..:/.." (or "cd ..:/.." in the default  
UNIX FTP client), G6 FTP will try to change to the installation  
directory, but it will give a "Forbidden" error. But when sending the   
command "DELE ..:/unexisting_file" (or typing "delete ..:/fuck_him"),  
G6 will return an error message containing the full path.  
  
Example:  
--------  
  
[t-Omicr0n@10c41b0x:~]$telnet  
telnet> open 31.3.3.7 21  
Trying 31.3.3.7...  
Connected to 31.3.3.7.  
Escape character is ''^]''.  
220 t-Omicr0n FTP Server by G6 FTP Server ready ...   
user anonymous  
331 Anonymous logins allowed. Please use full email as password.  
pass [email protected]  
230 User anonymous logged in.  
=> dele ..:/unexisting_file<newline>  
550 ''/C:/Program Files/G6 FTP Server/unexisting_file'': no such file or  
directory.  
  
  
What happens ?  
*------------*  
Due to the ":", G6 thinks you want to change to another drive. But  
because you use two characters to specify a drive (dd:/ instead of d:/),  
G6 panics and goes directly to the c:\ drive. But because you are  
already on the C drive, in the program directory to be exact, it  
changes to this directory. So now we know we are in the program  
directory. Now, if we do something wrong in the way we get an error  
with the path included, we get the full path of the program directory.  
  
Note:   
- "Show Relative Path" must be OFF (It is off by default, but some say  
it is a violation of the server''s privacy (and it looks unprofessional  
if you ask me) so some admins turn it off.)  
- BUT: Due to another bug in G6 FTP Server, when your users have to be  
able to change disks, admins have keep this off, otherwise it is  
impossible to change to another drive...  
- As far as I tested, this only works with the DELE and the RNFR  
command. The others (RETR, APPE,...) will give a 550: Permission Denied  
error without the path. But DELE is all we need. :)  
  
  
III. Solution  
*************  
There is a temporary solution. When the option "Show Relative Path" is  
checked, G6 FTP will not give out the full path.  
  
At this time, no patch is available yet.  
  
IV. Credits  
***********  
Bug discovered by t-Omicr0n <[email protected]>  
  
Greets to: f0bic, The Incubus, R00T-dude, cicer0, vorlon, sentinel,   
oPr, Reggie, F_F, Shaolin_p, Segfau|t, NecrOmaN, Zym0t1c, l0r3,   
Preat0r, T0SH, zeroX, AreS, tips, Lacrima, GigaByte and everyone   
at #[email protected]  
  
-- t-Omicr0n @ http://t-Omicr0n.hexyn.be  
  
`