Broker FTP unauthorized directory browsing and plain text password storing

2000-11-24T00:00:00
ID SECURITYVULNS:DOC:968
Type securityvulns
Reporter Securityvulns
Modified 2000-11-24T00:00:00

Description



403-SECURITY advisory



Issue: Broker FTP unauthorized directory browsing and plain text password storing

Author: Astral [astral@403-security.org]

Discovered: 07.11.2000
Published: 22.11.2000
Version: 4.7.5.0 (others are probably vulnerable too)
Vendor: TransSoft

I. Description: Broker FTP is a powerful FTP server that runs on the Windows platform; it can be administered through a Web browser.

II. Problem: Broker FTP is vulnerable to two very dangerous attacks. The first allows an attacker to browse the server's whole disk, while the second allows an attacker to fetch passwords and account information easily. The password is also written to the log files (in plain text, but it shouldn't be written there anyway !?).

NOTE: We take no responsibility for damage caused by this example.

III. 1st problem: Anyone, including anonymous users, can browse the whole server disk very simply. Example:

Connected to 127.0.0.1.
220 FTP Server ready [***]
User (127.0.0.1:(none)): anonymous
331 Password required for anonymous.
Password: anything
230 User anonymous logged in.
ftp> ls x:\

where x is the letter of the hard drive you want to browse.

IV. 2nd problem: The administrator password is stored in %%WinDir%%\BrokerProfiles.Dat in plain-text format (it could be ROT13 encrypted at least ;-) ). Other accounts and user information (rights, telephone, fax ...) are stored in %%ProgramDir%%\Data\Users in the following format:

username|passwd|30.12.1899|30.12.1899|homedir||name|fax|phone|address||0|rights|0|login message|logoff message|Maximum transfer speed

RIGHTS are stored in this format: xxxxxxxxxxx
If x is 1 then the user has access to that feature, and if it's 0 the user doesn't.
1st number: User can ZIP files on remote computer
2nd number: User can UNZIP files on remote server
3rd number: User can COPY files on remote server
4th number: User can EXECUTE files on remote server
5th number: User can CHANGE PASSWORD on server
6th number: User can DOWNLOAD files
7th number: User can UPLOAD files
8th number: User can CREATE DIRECTORIES
9th number: User can REMOVE DIRECTORIES
10th number: User can DELETE files
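An administrator can audit the user file described above by decoding each record's rights string and reporting accounts that hold a clear-text password or powerful rights. This is an added example, not part of the original advisory or the vendor's software; the field indexes follow the layout above, while the sample records and the choice of which rights count as high-risk are assumptions.

```python
"""Audit Broker FTP user records in the layout given in this advisory (added example)."""

# Right names in the order the advisory lists them (10 named positions).
RIGHT_NAMES = ["ZIP", "UNZIP", "COPY", "EXECUTE", "CHANGE PASSWORD", "DOWNLOAD",
               "UPLOAD", "CREATE DIRECTORIES", "REMOVE DIRECTORIES", "DELETE"]
# Assumption: which rights an auditor treats as high-risk is this example's choice.
HIGH_RISK = {"EXECUTE", "UPLOAD", "DELETE", "REMOVE DIRECTORIES"}
USERNAME, PASSWD, HOMEDIR, RIGHTS = 0, 1, 4, 12  # indexes after splitting on "|"

def decode_rights(bits):
    """Return the names of the rights whose position holds '1'."""
    if not bits or set(bits) - {"0", "1"}:
        raise ValueError("rights field must contain only 0 and 1: %r" % bits)
    granted = [name for name, bit in zip(RIGHT_NAMES, bits) if bit == "1"]
    # The advisory shows 11 positions but names 10; report extra set bits as unnamed.
    for pos in range(len(RIGHT_NAMES), len(bits)):
        if bits[pos] == "1":
            granted.append("UNNAMED-%d" % (pos + 1))
    return granted

def audit_record(line):
    """Return findings for one record; the stored password is never echoed."""
    fields = line.rstrip("\r\n").split("|")
    if len(fields) <= RIGHTS:
        raise ValueError("expected at least %d fields, got %d" % (RIGHTS + 1, len(fields)))
    granted = decode_rights(fields[RIGHTS])
    risky = [r for r in granted if r in HIGH_RISK]
    findings = []
    if fields[PASSWD]:
        findings.append("password stored in clear text")
    if fields[USERNAME].lower() == "anonymous" and risky:
        findings.append("anonymous account holds high-risk rights")
    findings += ["right granted: " + r for r in risky]
    return {"user": fields[USERNAME], "home": fields[HOMEDIR],
            "rights": granted, "findings": findings}

# Constructed sample records (not taken from a real server).
SAMPLE = [
    "|".join(["alice", "s3cret", "30.12.1899", "30.12.1899", "C:\\ftp\\alice", "", "Alice",
              "", "", "", "", "0", "00011110000", "0", "hi", "bye", "0"]),
    "|".join(["anonymous", "", "30.12.1899", "30.12.1899", "C:\\ftp\\pub", "", "",
              "", "", "", "", "0", "00000100000", "0", "", "", "0"]),
]

if __name__ == "__main__":
    for record in SAMPLE:
        print(audit_record(record))
```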

V. Fix: The vendor has issued a new version to fix these two problems. Download:
NT/2000: http://www.transsoft.com/broker/updates/broker40nt.exe
Win95/98: http://www.transsoft.com/broker/updates/broker40b.exe
{Vendor was extremely friendly and professional}

This advisory is RFPolicy [http://www.wiretrip.net/rfp/policy.html] compatible