[24225] in bugtraq
InstantServers MiniPortal Multiple Vulnerabilities
daemon@ATHENA.MIT.EDU (Strumpf Noir Society)
Sat Feb 9 17:40:40 2002
Date: Sat, 9 Feb 2002 22:48:35 +0100
From: Strumpf Noir Society <vuln-dev@labs.secureance.com>
Reply-To: Strumpf Noir Society <vuln-dev@labs.secureance.com>
Message-ID: <13339303505.20020209224835@labs.secureance.com>
To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Strumpf Noir Society Advisories
! Public release !
<--#
-= InstantServers MiniPortal Multiple Vulnerabilities =-
Release date: Saturday, February 9, 2002
Introduction:
InstantServers' MiniPortal provides a complete solution for fast
and easy web site hosting on a Windows PC. It features a (Apache-
based) HTTP server as well as a FTP server by default.
MiniPortal is available from vendor InstantServers' website:
http://www.instantservers.com
Problem(s):
The FTP server coming with MiniPortal contains multiple
vulnerabilities which could be exploited by an attacker to obtain
user account information, read access to any file on the local HD
and which could lead to arbitrary code execution.
MiniPortal Plaintext Account and Session Data
MiniPortal stores its account information in plaintext .pwd files
in the miniportal/apache directory. Also, full login and session
data is stored plaintext in the file miniportal/mplog.txt. Through
either physical access to the system or by abusing below described
directory traversal problem, elevated privileges could be obtained
on the system in question by retrieving these files.
MiniPortal Directory Traversal Vulnerability
The FTP server supplied with MiniPortal does not properly restrict
access to files outside of the user directory. By using a 'triple
dot' notation ('.../file.ext') an attacker can break out of this
directory and obtain read access to any file on the local disk.
(This vulnerability only seems to work on WinNT/Win2k server systems,
a discussion in regards to why this is is still going on on the
vuln-dev list :)
MiniPortal Login Buffer Overflow Vulnerability
Due to improper bounds checking, a buffer overflow condition is in
existence in one of the logging routines of said FTP server. This
can be exploited by supplying the server with overly long (>4093
bytes) input at login. Besides crashing the FTP server, this can be
exploited to execute arbitrary code on the system.
(..)
Solution:
Vendor has been notified and has made version MiniPortal v1.1.6
available, which supplies fixes/workarounds for these issues.
This was tested against MiniPortal v1.1.5 on Win2k.
yadayadayada
SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html)
compliant, all information is provided on AS IS basis.
EOF, but Strumpf Noir Society will return!
