SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (File Transfer/Sharing)  >   WFTP Vendors:   Texas Imperial Software
WFTPD FTP Server Discloses Any File on the Server to Remote Users that Have Write Privileges on the Server
SecurityTracker Alert ID:  1001888
SecurityTracker URL:  http://securitytracker.com/id/1001888
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Updated:  Jul 2 2001
Original Entry Date:  Jul 2 2001
Impact:   Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  
Version(s): v3.00 R5
Description:   A vulnerability has been reported in WFTPD that allows remote users with write privileges on the FTP server to download any files from the server that are located on the same drive as the FTP server's home directory.

A remote user with write privileges to at least some directory on the FTP server can upload a Windows shortcut file (.lnk) containing a shortcut to a file located anywhere on the FTP server's drive using the following format:

PUT \local.lnk remote.lnk.

The remote user can then download the remote.lnk. file, which will cause the FTP server to follow the shortcut. The WFTPD server reportedly blocks the uploading of Windows shortcut files. However, the trailing dot '.' causes the FTP server to fail to recognize that it is a Windows shortcut file.

The vendor has reportedly been notified.
Impact:   A remote user with write privileges on the FTP server can download any files from the FTP server located on the same drive as the FTP home directory.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.wftpd.com/ (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:   Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000)

Message History:   None.

 Source Message Contents
Date:  Sun, 1 Jul 2001 06:32:54 -0700
Subject:  WFTPD v3.00 R5 Directory Traversal


WFTPD v3.00 R5 Directory Traversal
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

AFFECTED SYSTEMS

WFTPD v3.00 R5

DESCRIPTION

Let's quote the manual on how the *.lnk feature is
supposed to work :

"File Security
Note that since version 2.40, [...] WFTPD handles
shortcuts [...] if a user lists a directory that
contains .LNK files (shortcuts), they will see those
file names (without the ".LNK" extension) followed by
an arrow "->" and the path to the file that the
shortcut references (if that path is available to the
user).  If a link points to a directory, the user must
have some rights to access that directory in order to
follow the link.  If a link points to a file, the
user will have the same access to the file as they
would to any other file in the directory containing
the link.  This is an important point - by placing a
link to a "secured" file into an "unsecured"
directory, the file is essentially no longer secured.
Deleting or renaming a link through the FTP server
deletes or renames only the shortcut, not the item
pointed to.

[...], there is a danger that someone may (if allowed
to) upload a LNK file that contains a shortcut to a
protected area of your disk, and thereby download
private information.  To prevent this, we have
disallowed any method we know of through the FTP
interface to be able to create LNK files.  You will no
longer be able to upload files with an extension
".LNK", and you will not be able to rename files
through WFTPD to have a .LNK extension (unless those
files already have a .LNK extension).  We are aware
that this places some limits on legitimate .LNK files
(such as link input files for developers), but we
believe that the ability to access shortcuts is
important enough to take this protective action."

well such a scenario is possible, by sending the
following command :

PUT \local.lnk remote.lnk.

So basically we just need to append a dot to the lnk
filename to fool WFTPD into accepting a *.lnk file,
and we can traverse the homedirectory.

IMPACT
users with write permissions can traverse directories

VENDOR STATUS
I have contacted Alun Jones <alun@texis.com>

=======================================================
[ByteRage] <byterage@yahoo.com> [www.byterage.cjb.net]
=======================================================

__________________________________________________
Do You Yahoo!?
Get personalized email addresses from Yahoo! Mail
http://personal.mail.yahoo.com/

_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listserv@listserv.ntsecurity.net


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC