
dna-1999-002.htm

Posted Dec 13, 1999
Authored by Erik Iverson | Site dragonmount.net

Dragonmount Networks Advisory - DNA1999-002: Fictional Daemon (an FTP and telnet server) contains several security problems, including possible DoS attacks, probable remote execution of code, and poor logging practices. In addition, any user with write permission can retrieve or delete any file on the system, even above the root directory.

tags | remote, root
SHA-256 | f35dfe1dd5a0a5d04eff0de52b28e065943dab9688194e2f0a7b1e8f3f4c1858

<!DOCTYPE HTML PUBLIC "html.dtd">
<HTML>

<HEAD>
<META CONTENT="text/html; charset=windows-1252" HTTP-EQUIV="Content-Type">
<META NAME="GENERATOR" CONTENT="Microsoft FrontPage 4.0">
<META NAME="ProgId" CONTENT="FrontPage.Editor.Document">
<TITLE>DNA</TITLE>
<LINK TYPE="text/css" REL="stylesheet" HREF="http://www.dragonmount.net/styles.css">

<META NAME="Microsoft Border" CONTENT="tb, default"></HEAD>

<BODY><!-- msnavigation--><TABLE WIDTH="100%" CELLSPACING="0" BORDER="0" CELLPADDING="0"><TR><TD>


</TD></TR><!-- msnavigation--></TABLE><!-- msnavigation--><TABLE WIDTH="100%" CELLSPACING="0" CELLPADDING="0" BORDER="0"><TR><!-- msnavigation--><TD VALIGN="top">

<TABLE WIDTH="750" CELLSPACING="0" CELLPADDING="0" BORDER="0">
<TR>
<TD WIDTH="140" VALIGN="top" ALIGN="right"><!-- webbot bot="Include" u-include="../nav-sec.htm" tag="BODY" startspan -->


<!-- webbot bot="Include" endspan i-checksum="39432" -->
<P>&nbsp;</TD>
<TD WIDTH="17" VALIGN="top" ALIGN="center"><IMG WIDTH="1" SRC="http://www.dragonmount.net/images/orangepixel.gif" HEIGHT="100%" BORDER="0"></TD>
<TD VALIGN="top">
<H1 CLASS="sec-H1">DNA 1999-002: Fictional Telnet/FTP Daemon</H1>
<P CLASS="sec-text">'Tis the season for DoS attacks and the like against
closed-source Windows servers, especially ones of the telnet, FTP
and e-mail variety. Here's one more.</P>
<P CLASS="sec-H2">Vendor:</P>
<P CLASS="sec-text"><A HREF="http://www.fictional.net/" CLASS="sec">Fictional.net</A></P>
<P CLASS="sec-H2">Vendor Status:</P>
<P CLASS="sec-text"><B>December 10, 1999:</B> We notified the vendor of
the issues.</P>
<P CLASS="sec-H2">Program:</P>
<P CLASS="sec-text">Fictional Daemon (Telnet/FTP Daemon)<BR>
Version 3.1 (Possibly/Probably previous versions)</P>
<P CLASS="sec-H2">Platforms:</P>
<P CLASS="sec-text">All versions of 32-bit Windows</P>
<P CLASS="sec-H2">Risk:</P>
<P CLASS="sec-text">High</P>
<P CLASS="sec-H2">Problem:</P>
<P CLASS="sec-text">Several problems, including possible DoS attacks,
probable remote execution of code, and poor logging practices. In
addition, any user with write permission can retrieve or delete any file
on the system, even above the root directory.</P>
<P CLASS="sec-H2">Solution:</P>
<P CLASS="sec-text">Users: Cease use of this program until a fix is
available from the vendor. </P>
<P CLASS="sec-text">Vendor: Do bounds checking on the CMD command. Do
better permission checking on the FTP server, including directory
traversal checking. Do not log the password supplied in a failed login
attempt; the invalid username and the IP should suffice.</P>
<P CLASS="sec-H2">Details:</P>
<P CLASS="sec-text">1) Denial of Service: Users who are allowed Execution
privileges on the telnet server can perform a denial of service attack
against the server and machine. By using the "CMD" command,
which allows the remote execution of programs, users can send a long
string and crash the server and/or machine. Send the CMD command followed
by roughly 10000 characters (multiple times in a row helps). Each one of
these "CMD" commands will spawn a DOS box on the server machine
with an invalid instruction fault. The effects of this are rather
sporadic, ranging from the Blue Screen of Death to sending the server into
"not responding" mode, thus denying connections.</P>
<P CLASS="sec-text">2) Logging practices are poor. Upon receiving a bad
username/password, the combination is logged to a file in plain text. Users
with console access to the machine may retrieve this file (in the default
installation directory), but an even bigger problem with this is described
next. The reason it is bad to log these things at all, especially in plain
text, is that people who view the file will see passwords that may have
been off by one or two characters and will easily be able to guess the
users' passwords. This, combined with the next vulnerability, makes for a bad
combination.</P>
<P CLASS="sec-text">3) It appears that even if the root is set at a
certain directory, no checking is done on either a RETR (get) or a DELE
(delete) command. Using a non-administrator account, I was able to
retrieve and delete files in the C:\ root of my file system, when I had
specified the program's installation directory as my FTP root. This is
obviously not a good thing, as users who know the name of files (e.g.,
common system files) can retrieve or delete them. This includes the log
file along with any sensitive information stored on the system.</P>
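<P CLASS="sec-text">The root check that the Solution section asks the vendor to add for RETR and DELE, sketched as an added example (not code from Fictional Daemon or from this advisory). The names <CODE>ftp_confine</CODE> and <CODE>MAX_ARG</CODE> and the <CODE>D:\ftproot</CODE> root are assumptions made for illustration; the check is lexical only and caps the argument length before anything is copied.</P>

```c
#include <stdio.h>
#include <string.h>

#define MAX_ARG 260  /* assumed cap on a RETR/DELE argument */

/* Hypothetical helper: map an FTP path argument onto a file below ftp_root.
 * Returns 0 and fills out, or -1 if the request must be refused. */
int ftp_confine(const char *ftp_root, const char *arg, char *out, size_t outsz)
{
    char buf[MAX_ARG + 2];
    size_t seg_start[MAX_ARG / 2 + 1];  /* offset in buf where each kept segment begins */
    size_t depth = 0, len = 0, n = strlen(arg);
    if (n == 0 || n > MAX_ARG) return -1;   /* bounds check before any copy */
    if (strchr(arg, ':')) return -1;        /* drive letters, alternate streams */

    for (const char *p = arg; *p; ) {
        while (*p == '/' || *p == '\\') p++;    /* Windows accepts both separators */
        size_t seg = strcspn(p, "/\\");
        if (seg == 0) break;
        if (seg == 2 && p[0] == '.' && p[1] == '.') {
            if (depth == 0) return -1;          /* would climb above the FTP root */
            len = seg_start[--depth];           /* drop the previous segment */
        } else if (!(seg == 1 && p[0] == '.')) {
            /* Win32 strips trailing dots/spaces, so "..." or ".. " is ambiguous */
            if (p[seg - 1] == '.' || p[seg - 1] == ' ') return -1;
            seg_start[depth++] = len;
            buf[len++] = '\\';
            memcpy(buf + len, p, seg);
            len += seg;
        }
        p += seg;
    }
    if (len == 0) return -1;                    /* names the root, not a file */
    buf[len] = '\0';
    int w = snprintf(out, outsz, "%s%s", ftp_root, buf);
    return (w < 0 || (size_t)w >= outsz) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample arguments; D:\ftproot is a made-up root. */
    const char *args[] = { "pub/readme.txt", "pub/../../boot.ini", "..\\boot.ini" };
    char path[512];
    for (size_t i = 0; i < sizeof args / sizeof args[0]; i++) {
        int rc = ftp_confine("D:\\ftproot", args[i], path, sizeof path);
        printf("%-22s -> %s\n", args[i], rc == 0 ? path : "REFUSED");
    }
    return 0;
}
```

<P CLASS="sec-text">A production server would additionally resolve the resulting path with the operating system and compare it against the resolved root before opening or deleting the file, since a lexical check does not see links or short file names.</P>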
<P CLASS="sec-text">Release: December 10, 1999<BR>
<BR>
Dragonmount Networks Advisory 1999-002 [DNA-1999-002]<BR>
Erik Iverson<BR>
<A HREF="mailto:erik@dragonmount.net" CLASS="sec">erik@dragonmount.net</A><BR>
<A HREF="http://www.dragonmount.net/" CLASS="sec">http://www.dragonmount.net</A><BR>
</TD>
</TR>
</TABLE>
&nbsp;

<!-- msnavigation--></TD></TR><!-- msnavigation--></TABLE><!-- msnavigation--><TABLE WIDTH="100%" CELLSPACING="0" CELLPADDING="0" BORDER="0"><TR><TD>

<TABLE WIDTH="750" CELLSPACING="0" CELLPADDING="0" BORDER="0">
<TR>
<TD WIDTH="25"></TD>
<TD WIDTH="718">
<P CLASS="footertext" ALIGN="center">This page was last modified Friday, December 10, 1999<BR>
Copyright 1999 Dragonmount Networks. All rights reserved.<BR>
</TD>
</TR>
</TABLE>
<P>&nbsp;

</TD></TR><!-- msnavigation--></TABLE></BODY>

</HTML>