Hexyn / Securax Advisory #15 - G6 FTP Full Installation Path

Topic: G6 FTP Full Installation Path
Announced: 2001-02-17
Affects: G6 FTP Server up to version 2.0

DISCLAIMER:
***********
THE ENTIRE ADVISORY HAS BEEN  BASED  UPON   TRIAL  AND  ERROR  RESULTS.
THEREFORE WE CANNOT ENSURE YOU THE INFORMATION BELOW IS  100%  CORRECT.
THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT  PRIOR  NOTICE.

I. Problem Description
**********************
G6 FTP Server is a popular FTP server for Windows 9x/NT. A  bug  allows
any user to change to the directory G6 was installed in.  Due  to  good
programming, the only way to exploit this bug is by  viewing  the  full
installation path. Downloading the user-file (Users.ini) is impossible.

II. Impact
**************
When sending the command "CWD ..:/.." (or "cd ..:/.."  in  the  default
UNIX FTP client), G6  FTP  will  try  to  change  to  the  installation
directory, but it will give a "Forbidden" error. But when  sending  the 
command "DELE ..:/unexisting_file"  (or typing "delete ..:/fuck_him"),
G6 will return an error message containing the full path.

Example:
--------

[t-Omicr0n@10c41b0x:~]$telnet
telnet> open 31.3.3.7 21
Trying 31.3.3.7...
Connected to 31.3.3.7.
Escape character is ''^]''.
220 t-Omicr0n FTP Server by G6 FTP Server ready ...  
user anonymous
331 Anonymous logins allowed. Please use full email as password.
pass me@me.com
230 User anonymous logged in.
=> dele ..:/unexisting_file<newline>
550 ''/C:/Program Files/G6 FTP Server/unexisting_file'': no such file or
directory.


What happens ?
*------------*
Due to the ":", G6 thinks you want to  change  to  another  drive.  But
because you use two characters to specify a drive (dd:/ instead of d:/),
G6 panics and goes directly to the  c:\  drive.  But  because  you  are
already on the C drive, in  the  program  directory  to  be  exact,  it
changes to this directory. So  now  we  know  we  are  in  the  program
directory. Now, if we do something wrong in the way  we  get  an  error
with the path included, we get the full path of the program directory.

Note: 
- "Show Relative Path" must be OFF (It is off by default, but some say
it is a violation of the server''s privacy (and it looks unprofessional
if you ask me) so some admins turn it off.)
- BUT: Due to another bug in G6 FTP Server, when your users have to be
able to change disks, admins have keep this off, otherwise it is
impossible to change to another drive...
- As far as I tested, this only works with the DELE and the RNFR
command. The others (RETR, APPE,...) will give a 550: Permission Denied
error without the path. But DELE is all we need. :)


III. Solution
*************
There is a temporary solution. When the option "Show Relative Path"  is
checked, G6 FTP will not give out the full path.

At this time, no patch is available yet.

IV. Credits
***********
Bug discovered by t-Omicr0n <omicr0n@themail.com>

Greets to: f0bic, The Incubus, R00T-dude, cicer0, vorlon, sentinel, 
oPr, Reggie, F_F, Shaolin_p, Segfau|t, NecrOmaN, Zym0t1c, l0r3, 
Preat0r, T0SH, zeroX, AreS, tips, Lacrima, GigaByte and everyone 
at #securax@irc.hexyn.be

-- t-Omicr0n @ http://t-Omicr0n.hexyn.be