● WFTPD 3.00 R5 目录遍历/缓冲区溢出/拒绝服务. - 荔园在线 | 深圳大学学生论坛,荔园晨风BBS,深大在线网站

荔园之美，在春之萌芽，在夏之绽放，在秋之收获，在冬之沉淀

发信人: lvyou (让一切随风沉默), 信区: Security
标  题: WFTPD 3.00 R5 目录遍历/缓冲区溢出/拒绝服务.
发信站: 荔园晨风BBS站 (Sun May 27 19:00:04 2001), 转信

发信人: scz (小四), 信区: Security
标  题: WFTPD 3.00 R5 目录遍历/缓冲区溢出/拒绝服务
发信站: 武汉白云黄鹤站 (2001年05月27日16:01:14 星期天), 转信

WFTPD 32-bit (X86) 3.00 R5 Directory Traversal / Buffer Overflow / DoS

WFTPD 32-bit (X86) 3.00 R5 Directory Traversal /
Buffer Overflow / DoS

AFFECTED SYSTEMS

WFTPD 32-bit (X86) version 3.00 R5 on Windows 95 / 98
/ SE / ME is vulnerable to a directory traversal, all
versions of windows are likely to be vulnerable to the
buffer overflow / DoS

DESCRIPTION

1) Directory Traversal
(for the examples given here, I used windows' FTP.EXE
program as the client, most commands are not the ones
interpreted by the ftp server, but commands to
FTP.EXE, actually LS would be LIST, ls woul be NLST,
CD would be CWD, LS -d would be LIST -d, etc...)

WFTPD v3.00 R5 is vulnerable to a directory traversal
bug that allows remote users to browse through any
directory on the victim's harddrive. This is possible
by sending the command :

CD .../

as much as needed to go up in the directory tree then
you can map out the current directory contents via

LS

and dive into the subdirs with CD, using GET to
retrieve the files of your liking as the permissions
seem to be incorrect... I think you also have rite
access... ouchy

2) Buffer Overflow / DoS
WFTPD also contains a buffer overflow condition when
trying to map out a directory containing a very long
filename, that can be combined with our path full of
dots : an internal buffer overflow will overwrite some
registers at about 250 chars. Users that have write
access (to their home dir for example, default
permission) can create a special 'overflow' file, and
then map out the directory using LS, effectively
causing a DoS. The buffer overflow may be exploitable
and be used to gain access to the remote host.

The bug can be reproduced by placing a file with a
very long filename (about 255 chars) in the
rootdirectory, then making a homedirectory for one
user that has a filename of let's say 20 chars. Then
if the user logs in, and does something like this :

CD
.................................................................../
CD homedir
LS

or even easier :
just doing something like
CD ............../
LS
CD
.......................................................................
......
......../
LS
CD ......................................./
LS

etc... will make wftpd crash eventually, as the dots
always get appended to the buffer. I have tested this
bug on Windows 98.

I also found a similar buffer overflow (at another
place) when doing this :

MKDIR
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
CD
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
LS -d

(the homedir of the user was C:\RESTRICTED\, this also
might affect the buffer overflow results) As you can
see, here, the directory traversal bug is not needed,
hence it is likely to work under NT / 2k...

WORKAROUND

The vendor has found a workaround for the directory
traversal bug and put the following information on
their site (www.wftpd.com) :

"
5/24/2001 - Directory traversal vulnerability -
Windows 95, 98, ME.

As noted in the "What's New" section of our most
recent version, 3.00 R5, there is indeed an effect on
WFTPD's behaviour caused by the new path name
expansion code.  On Windows 95, 98, and ME, the string
"..." is understood by the operating system to mean
"up two directories" - this is not curently expanded
out in our code, and is hence passed into the
operating system, leading to the ability of a user to
venture outside of his/her restrictions, and possibly
to touch files not in accordance with defined rights.
Again, as noted in the "What's New" section of our
help file, this can be disabled by adding the entry
"GFPNMethod=0" to your WFTPD.INI file, in the
"[Server]" section.  If you do not have a "[Server]"
section, then it can be created anywhere in the file.
Do not create two sections labled "[Server]", as only
the first will be accessed.

Thanks go to joetesta for reporting this problem to
me.  Byterage also reported this problem to the
bugtraq mailing list, but did not contact me first,
which I consider to be impolite at best. Because there
is a valid workaround with no functional change, we
will not be releasing a new version of the software to
cover this vulnerability.  WFTPD and WFTPD Pro are not
vulnerable on Windows NT or 2000, either with or
without the GFPNMethod setting."

======================================================[ByteRage]
<byterage@yahoo.com> [www.byterage.cjb.net]
======================================================

--

            也许有一天，他再从海上蓬蓬的雨点中升起，
            飞向西来，再形成一道江流，再冲倒两旁的石壁，
            再来寻夹岸的桃花。然而，我不敢说来生，也不敢信来生......
※ 来源:·武汉白云黄鹤站 bbs.whnet.edu.cn·[FROM: 166.111.4.19]

--

   ┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
   ┃         是什么缘份，让我们相遇的一起？生命的转折就是这么奇妙。       ┃
   ┃   惜    我们又解逅在不可预知的现在，悄然相遇是多么欢喜。        缘   ┃
   ┃         请珍惜我们彼此拥有的此刻，让我好好倾听你的细语……           ┃?
   ┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛

※ 来源:·荔园晨风BBS站 bbs.szu.edu.cn·[FROM: 192.168.28.29]

荔园在线首页友情链接：深圳大学深大招生荔园晨风BBS S-Term软件网络书店