List:       ntbugtraq
Subject:    @stake Security Advisory: G6 FTP File Existence Disclosure and
From:       "@stake advisories" <advisories@atstake.com>
Date:       2001-04-03 20:57:13

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                                @stake, Inc.
                              www.atstake.com

                       Security Advisory Notification

Advisory Name: G6 FTP File Existence Disclosure and Netbios Hash Retrieval
  Release Date: 04/03/2001
   Application: G6 FTP Server v2.0 (exploit and example); other applications
                vulnerable to the Netbios hash retrieval attack.
                [Note: Application has been renamed to BPFTP Server v2.10]
      Platform: Microsoft Windows 9x, NT, 2000, ME
      Severity: Enumeration of files and directories of the system,
                Windows Netbios credentials sent over the Internet to
                arbitrary hosts.
        Author: Rob Beck [rbeck@atstake.com]
Vendor Status: Vendor has fixed version available for download
           CVE: CAN-2001-0263, CAN-2001-0264
     Reference: www.atstake.com/research/advisories/2001/a040301-1.txt


Executive Summary:

I.      Gene6's G6 FTP Server fails to properly restrict access to files
outside of the ftp root directory when using the 'size' and 'mdtm' ftp
commands, if the 'show relative paths' option is not set.  Because the server
answers differently for files that exist and files that do not, these commands
can be used to gather useful information about the directory structure of
the host system.

II.     Many software vendors are enabling features within their products to
take advantage of networked computers and shared resources either on a
local area network (LAN) or across the Internet.  Almost all win32
applications now support the use of universal naming convention
(UNC) paths to access resources and files between machines running
Windows.  Many of these application vendors fail to take into account the
security threat that arises should their features be misused or their
safeguards circumvented.

Overview:

         An attacker, through the use of 'trivial' exploits, may be able to
elevate the threat level of an attack by using features in Windows
applications or service software that allow a UNC path to be
supplied.  By incorporating remote share paths into their attack methods,
attackers may have the ability to force a server into creating an
out-bound connection to hostile servers.  When the server attempts to
access the remote resource, the hostile server is able to capture
the victim computer's credentials.  These credentials could then be used
for a more critical attack on the host system.
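As an added example (not part of the advisory, and not Gene6's code), the following Python sketch shows the two server-side checks that close both issues above for a SIZE handler: confining the requested path to the ftp root with Windows path rules, and refusing UNC paths so the server never opens an outbound SMB session on a client's behalf. The ftp root, the fake filesystem contents and the handler names are constructed for the example.

```python
import ntpath

FTP_ROOT = r"C:\ftproot"

# Constructed stand-in for the server's filesystem: path -> size in bytes.
# cmd.exe lives outside the ftp root; its existence must not be observable.
FAKE_FS = {
    r"C:\ftproot\pub\readme.txt": 1024,
    r"C:\winnt\system32\cmd.exe": 236304,
}

def is_unc_path(path):
    """True for \\\\host\\share paths in either slash style. Resolving one
    would make the server connect out to 'host' over SMB and present its
    own Windows credentials (the hash retrieval issue)."""
    return path.replace("/", "\\").startswith("\\\\")

def confine_to_root(ftp_root, requested):
    """Map a client-supplied path onto the ftp root using Windows rules.
    Returns the absolute path, or None if it is UNC, names a drive, or
    normalises (via '..') to somewhere outside the root."""
    if is_unc_path(requested):
        return None
    rel = requested.replace("/", "\\").lstrip("\\")
    if ntpath.splitdrive(rel)[0]:          # e.g. C:\winnt or C:foo
        return None
    root = ntpath.normpath(ftp_root)
    full = ntpath.normpath(ntpath.join(root, rel))
    try:
        # commonpath compares case-insensitively and returns the first
        # argument's spelling, so equality means full is at or below root.
        return full if ntpath.commonpath([root, full]) == root else None
    except ValueError:                     # different drives
        return None

def size_vulnerable(requested, fs=FAKE_FS):
    """Behaviour the advisory describes: no containment check, so SIZE on
    an existing file outside the root answers 213, a missing one 550."""
    full = ntpath.normpath(ntpath.join(FTP_ROOT, requested.replace("/", "\\")))
    return (213, str(fs[full])) if full in fs else (550, "File not found")

def size_hardened(requested, fs=FAKE_FS):
    """Fixed handler: anything outside the root gets the same 550 as a
    missing file, so the reply no longer reveals whether the path exists."""
    full = confine_to_root(FTP_ROOT, requested)
    if full is None or full not in fs:
        return (550, "File not found")
    return (213, str(fs[full]))
```

The same `confine_to_root` check applies unchanged to MDTM, since the disclosure is in the reply code, not the command.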


Vendor Response:

The vendor was very responsive and has made a fixed version of the
software available within a week of being notified of the issues.

A new fixed version of the software is available, BPFTP Server v2.10
(note the software name change).  It can be downloaded from:

http://www.bpftpserver.com/download.html


Advisory Reference:

http://www.atstake.com/research/advisories/2001/a040301-1.txt

** The advisory contains additional information.  We encourage those
** affected by this issue to read the advisory.
**
** All vulnerability database maintainers should reference the above
** advisory reference URL to refer to this advisory.


Advisory policy: http://www.atstake.com/research/policy/
For more advisories: http://www.atstake.com/research/index.html
PGP Key: http://www.atstake.com/research/pgp_key.asc

Copyright 2001 @stake, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0

iQA/AwUBOso3j1ESXwDtLdMhEQJpEQCfe+A7+6/21ENQaPKbreUQYccrQ7YAn23b
pE4oQFrFeEd8/0L3+RAxrp2c
=Ngkz
-----END PGP SIGNATURE-----
