|
PROBLEM: Administrator user control option is flawed and could allow root access, through a malformed command. PLATFORM: Texas Imperial Software WFTPD 3.0Pro - Microsoft Windows NT 4.0 - Microsoft Windows NT 3.5 - Microsoft Windows NT 2000 Texas Imperial Software WFTPD 2.41RC14 Pro - Microsoft Windows 3.11WfW - Microsoft Windows 3.1 - Microsoft Windows 98 - Microsoft Windows 95 - Microsoft Windows NT 4.0 - Microsoft Windows NT 3.5 - Microsoft Windows NT 2000 Texas Imperial Software WFTPD 2.41RC14 - Microsoft Windows 3.11WfW - Microsoft Windows 3.1 - Microsoft Windows 98 - Microsoft Windows 95 - Microsoft Windows NT 4.0 - Microsoft Windows NT 3.5 - Microsoft Windows NT 2000 DAMAGE: A remote attacker could compromise the system if Winsock FTPd has been installed on the same partition/drive as root. SOLUTION: Apply the upgrades as specified.
VULNERABILITY The risk is HIGH. The vulnerability has been been publicly ASSESSMENT: announced.
[****** Begin SecurityFocus Advisory ******] bugtraq id 2005 class Access Validation Error cve GENERIC-MAP-NOMATCH remote Yes local Yes published November 27, 2000 updated November 29, 2000 vulnerable Texas Imperial Software WFTPD 3.0Pro - Microsoft Windows NT 4.0 - Microsoft Windows NT 3.5 - Microsoft Windows NT 2000 Texas Imperial Software WFTPD 2.41RC14 Pro - Microsoft Windows 3.11WfW - Microsoft Windows 3.1 - Microsoft Windows 98 - Microsoft Windows 95 - Microsoft Windows NT 4.0 - Microsoft Windows NT 3.5 - Microsoft Windows NT 2000 Texas Imperial Software WFTPD 2.41RC14 - Microsoft Windows 3.11WfW - Microsoft Windows 3.1 - Microsoft Windows 98 - Microsoft Windows 95 - Microsoft Windows NT 4.0 - Microsoft Windows NT 3.5 - Microsoft Windows NT 2000 Winsock FTPd is a popular FTP server from Texas Imperial Software. A vulnerability exists in Winsock FTPd that could allow an unauthorized user to browse the root directory of the drive where Winsock FTPd has been installed. During install, Winsock FTPd allows the administrator to "Restrict to home directory and below" effectively creating a chroot jail for users. Upon logging in, a user can pass a the server a malformed change directory request that will allow any user (including anonymous) to browse the root directory and possibly retrieve/write files to the root directory on which Winsock FTPd resides. Upon connecting to the Winsock FTPd server, a user could issue the command: cd ../../ This will normally result in the message "User is not allowed to ../../" and will be returned to their chroot jail directory. If the user issues the following command: cd /../.. they will not receive the "User is not allowed to" message and will change directory to root on the drive or partition where Winsock FTPd has been installed. If the administrator has installed Winsock FTPd on the same drive or partition that contains the operating system, a remote attacker could gain access to systems files, password files, etc. that could lead to a complete system compromise. The vendor has issued the following upgrades that fix this vulnerability: Texas Imperial Software WFTPD 3.0Pro: Texas Imperial Software upgrade protr300.zip http://www.wftpd.com/downloads/protr300.zip Texas Imperial Software WFTPD 2.41RC14 Pro: Texas Imperial Software upgrade 32wfd241.zip http://www.wftpd.com/downloads/32wfd241.zip Texas Imperial Software WFTPD 2.41RC14: Texas Imperial Software upgrade wftpd241.zip http://www.wftpd.com/downloads/wftpd241.zip credit This vulnerability was first reported to Bugtraq on November 27, 2000 by Interstellar Overdrivereference message: Vulnerability in Winsock FTPD 2.41/3.00 (Pro) (Interstellar Overdrive ) web page: Texas Imperial Software Downloads (Texas Imperial Software) http://www.securityfocus.com/bid/2005 disclaimer Privacy Statement Copyright (c) 1999-2000 SecurityFocus.com [****** End SecurityFocus Advisory ******]
Voice: +1 925-422-8193 (7 x 24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@llnl.gov World Wide Web: http://www.ciac.org/ http://ciac.llnl.gov (same machine -- either one will work) Anonymous FTP: ftp.ciac.org ciac.llnl.gov (same machine -- either one will work)