Title: Broker FTP unauthorized directory browsing
Released by: 403-security
Date: 22nd November 2000
*********************************************************************
403-SECURITY advisory
*********************************************************************



Issue: Broker FTP unauthorized directory browsing and plain text password storing



Author: Astral [astral@403-security.org]



Discovered: 07.11.2000

Published: 22.11.2000

Version: 4.7.5.0 (others are probably vulnerable too)

Vendor: TransSoft



I. Description:

Broker FTP is a powerful FTP server that runs on the Windows platform. It can be administered through a Web browser.



II. Problem:

Broker FTP is vulnerable to two very dangerous attacks. The first allows an attacker to browse the server's whole disk, while the second allows an attacker to fetch passwords and account information easily.

The password is also written to the log files (in plain text, but it shouldn't be written there anyway !?).



NOTE: We take no responsibility for damage caused by this example.



III. 1st problem

Anyone, including the anonymous user, can browse the server's whole disk very simply.

Example:

Connected to 127.0.0.1.
220 FTP Server ready [***]
User (127.0.0.1:(none)): anonymous
331 Password required for anonymous.
Password: anything
230 User anonymous logged in.
ftp> ls x:\

where x is the letter of the hard drive you want to browse.



IV. 2nd problem

The administrator password is stored in %%WinDir%%\BrokerProfiles.Dat in plain-text format (it could be ROT13 encrypted at least ;-) )

Other accounts and user information (rights, telephone, fax ...) are stored in %%ProgramDir%%\Data\Users in the following format:

username|passwd|30.12.1899|30.12.1899|homedir||name|fax|phone|address||0|rights|0|login message|logoff message|Maximum transfer speed



RIGHTS are stored in this format:

xxxxxxxxxxx

If x is 1 the user has access to that feature, and if it is 0 the user does not.

1st number: User can ZIP files on remote computer
2nd number: User can UNZIP files on remote server
3rd number: User can COPY files on remote server
4th number: User can EXECUTE files on remote server
5th number: User can CHANGE PASSWORD on server
6th number: User can DOWNLOAD files
7th number: User can UPLOAD files
8th number: User can CREATE DIRECTORIES
9th number: User can REMOVE DIRECTORIES
10th number: User can DELETE files
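
An administrator reviewing an existing installation can decode these records to see which accounts carry a stored plain-text password or sensitive rights. The following is an added example, not part of the original advisory or the vendor's code: the function names, the choice of which rights count as high risk, and the sample records are assumptions, while the field positions come from the layout quoted above.

```python
# Added example: audit Broker FTP user records in the pipe-separated layout
# quoted in the advisory. The sample records below are constructed.
RIGHTS = ["ZIP", "UNZIP", "COPY", "EXECUTE", "CHANGE PASSWORD", "DOWNLOAD",
          "UPLOAD", "CREATE DIRECTORIES", "REMOVE DIRECTORIES", "DELETE"]
# Which rights count as high risk is this example's assumption, not the advisory's.
HIGH_RISK = {"EXECUTE", "UPLOAD", "REMOVE DIRECTORIES", "DELETE"}
RIGHTS_FIELD = 12  # username=0, passwd=1, homedir=4, rights=12 in the quoted layout

def parse_record(line):
    """Decode one record; the stored password value is never returned."""
    fields = line.rstrip("\r\n").split("|")
    if len(fields) <= RIGHTS_FIELD:
        raise ValueError("expected more than %d fields, got %d"
                         % (RIGHTS_FIELD, len(fields)))
    bits = fields[RIGHTS_FIELD]
    if not bits or set(bits) - {"0", "1"}:
        raise ValueError("rights field is not a 0/1 string: %r" % bits)
    return {
        "username": fields[0],
        "password_stored": bool(fields[1]),
        "homedir": fields[4],
        "granted": [name for name, bit in zip(RIGHTS, bits) if bit == "1"],
        # The advisory names 10 positions; anything beyond them stays undecoded.
        "unnamed_bits": bits[len(RIGHTS):],
    }

def audit(lines):
    """Return (findings, errors): accounts needing review and unparseable lines."""
    findings, errors = [], []
    for number, line in enumerate(lines, 1):
        try:
            rec = parse_record(line)
        except ValueError as exc:
            errors.append((number, str(exc)))
            continue
        risky = [r for r in rec["granted"] if r in HIGH_RISK]
        if rec["password_stored"] or risky:
            findings.append((rec["username"], rec["password_stored"], risky))
    return findings, errors

SAMPLE = [  # constructed records, not taken from a real server
    r"alice|CONSTRUCTED|30.12.1899|30.12.1899|D:\ftp\alice||Alice Example|||||0|00011110010|0|Welcome|Bye|0",
    r"anonymous||30.12.1899|30.12.1899|D:\ftp\pub||Guest|||||0|00000100000|0|||0",
    "truncated|record",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE)[0]:
        print(finding)
```

Each finding lists the account name, whether a password value is present in the file, and the high-risk rights it holds; lines that do not match the layout are returned separately instead of being silently skipped.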



V. Fix

The vendor has issued a new version to fix these two problems.

Download:

NT/2000:    http://www.transsoft.com/broker/updates/broker40nt.exe
Win95/98:   http://www.transsoft.com/broker/updates/broker40b.exe

{Vendor was extremely friendly and professional}



This advisory is RFPolicy [http://www.wiretrip.net/rfp/policy.html] compatible







