dna-1999-002.htm

Posted Dec 13, 1999
Authored by Erik Iverson | Site dragonmount.net

Dragonmount Networks Advisory - DNA1999-002 Fictional Daemon (an FTP and telnet server) contains several security problems including possible DOS attacks, probably remote execution of code, and poor logging practices. In addition, any user with write permission can retrieve or delete any file on the system, even above the root directory.

tags | remote, root
MD5 | 3a3e9fa343f2f073618efe2afd019522

<!DOCTYPE HTML PUBLIC "html.dtd">
<HTML>

<HEAD>
<META CONTENT="text/html; charset=windows-1252" HTTP-EQUIV="Content-Type">
<META NAME="GENERATOR" CONTENT="Microsoft FrontPage 4.0">
<META NAME="ProgId" CONTENT="FrontPage.Editor.Document">
<TITLE>DNA</TITLE>
<LINK TYPE="text/css" REL="stylesheet" HREF="http://www.dragonmount.net/styles.css">

<META NAME="Microsoft Border" CONTENT="tb, default"></HEAD>

<BODY><!-- msnavigation--><TABLE WIDTH="100%" CELLSPACING="0" BORDER="0" CELLPADDING="0"><TR><TD>



</TD></TR><!-- msnavigation--></TABLE><!-- msnavigation--><TABLE WIDTH="100%" CELLSPACING="0" CELLPADDING="0" BORDER="0"><TR><!-- msnavigation--><TD VALIGN="top">

<TABLE WIDTH="750" CELLSPACING="0" CELLPADDING="0" BORDER="0">
<TR>
<TD WIDTH="140" VALIGN="top" ALIGN="right"><!-- webbot bot="Include" u-include="../nav-sec.htm" tag="BODY" startspan -->
<P>&nbsp;</TD>
<TD WIDTH="17" VALIGN="top" ALIGN="center"><IMG WIDTH="1" SRC="http://www.dragonmount.net/images/orangepixel.gif" HEIGHT="100%" BORDER="0"></TD>
<TD VALIGN="top">
<H1 CLASS="sec-H1">DNA 1999-002: Fictional Telnet/FTP Daemon</H1>
<P CLASS="sec-text">'Tis the season for DOS attacks and the like against
closed source Windows servers, especially ones of the telnet, ftp
and e-mail variety. Here's one more.</P>
<P CLASS="sec-H2">Vendor:</P>
<P CLASS="sec-text"><A HREF="http://www.fictional.net/" CLASS="sec">Fictional.net</A></P>
<P CLASS="sec-H2">Vendor Status:</P>
<P CLASS="sec-text"><B>December 10, 1999:</B> We notified the vendor of
the issues.</P>
<P CLASS="sec-H2">Program:</P>
<P CLASS="sec-text">Fictional Daemon (Telnet/FTP Daemon)<BR>
Version 3.1 (Possibly/Probably previous versions)</P>
<P CLASS="sec-H2">Platforms:</P>
<P CLASS="sec-text">All versions of 32-bit Windows</P>
<P CLASS="sec-H2">Risk:</P>
<P CLASS="sec-text">High</P>
<P CLASS="sec-H2">Problem:</P>
<P CLASS="sec-text">Several problems including possible DOS attacks,
probably remote execution of code, and poor logging practices. In
addition, any user with write permission can retrieve or delete any file
on the system, even above the root directory. </P>
<P CLASS="sec-H2">Solution:</P>
<P CLASS="sec-text">Users: Cease use of this program until a fix is
available from the vendor. </P>
<P CLASS="sec-text">Vendor: Do bounds checking on the CMD command. Do
better permission checking on the FTP server, including directory
traversal checking. Do not log the password from invalid login attempts;
the invalid username and the source IP should suffice.</P>
<P CLASS="sec-H2">Details:</P>
<P CLASS="sec-text">1) Denial of Service: Users who are allowed Execution
privileges on the telnet server can perform a denial of service attack
against the server and machine. By using the "CMD" command,
which allows the remote execution of programs, users can send a long
string and crash the server and/or machine. Send the CMD command followed
by roughly 10000 characters (multiple times in a row helps). Each one of
these "CMD" commands will spawn a DOS box on the server machine
with an invalid instruction fault. The effects of this are rather
sporadic, ranging from the Blue Screen of Death to sending the server into
"not responding" mode, thus denying connections.</P>
<P CLASS="sec-text">2) Logging practices are poor. Upon receiving a bad
username/password, the combination is logged to a file in plain text. Users
with console access to the machine may retrieve this file (in the default
installation directory), but an even bigger problem with this is described
next. The reason it is bad to log these things at all, especially in plain
text, is that people who view the file will see passwords that may have
been off by one or two characters and will easily be able to guess the
user's passwords. This, combined with the next vulnerability, makes for a bad
combination.</P>
<P CLASS="sec-text">3) It appears that even if the root is set at a
certain directory, no checking is done on either a RETR (get) or a DELE
(delete) command. Using a non-administrator account, I was able to
retrieve and delete files in the C:\ root of my file system, when I had
specified the program's installation directory as my FTP root. This is
obviously not a good thing, as users who know the name of files (e.g.,
common system files) can retrieve or delete them. This includes the log
file along with any sensitive information stored on the system.</P>
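<P CLASS="sec-text">The traversal checking the Solution section asks for, and that issue 3 shows missing for RETR and DELE, comes down to resolving every client-supplied path against the configured root before touching the disk. The following is an added example written for this page, not Fictional Daemon's code; the root path, the '/'-separated virtual FTP namespace and the function names are assumptions.</P>

```python
"""Added example (not Fictional Daemon code): confine RETR/DELE targets
to the configured FTP root.  Virtual FTP paths use '/'; the virtual root
maps onto a Windows directory, so PureWindowsPath keeps this OS-neutral."""
from pathlib import PureWindowsPath


class PathEscapesRoot(Exception):
    """Raised when a client path would resolve outside the FTP root."""


def resolve_in_root(ftp_root: str, cwd: str, requested: str) -> PureWindowsPath:
    """Map a client path to a disk path that is ftp_root or below it.

    ftp_root:  on-disk root, e.g. r'C:\\FictionalDaemon\\ftproot' (constructed)
    cwd:       client's virtual working directory, '/' for the root
    requested: argument of RETR/DELE, relative to cwd or absolute ('/...')
    """
    if "\x00" in requested:
        raise PathEscapesRoot("NUL byte in path")
    # Treat both separators alike.  A drive spec (C:), an alternate data
    # stream (file:stream) or a UNC prefix must never come from the client.
    raw = requested.replace("\\", "/")
    if ":" in raw or raw.startswith("//"):
        raise PathEscapesRoot("drive, stream or UNC path rejected: %r" % requested)
    base = "" if raw.startswith("/") else cwd.replace("\\", "/")
    stack = []
    for part in (base + "/" + raw).split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if not stack:  # popping past the virtual root is the bug in issue 3
                raise PathEscapesRoot("traversal above root: %r" % requested)
            stack.pop()
            continue
        stack.append(part)
    root = PureWindowsPath(ftp_root)
    target = root.joinpath(*stack)
    # Defence in depth: the joined result must still be root or under it
    # (PureWindowsPath compares case-insensitively, as NTFS does).
    if target != root and root not in target.parents:
        raise PathEscapesRoot("resolved outside root: %s" % target)
    return target


def is_confined(ftp_root: str, cwd: str, requested: str) -> bool:
    """True if the request would be served, False if it is rejected."""
    try:
        resolve_in_root(ftp_root, cwd, requested)
        return True
    except PathEscapesRoot:
        return False
```

Names with Windows-specific quirks (reserved device names such as CON, trailing dots or spaces) still need their own checks before the path reaches the filesystem.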
<P CLASS="sec-text">Release: December 10, 1999<BR>
<BR>
Dragonmount Networks Advisory 1999-002 [DNA-1999-002]<BR>
Erik Iverson<BR>
<A HREF="mailto:erik@dragonmount.net" CLASS="sec">erik@dragonmount.net</A><BR>
<A HREF="http://www.dragonmount.net/" CLASS="sec">http://www.dragonmount.net</A><BR>
</TD>
</TR>
</TABLE>
&nbsp;

<!-- msnavigation--></TD></TR><!-- msnavigation--></TABLE><!-- msnavigation--><TABLE WIDTH="100%" CELLSPACING="0" CELLPADDING="0" BORDER="0"><TR><TD>

<TABLE WIDTH="750" CELLSPACING="0" CELLPADDING="0" BORDER="0">
<TR>
<TD WIDTH="25"></TD>
<TD WIDTH="718">
<P CLASS="footertext" ALIGN="center">This page was last modified Friday, December 10, 1999<BR>
Copyright 1999 Dragonmount Networks. All rights reserved.<BR>
<A HREF="http://www.dragonmount.net/privacy_usage.html" CLASS="navlink">Privacy and Usage Policy</A>.
Questions or comments? <A HREF="http://www.dragonmount.net/contact.htm" CLASS="navlink">Contact us</A>.<BR>
</TD>
</TR>
</TABLE>
<P>&nbsp;

</TD></TR><!-- msnavigation--></TABLE></BODY>

</HTML>
