COMMAND

    Broker FTP

SYSTEMS AFFECTED

    Broker FTP 4.7.5.0 (others are probably vulnerable too)

PROBLEM

    Astral [astral@403-security.org] found  following.  Broker  FTP is
    powerful FTP server which runs on Windows platform, it is possible
    to administer it trough Web browser.

    Broker FTP is vulnerable to two very dangerous attack.  First  one
    allows  attacker  to  browse  servers  whole disk while second one
    allows attacker to fetch passwords and account information easily.
    Also  in  log  files  password  is  written (in plain-text, but it
    shouldn't be written in it anyway !?).

    1st problem
    ===========
    Anyone  including  anonymous  can  browse  whole server disk, very
    simply.  Example:

        Connected to 127.0.0.1.
        220 FTP Server ready [***]
        User (127.0.0.1:(none)): anonymous
        331 Password required for anonymous.
        Password: anything

        230 User anonymous logged in.

        ftp> ls x:\

    where x is letter of hard drive you want to browse.

    2nd problem
    ===========
    Administrator password is stored in %%WinDir%% \BrokerProfiles.Dat
    in  plain-text  format  (it  could  be  ROT13 encrypted at least).
    Other accounts and user  information (rights, telephone, fax  ...)
    are stored in %%ProgramDir%%\Data\Users in following format:

        username|passwd|30.12.1899|30.12.1899|homedir||name|fax|phone|address||0|rights|0|login message|logoff message|Maximum transfer speed

    RIGHTS are stored in this format:

        xxxxxxxxxxx

    If x is 1 then user has access  to that feature and if it 's 0  it
    doesn't.

        1st number: User Can ZIP files on remote computer
        2nd number: user can UNZIP files on remote server
        3rd number: User can COPY files on remote server
        4th number: User can EXECUTE files on remote server
        5th number: User can CHANGE PASSWORD on server
        6h number: User can DOWNLOAD files
        7th number: User can Upload Files
        8th number: User can CREATE DIRECTORIES
        9th number: User can REMOVE DIRECTORIES
        10th number: User can DELETE files

SOLUTION

    Vendor  has  issued  a  new  version  to  fix  this  two problems.
    Download:

        NT/2000: http://www.transsoft.com/broker/updates/broker40nt.exe
        Win95/98: http://www.transsoft.com/broker/updates/broker40b.exe