COMMAND

    G6 FTP

SYSTEMS AFFECTED

    G6 FTP Server up to version 2.0

PROBLEM

    The following is based on Hexyn/Securax Advisory #15.  G6 FTP Server
    is a popular FTP server for Windows 9x/NT.  A bug allows any user
    to change to the directory G6 was installed in.  Thanks to
    otherwise careful programming, the only way to exploit this bug is
    to view the full installation path.  Downloading the user file
    (Users.ini) is impossible.

    When sent the command "CWD ..:/.." (or "cd ..:/.." in the default
    UNIX FTP client), G6 FTP tries to change to the installation
    directory but returns a "Forbidden" error.  When sent the command
    "DELE ..:/unexisting_file" (or "delete ..:/fuck_him" in the
    client), however, G6 returns an error message containing the full
    path.

        [t-Omicr0n@10c41b0x:~]$telnet
        telnet> open 31.3.3.7 21
        Trying 31.3.3.7...
        Connected to 31.3.3.7.
        Escape character is '^]'.
        220 t-Omicr0n FTP Server by G6 FTP Server ready ...
        user anonymous
        331 Anonymous logins allowed. Please use full email as password.
        pass me@me.com
        230 User anonymous logged in.
        => dele ..:/unexisting_file<newline>
        550 '/C:/Program Files/G6 FTP Server/unexisting_file': no such file or
        directory.

    Because of the ":", G6 thinks you want to change to another drive.
    But because two characters are used to specify the drive (dd:/
    instead of d:/), G6 panics and goes directly to the c:\ drive.
    Since you are already on the C drive, in the program directory to
    be exact, it changes to that directory.  So now we know we are in
    the program directory, and any mistake that produces an error
    message with the path included reveals the full path of the
    program directory.

    - "Show Relative Path" must be OFF.  (It is off by default, but
      some say it is a violation of the server's privacy, so some
      admins turn it on.)
    - BUT: due to another bug in G6 FTP Server, when your users have
      to be able to change disks, admins have to keep this off,
      otherwise it is impossible to change to another drive.
    - As far as tested, this only works with the DELE and RNFR
      commands.  The others (RETR, APPE, ...) give a "550: Permission
      Denied" error without the path.  But DELE is all we need.

SOLUTION

    There is a temporary solution: when the option "Show Relative
    Path" is checked, G6 FTP will not give out the full path.  No
    patch is available at this time.
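
    To check whether a server is still affected after changing the
    option, its FTP session logs can be audited for the two signs
    described above.  The following is an added example, not part of
    the advisory or of G6's own code; the "C>"/"S>" log format, the
    function names and the sample lines are assumptions constructed
    for illustration.

```python
import re

# Path-taking commands named in the advisory.
PATH_CMDS = {"CWD", "DELE", "RNFR", "RETR", "APPE"}
# Absolute Windows path inside a reply, e.g. '/C:/Program Files/...'
ABS_PATH = re.compile(r"[A-Za-z]:[/\\][^'\"]*")


def bogus_drive(cmd_line):
    """True if a path argument has a 'drive' part that is not one letter."""
    verb, _, arg = cmd_line.strip().partition(" ")
    if verb.upper() not in PATH_CMDS or ":" not in arg:
        return False
    # Text between the last path separator and the first ":" (".." in "..:/x").
    drive = re.split(r"[/\\]", arg.split(":", 1)[0])[-1]
    return re.fullmatch(r"[A-Za-z]", drive) is None


def leaked_path(reply_line):
    """Return the absolute path exposed by a 4xx/5xx reply, else None."""
    if not re.match(r"[45]\d\d[ -]", reply_line):
        return None
    m = ABS_PATH.search(reply_line)
    return m.group(0) if m else None


def audit(log_lines):
    """Scan a session log and list (kind, detail) findings in order."""
    findings = []
    for line in log_lines:
        tag, _, text = line.partition(" ")
        if tag == "C>" and bogus_drive(text):
            findings.append(("bogus-drive", text))
        elif tag == "S>" and leaked_path(text):
            findings.append(("path-leak", leaked_path(text)))
    return findings


SAMPLE = [  # constructed log lines; reply wording is illustrative
    "C> CWD ..:/..",
    "S> 550 Forbidden.",
    "C> DELE ..:/unexisting_file",
    "S> 550 '/C:/Program Files/G6 FTP Server/unexisting_file': no such file or directory.",
    "C> RETR d:/pub/readme.txt",
    "S> 150 Opening data connection.",
]

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE):
        print(kind, "->", detail)
```

    With "Show Relative Path" checked, the same audit should report
    no "path-leak" findings.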