COMMAND

    Surge FTP Server

SYSTEMS AFFECTED

    Surge FTP Server 2.0a

PROBLEM

    The following is based on advisory ID0301061701 by Siberian of Sentry
    Research Labs.  Surge FTP Server  is US$385 FTP server software  from
    Netwin that ships with several features, including a web interface.

    Issue:
    1.) A simple directory traversal bug allows listing of files that are
        normally inaccessible (outside the FTP root).
    2.) The FTP service lets anybody DoS the machine with the  well-known
        con/con  attack:  the  server  passes  a path made of DOS  device
        names through to the operating system, which chokes on it.

    Exploit:
    1.) Connect to the server as anonymous and type "nlist ..."
    2.) Connect to the server as anonymous and type  "cd con/con"  (yes,
        this is well known and works against MANY other servers too, but
        we think it should be filtered).

    CON/CON is easy to avoid: you just filter on CON/CON.  But then  you
    also have to consider _every_  other DOS device name  (MS calls  them
    DDNs in the KB articles that reference them) that is, or could be, on
    your system.  CLOCK$, for instance, can be used instead of CON, as can
    AUX, PRN, LPT1-9, etc.  Note also that Windows  matches  these  names
    case-insensitively, and a name still resolves to the device when  an
    extension is appended ("con.txt") or trailing dots and spaces  follow
    it, so a filter that only compares whole components literally is  not
    enough.
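    The following is an added example, not code from Netwin or from the
    Sentry advisory, showing the kind of argument check that addresses
    both issues above before an FTP server touches the filesystem.  The
    function names (check_ftp_path, handle_command) and the FTP command
    strings fed to it are constructed for illustration.  It rejects any
    path component that resolves to a DOS device name (including the
    extension and trailing-dot forms) and any component made only of
    dots, because Windows 9x interprets "..." as more than one parent
    step, so plain lexical normalisation of ".." is not sufficient.

```python
import re

# Windows reserved device names.  CON, PRN, AUX, NUL, COM1-9 and LPT1-9 are
# documented by Microsoft; CLOCK$ is the Windows 9x clock device named in the
# advisory.  A name matches even with an extension ("con.txt") and with
# trailing spaces or dots, which Windows silently strips.
RESERVED_DEVICE_NAMES = {"CON", "PRN", "AUX", "NUL", "CLOCK$"}
RESERVED_DEVICE_NAMES |= {f"COM{i}" for i in range(1, 10)}
RESERVED_DEVICE_NAMES |= {f"LPT{i}" for i in range(1, 10)}


def is_reserved_device_name(component: str) -> bool:
    """True if a single path component would resolve to a DOS device."""
    stem = component.rstrip(" .").split(".", 1)[0].rstrip(" ")
    return stem.upper() in RESERVED_DEVICE_NAMES


def is_traversal_component(component: str) -> bool:
    """True for '..', '...', and longer runs of dots.  Windows 9x treats a
    run of N dots as N-1 parent-directory steps, so '...' must be refused
    outright rather than normalised."""
    return len(component) >= 2 and set(component) == {"."}


def check_ftp_path(path: str):
    """Return (ok, reason).  Splits on both separators because Windows
    accepts either one in FTP arguments.  (Hypothetical helper.)"""
    for component in re.split(r"[\\/]+", path):
        if not component or component == ".":
            continue
        if ":" in component:  # drive letters (C:) and NTFS streams (f:s)
            return False, f"colon in component {component!r}"
        if is_traversal_component(component):
            return False, f"traversal component {component!r}"
        if is_reserved_device_name(component):
            return False, f"reserved device name {component!r}"
    return True, ""


def handle_command(line: str) -> str:
    """Minimal dispatcher for the commands in the advisory (hypothetical).
    The ftp client's "nlist" sends NLST on the wire and "cd" sends CWD;
    the argument is checked before any filesystem access."""
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()
    if verb in ("NLST", "LIST", "CWD", "RETR", "STOR", "DELE", "MKD", "RMD"):
        ok, reason = check_ftp_path(arg)
        if not ok:
            return f"550 Path rejected: {reason}"
        return f"250 {verb} accepted for {arg!r}"
    return "502 Command not implemented"


if __name__ == "__main__":
    # Constructed sample commands: the two from the advisory plus variants
    # that a filter matching only the literal string "con/con" would miss.
    for cmd in ("NLST ...", "CWD con/con", "CWD Clock$/x", "RETR aux.c",
                "RETR pub/readme.txt"):
        print(f"{cmd!r:24} -> {handle_command(cmd)}")
```

    A server that filters this way still cannot stop the host OS from
    misbehaving on device names reached by other routes; the check only
    keeps the FTP daemon from being the one that hands such a path over.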

SOLUTION

    Update to version 2.0b, available from www.netwinsite.com/surgeftp.