COMMAND

    SmartFTP-D

SYSTEMS AFFECTED

    SmartFTP-D Server

PROBLEM

    Moritz Jodeit found a bug in the SmartFTP-D Server which gives an
    attacker full access to the server if he has the right to write
    files on the server.  For every user, the program checks whether
    a special user file exists (sample: Username=hacker &
    Userfile=hacker.FTP_User).  If it exists, the configuration, such
    as password, rights, etc., is read out of this file.

    The program doesn't check for bad characters, so by using "..\"
    you can switch to other directories.  If an attacker has an
    account on the machine where he can write files, he can use this
    to get full access to the whole machine!  Let's take this example:
    the upload directory is D:\Upload and SmartFTP-D is installed in
    D:\Program Files\SmartFTP Daemon.  An attacker would upload a
    file called exploit.FTP_User, which includes his own password and
    the rights he wishes to have.  If he now uses the Username
    "..\..\..\..\..\Upload\exploit", his uploaded user file will be
    used and he can log in.
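    The root cause is that the username is concatenated straight into
    the path of the user file.  The following is an added example (not
    SmartFTP-D code) that models the flawed lookup next to a hardened
    one: the hardened version only accepts a plain username token and,
    as a second check, verifies that the resolved path still lies
    inside the configuration directory.  The install and upload paths
    are the ones from the advisory; ntpath is used so the Windows path
    semantics can be reproduced on any platform.

```python
import re
import ntpath
from typing import Optional

# Install directory from the advisory (assumed to also hold the user files).
CONFIG_DIR = r"D:\Program Files\SmartFTP Daemon"
USERFILE_SUFFIX = ".FTP_User"


def vulnerable_userfile_path(username: str) -> str:
    """Models the flaw: the username goes straight into the file path,
    so '..\\' components walk out of CONFIG_DIR."""
    return ntpath.normpath(ntpath.join(CONFIG_DIR, username + USERFILE_SUFFIX))


# A username must start with a letter, digit or underscore and may only
# contain characters that can never act as path separators or parents.
_USERNAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$")


def is_inside_config_dir(candidate: str) -> bool:
    """Second line of defence: the normalised path must stay below
    CONFIG_DIR (case-insensitive, as on Windows)."""
    base = ntpath.normcase(CONFIG_DIR).rstrip("\\") + "\\"
    return ntpath.normcase(ntpath.normpath(candidate)).startswith(base)


def safe_userfile_path(username: str) -> Optional[str]:
    """Hardened lookup: returns the user file path, or None when the
    username is rejected.  Callers should log a rejected name as a
    suspicious login attempt rather than fall back to another file."""
    if not _USERNAME_RE.fullmatch(username):
        return None
    candidate = ntpath.normpath(ntpath.join(CONFIG_DIR, username + USERFILE_SUFFIX))
    if not is_inside_config_dir(candidate):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample usernames: one normal, one using the traversal
    # pattern described in the advisory.
    for name in ("hacker", r"..\..\..\..\..\Upload\exploit"):
        print(f"{name!r:40} vulnerable -> {vulnerable_userfile_path(name)}")
        print(f"{name!r:40} hardened   -> {safe_userfile_path(name)}")
```

    Note that the allow-list on the username is the primary control;
    the containment check only catches what a future loosening of the
    pattern might let through, and it must be applied to the
    normalised path, since a raw string comparison would still accept
    "..\" sequences.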

SOLUTION

    Mindstorm networks  has been  informed about  this bug  and a  fix
    should be available soon.