
MiniPortal FTP remote compromise
11th Feb 2002 [SBWID-5087]

	MiniPortal remote compromise


	MiniPortal v1.1.5 on Win2k


	Strumpf Noir Society says:

	The FTP server that ships with MiniPortal contains multiple
	vulnerabilities which could be exploited by an attacker to obtain user
	account information, gain read access to any file on the local hard
	disk, and which could lead to arbitrary code execution.

	MiniPortal Plaintext Account and Session Data


	MiniPortal stores its account information in plaintext .pwd files in
	the miniportal/apache directory. Full login and session data is also
	stored in plaintext in the file miniportal/mplog.txt. By retrieving
	these files, either through physical access to the system or by abusing
	the directory traversal problem described below, elevated privileges
	could be obtained on the system in question.

	MiniPortal Directory Traversal Vulnerability


	The FTP server supplied with MiniPortal does not properly restrict
	access to files outside of the user directory. By using a 'triple
	dot' notation ('.../file.ext') an attacker can break out of this
	directory and obtain read access to any file on the local disk. (This
	vulnerability only seems to work on WinNT/Win2k server systems.)
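
A server-side check that closes this class of bug, as an added example (not MiniPortal's code and not part of the advisory): it maps an FTP path argument to a file under the user's root and rejects dot-run components such as '...' outright instead of trying to interpret them. The root path and the names `resolve_ftp_path` and `PathRejected` are assumptions made for illustration.

```python
import ntpath  # Windows path rules, usable on any platform

ROOT = r"C:\ftproot\alice"  # constructed per-user root, not from the advisory


class PathRejected(ValueError):
    """Raised when a client-supplied path must not be served."""


def resolve_ftp_path(root, cwd, arg):
    """Map an FTP path argument to a file under root, or raise PathRejected.

    cwd is the session's virtual directory ("/" is the user root).
    """
    virtual = arg if arg[:1] in ("/", "\\") else cwd + "/" + arg
    stack = []
    for part in virtual.replace("\\", "/").split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if not stack:
                raise PathRejected("escapes user root: %r" % arg)
            stack.pop()
            continue
        if set(part) == {"."}:
            # "..." and longer dot runs: the notation from the advisory
            raise PathRejected("multi-dot component: %r" % arg)
        if part[-1] in ". " or ":" in part:
            # Win32 strips trailing dots/spaces; ":" means drive or stream
            raise PathRejected("ambiguous component: %r" % part)
        stack.append(part)
    full = ntpath.normpath(ntpath.join(root, *stack))
    # Second check on the final path, independent of the parsing above
    base = ntpath.normcase(ntpath.normpath(root))
    if stack and not ntpath.normcase(full).startswith(base + "\\"):
        raise PathRejected("outside user root: %r" % arg)
    return full
```

The function only decides which path may be opened; the file should then be opened by exactly the string it returns, so that no later layer reinterprets the client's original argument.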

	MiniPortal Login Buffer Overflow Vulnerability


	Due to improper bounds checking, a buffer overflow condition exists in
	one of the logging routines of the FTP server. It can be triggered by
	supplying the server with overly long (>4093 bytes) input at login.
	Besides crashing the FTP server, this can be exploited to execute
	arbitrary code on the system.


	Update to MiniPortal v1.1.6 :

