Title: Gene6 BPFTP FTP Server User Credentials Disclosure Vulnerability
Severity: HIGH
Description:
G6 FTP Server now known as BPFTP Server is an internet FTP server by Gene6.
BPFTP Server supports the use of UNC shares. UNC shares are a way for users to identify shared resources, '//' or '\\' specifies the server and '/' or '\' reveals the path to the shared resource. A UNC name format is structed similar to this: \\server\share\path\filename
A flaw in BPFTP Server could allow a user to lead the server into disclosing the credentials of the user the server is running under.
If a logged in FTP user connects to an external share and submits a malformed 'size' or 'mdtm' command, the user could force the FTP server to make an external SMB connection to a host of his choice. A likely connection would be to a malicious host expecting the connection. In order for the server to successfully connect to the host, the server would have to provide the login credentials of the user the server is running under. A password hash is sent across the external connection to the host. This information could easily be captured by a third party network utility listening for internal and external traffic on the host. The captured password hash could be resolved into the username and password.
If an attacker successfully exploited this vulnerability it could assist in further attacks against the host, and possibly lead to complete comprimise of the host.
Affected Products:
- Gene6 G6 FTP Server 2.0.0
References:
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
