I found a bug in the SmartFTP-D Server which will give an attacker full
access to the server, if he has the right to write files on the server. For
every user, the program is checking if a special Userfile exists (Sample:
Username=hacker & Userfile=hacker.FTP_User). If it exists, the configuration,
like password, rights, etc. will be read out of this file. The program doesn't
check for bad characters, so by using "..\" you can switch to other
directorys. If an attacker has an account on the machine, where he can write files,
he can use this to get full access to the whole machine! Let's take this
example: Upload directory is D:\Upload and SmartFTP-D is installed in
D:\Program Files\SmartFTP Daemon. An attacker would upload a file called
exploit.FTP_User, which includes his own password and the rigths, he wishes to have. If
he now uses the Username "..\..\..\..\..\Upload\exploit", his uploaded
Userfile will be used and he can login.

mindstorm networks has been informed about this bug and a fix should be
available soon. Until they will release a fix, you can get my unofficial
HotFix at my homepage, which will implement the missing check-function for bad
characters in the Username.

-Moritz

--
Moritz Jodeit
http://jodeit.cjb.net