| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 29 Nov 2007 14:46:06 +0300 From: 3APA3A <3APA3A@...URITY.NNOV.RU> To: Rajesh Sethumadhavan <rajesh.sethumadhavan@...oo.com> Cc: bugtraq@...urityfocus.com Subject: Re: Microsoft FTP Client Multiple Bufferoverflow Vulnerability Dear Rajesh Sethumadhavan, In order to exploit this vulnerability you need to force victim to run attacker-supplied BAT file. It's like forcing user to run attacker-supplied .sh script under Unix. No vulnerability here, except vulnerability in human. The second scenario is better. All you need is to force user to type more than 1000 characters (including shellcode) in filename without mistakes. You should be extremaly good social engineer... --Wednesday, November 28, 2007, 9:12:03 AM, you wrote to bugtraq@...urityfocus.com: RS> Exploitation method: RS> Method 1: RS> -Send POC with payload to user. RS> -Social engineer victim to open it. RS> Method 2: RS> -Attacker creates a directory with long folder or RS> filename in his FTP server (should be other than IIS RS> server) RS> -Persuade victim to run the command "mget", "ls" or RS> "dir" on specially crafted folder using microsoft ftp RS> client RS> -FTP client will crash and payload will get executed RS> Proof Of Concept: RS> http://www.xdisclose.com/poc/mget.bat.txt RS> http://www.xdisclose.com/poc/username.bat.txt RS> http://www.xdisclose.com/poc/directory.bat.txt RS> http://www.xdisclose.com/poc/list.bat.txt RS> Note: Modify POC to connect to lab FTP Server RS> (As of now it will connect to RS> ftp://xdisclose.com) RS> Demonstration: RS> Note: Demonstration leads to crashing of Microsoft FTP RS> Client RS> Download POC rename to .bat file and execute anyone of RS> the batch file RS> http://www.xdisclose.com/poc/mget.bat.txt RS> http://www.xdisclose.com/poc/username.bat.txt RS> http://www.xdisclose.com/poc/directory.bat.txt RS> http://www.xdisclose.com/poc/list.bat.txt RS> Solution: RS> No Solution RS> Screenshot: RS> http://www.xdisclose.com/images/msftpbof.jpg RS> Impact: RS> Successful exploitation may allows execution of RS> arbitrary code with privilege of currently logged in RS> user. RS> Impact of the vulnerability is system level. RS> Original Advisory: RS> http://www.xdisclose.com/advisory/XD100096.html RS> Credits: RS> Rajesh Sethumadhavan has been credited with the RS> discovery of this vulnerability RS> Disclaimer: RS> This entire document is strictly for educational, RS> testing and demonstrating purpose only. Modification RS> use and/or publishing this information is entirely on RS> your own risk. The exploit code/Proof Of Concept is to RS> be used on test environment only. I am not liable for RS> any direct or indirect damages caused as a result of RS> using the information or demonstrations provided in RS> any part of this advisory. RS> RS> ____________________________________________________________________________________ RS> Be a better pen pal. RS> Text or chat with friends inside Yahoo! Mail. See how. http://overview.mail.yahoo.com/ -- ~/ZARAZA http://securityvulns.com/ Îñîáóþ ïðîáëåìó ñîñòàâëÿåò àëêîãîëèçì. (Ëåì)
Powered by blists - more mailing lists