| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 29 Nov 2007 00:25:38 +0000
From: admin@...heco-family.net
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Full-Disclosure Digest, Vol 33, Issue 52
/****
Sent via BlackBerry from T-Mobile
-----Original Message-----
From: full-disclosure-request@...ts.grok.org.uk
Date: Wed, 28 Nov 2007 23:56:50
To:full-disclosure@...ts.grok.org.uk
Subject: Full-Disclosure Digest, Vol 33, Issue 52
Send Full-Disclosure mailing list submissions to
full-disclosure@...ts.grok.org.uk
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.grok.org.uk/mailman/listinfo/full-disclosure
or, via email, send a message with subject or body 'help' to
full-disclosure-request@...ts.grok.org.uk
You can reach the person managing the list at
full-disclosure-owner@...ts.grok.org.uk
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Full-Disclosure digest..."
Note to digest recipients - when replying to digest posts, please trim your post appropriately. Thank you.
Today's Topics:
1. Re: Microsoft FTP Client Multiple Bufferoverflow
Vulnerability (Tonnerre Lombard)
2. Re: Microsoft FTP Client Multiple Bufferoverflow
Vulnerability (KJK::Hyperion)
3. Re: Microsoft FTP Client Multiple Bufferoverflow
Vulnerability (Tonnerre Lombard)
4. Re: Microsoft FTP Client Multiple Bufferoverflow
Vulnerability (reepex)
5. Secunia Research: Symantec Backup Exec Job Engine Denial of
Service (Secunia Research)
6. Re: Microsoft FTP Client Multiple Bufferoverflow
Vulnerability (Valdis.Kletnieks@...edu)
7. [ MDKSA-2007:232 ] - Updated kernel packages fix multiple
vulnerabilities and bugs (security@...driva.com)
8. Re: Microsoft FTP Client Multiple Bufferoverflow
Vulnerability (dev code)
9. Re: Microsoft FTP Client Multiple Bufferoverflow
Vulnerability (Stan Bubrouski)
10. [ MDKSA-2007:233 ] - Updated cpio package fixes buffer
overflow and directory traversal vulnerabilities
(security@...driva.com)
11. [ MDKSA-2007:233 ] - Updated cpio package fixes buffer
overflow and directory traversal vulnerabilities
(security@...driva.com)
12. Re: Microsoft FTP Client Multiple Bufferoverflow
Vulnerability (Peter Dawson)
13. Re: Microsoft FTP Client Multiple Bufferoverflow
Vulnerability (reepex)
----------------------------------------------------------------------
Message: 1
Date: Wed, 28 Nov 2007 12:44:11 +0100
From: Tonnerre Lombard <tonnerre.lombard@...roup.ch>
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple
Bufferoverflow Vulnerability
To: full-disclosure@...ts.grok.org.uk
Message-ID: <20071128124411.7c0e55a4@...yg114.sygroup-int.ch>
Content-Type: text/plain; charset="iso-8859-1"
Salut,
On Wed, 28 Nov 2007 12:05:24 +0100 "KJK::Hyperion" <hackbunny@...tpj.org> wrote:
> Rajesh Sethumadhavan ha scritto:
> > Microsoft FTP Client Multiple Bufferoverflow
> > Vulnerability
>
> Isn't the FTP client compiled with stack overflow protection?
If so, how is that supposed to help?
Tonnerre
--
SyGroup GmbH
Tonnerre Lombard
Solutions Systematiques
Tel:+41 61 333 80 33 G?terstrasse 86
Fax:+41 61 383 14 67 4053 Basel
Web:www.sygroup.ch tonnerre.lombard@...roup.ch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 824 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20071128/495fddbb/attachment-0001.bin
------------------------------
Message: 2
Date: Wed, 28 Nov 2007 13:16:34 +0100
From: "KJK::Hyperion" <hackbunny@...tpj.org>
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple
Bufferoverflow Vulnerability
To: full-disclosure@...ts.grok.org.uk
Message-ID: <474D5C22.2080608@...tpj.org>
Content-Type: text/plain; charset=ISO-8859-1
Tonnerre Lombard ha scritto:
>>> Microsoft FTP Client Multiple Bufferoverflow
>>> Vulnerability
>> Isn't the FTP client compiled with stack overflow protection?
> If so, how is that supposed to help?
By terminating the program before the payload is executed
------------------------------
Message: 3
Date: Wed, 28 Nov 2007 15:49:34 +0100
From: Tonnerre Lombard <tonnerre.lombard@...roup.ch>
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple
Bufferoverflow Vulnerability
To: full-disclosure@...ts.grok.org.uk
Message-ID: <20071128154934.29ad2810@...yg114.sygroup-int.ch>
Content-Type: text/plain; charset="iso-8859-1"
Salut,
On Wed, 28 Nov 2007 13:16:34 +0100 "KJK::Hyperion" <hackbunny@...tpj.org> wrote:
> Tonnerre Lombard ha scritto:
> >>> Microsoft FTP Client Multiple Bufferoverflow
> >>> Vulnerability
> >> Isn't the FTP client compiled with stack overflow protection?
> > If so, how is that supposed to help?
>
> By terminating the program before the payload is executed
May I suggest that this protection is not perfect? I was hoping that
people on this mailing list consider this to be an established fact.
Tonnerre
--
SyGroup GmbH
Tonnerre Lombard
Solutions Systematiques
Tel:+41 61 333 80 33 G?terstrasse 86
Fax:+41 61 383 14 67 4053 Basel
Web:www.sygroup.ch tonnerre.lombard@...roup.ch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 824 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20071128/70c9c965/attachment-0001.bin
------------------------------
Message: 4
Date: Wed, 28 Nov 2007 09:11:30 -0600
From: reepex <reepex@...il.com>
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple
Bufferoverflow Vulnerability
To: "Rajesh Sethumadhavan" <rajesh.sethumadhavan@...oo.com>,
full-disclosure@...ts.grok.org.uk
Message-ID:
<e9d9d4020711280711v61ee588djd829a935e0e61152@...l.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
so... what fuzzer that you didnt code did you use to find these amazing
vulns?
Also nice 'payload' in your exploits meaning 'nice long lists of "a"s'. You
should not claim code execution when your code does not perform it.
Well I guess it has been good talking until your fuzzer crashes another
application and you copy and paste the results
On 11/28/07, Rajesh Sethumadhavan <rajesh.sethumadhavan@...oo.com> wrote:
>
> Microsoft FTP Client Multiple Bufferoverflow
> Vulnerability
>
> #####################################################################
>
> XDisclose Advisory : XD100096
> Vulnerability Discovered: November 20th 2007
> Advisory Reported : November 28th 2007
> Credit : Rajesh Sethumadhavan
>
> Class : Buffer Overflow
> Denial Of Service
> Solution Status : Unpatched
> Vendor : Microsoft Corporation
> Affected applications : Microsoft FTP Client
> Affected Platform : Windows 2000 server
> Windows 2000 Professional
> Windows XP
> (Other Versions may be also effected)
>
> #####################################################################
>
>
> Overview:
> Bufferoverflow vulnerability is discovered in
> microsoft ftp client. Attackers can crash the ftp
> client of the victim user by tricking the user.
>
>
> Description:
> A remote attacker can craft packet with payload in the
> "mget", "ls", "dir", "username" and "password"
> commands as demonstrated below. When victim execute
> POC or specially crafted packets, ftp client will
> crash possible arbitrary code execution in contest of
> logged in user. This vulnerability is hard to exploit
> since it requires social engineering and shellcode has
> to be injected as argument in vulnerable commands.
>
> The vulnerability is caused due to an error in the
> Windows FTP client in validating commands like "mget",
> "dir", "user", password and "ls"
>
> Exploitation method:
>
> Method 1:
> -Send POC with payload to user.
> -Social engineer victim to open it.
>
> Method 2:
> -Attacker creates a directory with long folder or
> filename in his FTP server (should be other than IIS
> server)
> -Persuade victim to run the command "mget", "ls" or
> "dir" on specially crafted folder using microsoft ftp
> client
> -FTP client will crash and payload will get executed
>
>
> Proof Of Concept:
> http://www.xdisclose.com/poc/mget.bat.txt
> http://www.xdisclose.com/poc/username.bat.txt
> http://www.xdisclose.com/poc/directory.bat.txt
> http://www.xdisclose.com/poc/list.bat.txt
>
> Note: Modify POC to connect to lab FTP Server
> (As of now it will connect to
> ftp://xdisclose.com)
>
> Demonstration:
> Note: Demonstration leads to crashing of Microsoft FTP
> Client
>
> Download POC rename to .bat file and execute anyone of
> the batch file
> http://www.xdisclose.com/poc/mget.bat.txt
> http://www.xdisclose.com/poc/username.bat.txt
> http://www.xdisclose.com/poc/directory.bat.txt
> http://www.xdisclose.com/poc/list.bat.txt
>
>
> Solution:
> No Solution
>
> Screenshot:
> http://www.xdisclose.com/images/msftpbof.jpg
>
>
> Impact:
> Successful exploitation may allows execution of
> arbitrary code with privilege of currently logged in
> user.
>
> Impact of the vulnerability is system level.
>
>
> Original Advisory:
> http://www.xdisclose.com/advisory/XD100096.html
>
> Credits:
> Rajesh Sethumadhavan has been credited with the
> discovery of this vulnerability
>
>
> Disclaimer:
> This entire document is strictly for educational,
> testing and demonstrating purpose only. Modification
> use and/or publishing this information is entirely on
> your own risk. The exploit code/Proof Of Concept is to
> be used on test environment only. I am not liable for
> any direct or indirect damages caused as a result of
> using the information or demonstrations provided in
> any part of this advisory.
>
>
>
>
> ____________________________________________________________________________________
> Never miss a thing. Make Yahoo your home page.
> http://www.yahoo.com/r/hs
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20071128/cb276e93/attachment-0001.html
------------------------------
Message: 5
Date: Wed, 28 Nov 2007 10:43:42 +0100
From: Secunia Research <remove-vuln@...unia.com>
Subject: [Full-disclosure] Secunia Research: Symantec Backup Exec Job
Engine Denial of Service
To: full-disclosure@...ts.grok.org.uk
Message-ID: <1196243023.25960.307.camel@....intnet>
Content-Type: text/plain
======================================================================
Secunia Research 28/11/2007
- Symantec Backup Exec Job Engine Denial of Service -
======================================================================
Table of Contents
Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10
======================================================================
1) Affected Software
* Symantec Backup Exec for Windows Servers version 11d (11.0 rev 7170)
NOTE: Other versions may also be affected.
======================================================================
2) Severity
Rating: Less Critical
Impact: Denial of Service
Where: Local network
======================================================================
3) Vendor's Description of Software
Symantec Backup Exec 11d for Windows Servers is the gold standard in
Windows data recovery, providing cost-effective, high-performance, and
certified disk-to-disk-to-tape backup and recovery?with available
continuous data protection for Microsoft Exchange, SQL, file servers,
and workstations. High-performance agents and options provide fast,
flexible, granular protection and recovery, and scalable management of
local and remote server backups."
Product Link:
http://www.symantec.com/business/products/overview.jsp?pcid=2244&pvid=57_1
======================================================================
4) Description of Vulnerability
Secunia Research has discovered some vulnerabilities in Symantec
Backup Exec for Windows Servers, which can be exploited by malicious
people to cause a DoS (Denial of Service).
1) A NULL-pointer dereference error in the Backup Exec Job Engine
service (bengine.exe) when handling exceptions can be exploited to
crash the service by sending a specially crafted packet to default
port 5633/TCP.
2) Two integer overflow errors within the Backup Exec Job Engine
service can be exploited to e.g. cause the service to enter an
infinite loop and exhaust all available memory or consume large
amounts of CPU resource by sending a specially crafted packet to
default port 5633/TCP.
======================================================================
5) Solution
Apply hotfixes.
Build 11.0.6235:
http://support.veritas.com/docs/294241
Build 11.0.7170:
http://support.veritas.com/docs/294237
======================================================================
6) Time Table
02/10/2007 - Vendor notified.
02/10/2007 - Vendor replied.
28/11/2007 - Public disclosure.
======================================================================
7) Credits
Discovered by JJ Reyes, Secunia Research.
======================================================================
8) References
SYM07-029:
http://securityresponse.symantec.com/avcenter/security/Content/2007.11.27.html
The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2007-4346 (NULL pointer dereference error) and CVE-2007-4347
(integer overflows) for the vulnerabilities.
======================================================================
9) About Secunia
Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:
http://corporate.secunia.com/
Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.
http://secunia.com/
Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:
http://corporate.secunia.com/secunia_research/33/
Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:
http://secunia.com/secunia_vacancies/
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/secunia_security_advisories/
======================================================================
10) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2007-74/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
======================================================================
------------------------------
Message: 6
Date: Wed, 28 Nov 2007 12:27:14 -0500
From: Valdis.Kletnieks@...edu
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple
Bufferoverflow Vulnerability
To: "KJK::Hyperion" <hackbunny@...tpj.org>
Cc: full-disclosure@...ts.grok.org.uk
Message-ID: <20490.1196270834@...ing-police.cc.vt.edu>
Content-Type: text/plain; charset="us-ascii"
On Wed, 28 Nov 2007 12:05:24 +0100, "KJK::Hyperion" said:
> Rajesh Sethumadhavan ha scritto:
> > Microsoft FTP Client Multiple Bufferoverflow
> > Vulnerability
>
> Isn't the FTP client compiled with stack overflow protection?
Not all buffers live on the stack.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20071128/c18cf28e/attachment-0001.bin
------------------------------
Message: 7
Date: Wed, 28 Nov 2007 13:46:27 -0700
From: security@...driva.com
Subject: [Full-disclosure] [ MDKSA-2007:232 ] - Updated kernel
packages fix multiple vulnerabilities and bugs
To: full-disclosure@...ts.grok.org.uk
Message-ID: <E1IxTnf-0003M2-Q8@...emis.annvix.ca>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDKSA-2007:232
http://www.mandriva.com/security/
_______________________________________________________________________
Package : kernel
Date : November 28, 2007
Affected: 2008.0
_______________________________________________________________________
Problem Description:
Some vulnerabilities were discovered and corrected in the Linux
2.6 kernel:
The minix filesystem code allows local users to cause a denial of
service (hang) via a malformed minix file stream (CVE-2006-6058).
An integer underflow in the Linux kernel prior to 2.6.23 allows remote
attackers to cause a denial of service (crash) via a crafted SKB length
value in a runt IEEE 802.11 frame when the IEEE80211_STYPE_QOS_DATA
flag is set (CVE-2007-4997).
To update your kernel, please follow the directions located at:
http://www.mandriva.com/en/security/kernelupdate
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6058
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4997
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2008.0:
5c1343b5d8ffdced8a3976f204f51525 2008.0/i586/kernel-2.6.22.12-1mdv-1-1mdv2008.0.i586.rpm
35d9b9d32b2dea3ced31c287dc48e7b5 2008.0/i586/kernel-desktop-2.6.22.12-1mdv-1-1mdv2008.0.i586.rpm
a0f6e8a00bcb369f60b42eda0a31e9a4 2008.0/i586/kernel-desktop-devel-2.6.22.12-1mdv-1-1mdv2008.0.i586.rpm
a2be11654f2b06d0579b6a3f5272c31a 2008.0/i586/kernel-desktop-devel-latest-2.6.22.12-1mdv2008.0.i586.rpm
4ac1c0d45cd643dbea927050e0a4010a 2008.0/i586/kernel-desktop-latest-2.6.22.12-1mdv2008.0.i586.rpm
beac61f42065285b3b2f34212d52d8d0 2008.0/i586/kernel-desktop586-2.6.22.12-1mdv-1-1mdv2008.0.i586.rpm
eb5bc9029a09d92870d1b2e33410eadd 2008.0/i586/kernel-desktop586-devel-2.6.22.12-1mdv-1-1mdv2008.0.i586.rpm
cb9ff0a7902a734e7f1378c46d2e024e 2008.0/i586/kernel-desktop586-devel-latest-2.6.22.12-1mdv2008.0.i586.rpm
5640e6c9846abf1cffdbba58517bc4f3 2008.0/i586/kernel-desktop586-latest-2.6.22.12-1mdv2008.0.i586.rpm
f47fc0edd34149905ec9c979b365ea1e 2008.0/i586/kernel-doc-2.6.22.12-1mdv2008.0.i586.rpm
4281e10a6a2ea8d0eec91e5d4c7f4a97 2008.0/i586/kernel-laptop-2.6.22.12-1mdv-1-1mdv2008.0.i586.rpm
bf0cdddc00747ca1eac97596d110b2b0 2008.0/i586/kernel-laptop-devel-2.6.22.12-1mdv-1-1mdv2008.0.i586.rpm
d8901cba80555234b45b7291966232f7 2008.0/i586/kernel-laptop-devel-latest-2.6.22.12-1mdv2008.0.i586.rpm
fc3f4e82c13a8fe0a3d7c138a4242523 2008.0/i586/kernel-laptop-latest-2.6.22.12-1mdv2008.0.i586.rpm
4471d2e11e5814d6b00a92203eb624fd 2008.0/i586/kernel-server-2.6.22.12-1mdv-1-1mdv2008.0.i586.rpm
3fd2a0f03031e55e1fd688f18a111909 2008.0/i586/kernel-server-devel-2.6.22.12-1mdv-1-1mdv2008.0.i586.rpm
60bebc8c572331ea54da8e2f2003d184 2008.0/i586/kernel-server-devel-latest-2.6.22.12-1mdv2008.0.i586.rpm
3603a84dec2dd525aee503face0f5466 2008.0/i586/kernel-server-latest-2.6.22.12-1mdv2008.0.i586.rpm
0fdee78f39eb58e8ed656dc746247805 2008.0/i586/kernel-source-2.6.22.12-1mdv-1-1mdv2008.0.i586.rpm
68e878051bf3584e2544382ffe685d4f 2008.0/i586/kernel-source-latest-2.6.22.12-1mdv2008.0.i586.rpm
666ec61a6b9f117b3a991bc0163b66a2 2008.0/SRPMS/kernel-2.6.22.12-1mdv2008.0.src.rpm
Mandriva Linux 2008.0/X86_64:
8a4670ea37e195b450780c65c1e848e1 2008.0/x86_64/kernel-2.6.22.12-1mdv-1-1mdv2008.0.x86_64.rpm
d423ea385be4e43c2e3662faf02ec952 2008.0/x86_64/kernel-desktop-2.6.22.12-1mdv-1-1mdv2008.0.x86_64.rpm
24d0752af597feb7d7df1ef0412010a4 2008.0/x86_64/kernel-desktop-devel-2.6.22.12-1mdv-1-1mdv2008.0.x86_64.rpm
61932b1d0078387f5212919776940e62 2008.0/x86_64/kernel-desktop-devel-latest-2.6.22.12-1mdv2008.0.x86_64.rpm
fff4298a795775460b87f2fe0b757d10 2008.0/x86_64/kernel-desktop-latest-2.6.22.12-1mdv2008.0.x86_64.rpm
a32ef6a87dc4a8dd28b6a83b810de9ff 2008.0/x86_64/kernel-doc-2.6.22.12-1mdv2008.0.x86_64.rpm
80b7e690f462eaf2993595afd70c9de0 2008.0/x86_64/kernel-laptop-2.6.22.12-1mdv-1-1mdv2008.0.x86_64.rpm
7f6df46dd7a05574c001527a3341b28d 2008.0/x86_64/kernel-laptop-devel-2.6.22.12-1mdv-1-1mdv2008.0.x86_64.rpm
efa087282b33923c354846909ec1585c 2008.0/x86_64/kernel-laptop-devel-latest-2.6.22.12-1mdv2008.0.x86_64.rpm
a24374352a24ce5c9e9fbfaf9c7f130d 2008.0/x86_64/kernel-laptop-latest-2.6.22.12-1mdv2008.0.x86_64.rpm
7a078712aea92dc7ce3f36288e6126e8 2008.0/x86_64/kernel-server-2.6.22.12-1mdv-1-1mdv2008.0.x86_64.rpm
53876a6ab82a4eabecb97be39a256d9b 2008.0/x86_64/kernel-server-devel-2.6.22.12-1mdv-1-1mdv2008.0.x86_64.rpm
bc7dc1b24b0acf0f0a4c819a765bd6f6 2008.0/x86_64/kernel-server-devel-latest-2.6.22.12-1mdv2008.0.x86_64.rpm
915a90d1b7dfd1f1b443d77191d90dad 2008.0/x86_64/kernel-server-latest-2.6.22.12-1mdv2008.0.x86_64.rpm
7b9728978473981add1ab6f95272a3ac 2008.0/x86_64/kernel-source-2.6.22.12-1mdv-1-1mdv2008.0.x86_64.rpm
e5e79acce294760ba2250590efffbcb1 2008.0/x86_64/kernel-source-latest-2.6.22.12-1mdv2008.0.x86_64.rpm
666ec61a6b9f117b3a991bc0163b66a2 2008.0/SRPMS/kernel-2.6.22.12-1mdv2008.0.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
iD8DBQFHTalKmqjQ0CJFipgRAmuMAKC5vYuP+GWkDtVgvHdlonswXNInPACgt14z
xMNG7xobmmz9u/fFFl77ZFw=
=+r4e
-----END PGP SIGNATURE-----
------------------------------
Message: 8
Date: Wed, 28 Nov 2007 21:43:56 +0000
From: dev code <devcode29@...mail.com>
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple
Bufferoverflow Vulnerability
To: reepex <reepex@...il.com>, Rajesh Sethumadhavan
<rajesh.sethumadhavan@...oo.com>, <full-disclosure@...ts.grok.org.uk>
Message-ID: <BAY120-W6DF5E0453F3F1C567924FBE770@....gbl>
Content-Type: text/plain; charset="iso-8859-1"
lolerowned, kinda like the 20 other non exploitable stack overflow exceptions that someone else has been reporting on full disclosure
Date: Wed, 28 Nov 2007 09:11:30 -0600
From: reepex@...il.com
To: rajesh.sethumadhavan@...oo.com; full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow Vulnerability
so... what fuzzer that you didnt code did you use to find these amazing vulns?
Also nice 'payload' in your exploits meaning 'nice long lists of "a"s'. You should not claim code execution when your code does not perform it.
Well I guess it has been good talking until your fuzzer crashes another application and you copy and paste the results
On 11/28/07, Rajesh Sethumadhavan <rajesh.sethumadhavan@...oo.com> wrote:
Microsoft FTP Client Multiple Bufferoverflow
Vulnerability
#####################################################################
XDisclose Advisory : XD100096
Vulnerability Discovered: November 20th 2007
Advisory Reported : November 28th 2007
Credit : Rajesh Sethumadhavan
Class : Buffer Overflow
Denial Of Service
Solution Status : Unpatched
Vendor : Microsoft Corporation
Affected applications : Microsoft FTP Client
Affected Platform : Windows 2000 server
Windows 2000 Professional
Windows XP
(Other Versions may be also effected)
#####################################################################
Overview:
Bufferoverflow vulnerability is discovered in
microsoft ftp client. Attackers can crash the ftp
client of the victim user by tricking the user.
Description:
A remote attacker can craft packet with payload in the
"mget", "ls", "dir", "username" and "password"
commands as demonstrated below. When victim execute
POC or specially crafted packets, ftp client will
crash possible arbitrary code execution in contest of
logged in user. This vulnerability is hard to exploit
since it requires social engineering and shellcode has
to be injected as argument in vulnerable commands.
The vulnerability is caused due to an error in the
Windows FTP client in validating commands like "mget",
"dir", "user", password and "ls"
Exploitation method:
Method 1:
-Send POC with payload to user.
-Social engineer victim to open it.
Method 2:
-Attacker creates a directory with long folder or
filename in his FTP server (should be other than IIS
server)
-Persuade victim to run the command "mget", "ls" or
"dir" on specially crafted folder using microsoft ftp
client
-FTP client will crash and payload will get executed
Proof Of Concept:
http://www.xdisclose.com/poc/mget.bat.txt
http://www.xdisclose.com/poc/username.bat.txt
http://www.xdisclose.com/poc/directory.bat.txt
http://www.xdisclose.com/poc/list.bat.txt
Note: Modify POC to connect to lab FTP Server
(As of now it will connect to
ftp://xdisclose.com)
Demonstration:
Note: Demonstration leads to crashing of Microsoft FTP
Client
Download POC rename to .bat file and execute anyone of
the batch file
http://www.xdisclose.com/poc/mget.bat.txt
http://www.xdisclose.com/poc/username.bat.txt
http://www.xdisclose.com/poc/directory.bat.txt
http://www.xdisclose.com/poc/list.bat.txt
Solution:
No Solution
Screenshot:
http://www.xdisclose.com/images/msftpbof.jpg
Impact:
Successful exploitation may allows execution of
arbitrary code with privilege of currently logged in
user.
Impact of the vulnerability is system level.
Original Advisory:
http://www.xdisclose.com/advisory/XD100096.html
Credits:
Rajesh Sethumadhavan has been credited with the
discovery of this vulnerability
Disclaimer:
This entire document is strictly for educational,
testing and demonstrating purpose only. Modification
use and/or publishing this information is entirely on
your own risk. The exploit code/Proof Of Concept is to
be used on test environment only. I am not liable for
any direct or indirect damages caused as a result of
using the information or demonstrations provided in
any part of this advisory.
____________________________________________________________________________________
Never miss a thing. Make Yahoo your home page.
http://www.yahoo.com/r/hs
_______________________________________________
Full-Disclosure - We believe in it.
Charter:
http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_________________________________________________________________
Connect and share in new ways with Windows Live.
http://www.windowslive.com/connect.html?ocid=TXT_TAGLM_Wave2_newways_112007
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20071128/587fa595/attachment-0001.html
------------------------------
Message: 9
Date: Wed, 28 Nov 2007 17:21:54 -0500
From: "Stan Bubrouski" <stan.bubrouski@...il.com>
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple
Bufferoverflow Vulnerability
To: "dev code" <devcode29@...mail.com>
Cc: full-disclosure@...ts.grok.org.uk
Message-ID:
<122827b90711281421u64663492jadd2b4d101d9fd45@...l.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Not to mention the obvious fact that if you have to trick someone into
running a batch file then you could probably just tell the genius to
execute a special EXE you crafted for them.
-sb
On Nov 28, 2007 4:43 PM, dev code <devcode29@...mail.com> wrote:
>
> lolerowned, kinda like the 20 other non exploitable stack overflow
> exceptions that someone else has been reporting on full disclosure
> ________________________________
> Date: Wed, 28 Nov 2007 09:11:30 -0600
> From: reepex@...il.com
> To: rajesh.sethumadhavan@...oo.com; full-disclosure@...ts.grok.org.uk
> Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow
> Vulnerability
>
>
>
> so... what fuzzer that you didnt code did you use to find these amazing
> vulns?
>
> Also nice 'payload' in your exploits meaning 'nice long lists of "a"s'. You
> should not claim code execution when your code does not perform it.
>
> Well I guess it has been good talking until your fuzzer crashes another
> application and you copy and paste the results
>
>
> On 11/28/07, Rajesh Sethumadhavan <rajesh.sethumadhavan@...oo.com> wrote:
> Microsoft FTP Client Multiple Bufferoverflow
> Vulnerability
>
> #####################################################################
>
> XDisclose Advisory : XD100096
> Vulnerability Discovered: November 20th 2007
> Advisory Reported : November 28th 2007
> Credit : Rajesh Sethumadhavan
>
> Class : Buffer Overflow
> Denial Of Service
> Solution Status : Unpatched
> Vendor : Microsoft Corporation
> Affected applications : Microsoft FTP Client
> Affected Platform : Windows 2000 server
> Windows 2000 Professional
> Windows XP
> (Other Versions may be also effected)
>
> #####################################################################
>
>
> Overview:
> Bufferoverflow vulnerability is discovered in
> microsoft ftp client. Attackers can crash the ftp
> client of the victim user by tricking the user.
>
>
> Description:
> A remote attacker can craft packet with payload in the
> "mget", "ls", "dir", "username" and "password"
> commands as demonstrated below. When victim execute
> POC or specially crafted packets, ftp client will
> crash possible arbitrary code execution in contest of
> logged in user. This vulnerability is hard to exploit
> since it requires social engineering and shellcode has
> to be injected as argument in vulnerable commands.
>
> The vulnerability is caused due to an error in the
> Windows FTP client in validating commands like "mget",
> "dir", "user", password and "ls"
>
> Exploitation method:
>
> Method 1:
> -Send POC with payload to user.
> -Social engineer victim to open it.
>
> Method 2:
> -Attacker creates a directory with long folder or
> filename in his FTP server (should be other than IIS
> server)
> -Persuade victim to run the command "mget", "ls" or
> "dir" on specially crafted folder using microsoft ftp
> client
> -FTP client will crash and payload will get executed
>
>
> Proof Of Concept:
> http://www.xdisclose.com/poc/mget.bat.txt
> http://www.xdisclose.com/poc/username.bat.txt
> http://www.xdisclose.com/poc/directory.bat.txt
> http://www.xdisclose.com/poc/list.bat.txt
>
> Note: Modify POC to connect to lab FTP Server
> (As of now it will connect to
> ftp://xdisclose.com)
>
> Demonstration:
> Note: Demonstration leads to crashing of Microsoft FTP
> Client
>
> Download POC rename to .bat file and execute anyone of
> the batch file
> http://www.xdisclose.com/poc/mget.bat.txt
> http://www.xdisclose.com/poc/username.bat.txt
> http://www.xdisclose.com/poc/directory.bat.txt
> http://www.xdisclose.com/poc/list.bat.txt
>
>
> Solution:
> No Solution
>
> Screenshot:
> http://www.xdisclose.com/images/msftpbof.jpg
>
>
> Impact:
> Successful exploitation may allows execution of
> arbitrary code with privilege of currently logged in
> user.
>
> Impact of the vulnerability is system level.
>
>
> Original Advisory:
> http://www.xdisclose.com/advisory/XD100096.html
>
> Credits:
> Rajesh Sethumadhavan has been credited with the
> discovery of this vulnerability
>
>
> Disclaimer:
> This entire document is strictly for educational,
> testing and demonstrating purpose only. Modification
> use and/or publishing this information is entirely on
> your own risk. The exploit code/Proof Of Concept is to
> be used on test environment only. I am not liable for
> any direct or indirect damages caused as a result of
> using the information or demonstrations provided in
> any part of this advisory.
>
>
>
>
> ____________________________________________________________________________________
> Never miss a thing. Make Yahoo your home page.
> http://www.yahoo.com/r/hs
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
> ________________________________
> Connect and share in new ways with Windows Live. Connect now!
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
------------------------------
Message: 10
Date: Wed, 28 Nov 2007 15:42:26 -0700
From: security@...driva.com
Subject: [Full-disclosure] [ MDKSA-2007:233 ] - Updated cpio package
fixes buffer overflow and directory traversal vulnerabilities
To: full-disclosure@...ts.grok.org.uk
Message-ID: <E1IxVbu-0003g6-5Q@...emis.annvix.ca>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDKSA-2007:233
http://www.mandriva.com/security/
_______________________________________________________________________
Package : cpio
Date : November 28, 2007
Affected: 2007.0, 2007.1, 2008.0, Corporate 3.0, Corporate 4.0,
Multi Network Firewall 2.0
_______________________________________________________________________
Problem Description:
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4476
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1229
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2007.0:
88af30721a848b5fd4b3e26c5c055846 2007.0/i586/cpio-2.6-7.1mdv2007.0.i586.rpm
250697255ccc671ca2a01c2ba762aac6 2007.0/SRPMS/cpio-2.6-7.1mdv2007.0.src.rpm
Mandriva Linux 2007.0/X86_64:
fc1e32f7b528997237b392b1c1da9c3c 2007.0/x86_64/cpio-2.6-7.1mdv2007.0.x86_64.rpm
250697255ccc671ca2a01c2ba762aac6 2007.0/SRPMS/cpio-2.6-7.1mdv2007.0.src.rpm
Mandriva Linux 2007.1:
0814f474aa054b2b7fc92af6e1f5ba01 2007.1/i586/cpio-2.7-3.1mdv2007.1.i586.rpm
7292ed206fa271c377cbe72577b42a0d 2007.1/SRPMS/cpio-2.7-3.1mdv2007.1.src.rpm
Mandriva Linux 2007.1/X86_64:
851d9793b6f791817bc76b558f8fdd5b 2007.1/x86_64/cpio-2.7-3.1mdv2007.1.x86_64.rpm
7292ed206fa271c377cbe72577b42a0d 2007.1/SRPMS/cpio-2.7-3.1mdv2007.1.src.rpm
Mandriva Linux 2008.0:
a6747328c665be64979fee53f3878fdb 2008.0/i586/cpio-2.9-2.1mdv2008.0.i586.rpm
de436966331be58abba226049bff8edf 2008.0/SRPMS/cpio-2.9-2.1mdv2008.0.src.rpm
Mandriva Linux 2008.0/X86_64:
953e95a47bb9a978aa1b98e1c7f56e65 2008.0/x86_64/cpio-2.9-2.1mdv2008.0.x86_64.rpm
de436966331be58abba226049bff8edf 2008.0/SRPMS/cpio-2.9-2.1mdv2008.0.src.rpm
Corporate 3.0:
4dfe1f2b387d396eca07927d65a77ce4 corporate/3.0/i586/cpio-2.5-4.4.C30mdk.i586.rpm
10e1e7fcb59c195b6f679b80e75fade0 corporate/3.0/SRPMS/cpio-2.5-4.4.C30mdk.src.rpm
Corporate 3.0/X86_64:
dc91afd2f8c7b93a95b898cc9a98182a corporate/3.0/x86_64/cpio-2.5-4.4.C30mdk.x86_64.rpm
10e1e7fcb59c195b6f679b80e75fade0 corporate/3.0/SRPMS/cpio-2.5-4.4.C30mdk.src.rpm
Corporate 4.0:
79936c67409d3889d7988fecfde649b5 corporate/4.0/i586/cpio-2.6-5.1.20060mlcs4.i586.rpm
593f22ed1a261614a1f0d45932b6c441 corporate/4.0/SRPMS/cpio-2.6-5.1.20060mlcs4.src.rpm
Corporate 4.0/X86_64:
a32dd1c2fcb89b32dacd9c7f5d56acd7 corporate/4.0/x86_64/cpio-2.6-5.1.20060mlcs4.x86_64.rpm
593f22ed1a261614a1f0d45932b6c441 corporate/4.0/SRPMS/cpio-2.6-5.1.20060mlcs4.src.rpm
Multi Network Firewall 2.0:
3abab72dae445f67c65d58f975f8816c mnf/2.0/i586/cpio-2.5-4.4.M20mdk.i586.rpm
2a1e733d240e05b2771c135ebcbca4d4 mnf/2.0/SRPMS/cpio-2.5-4.4.M20mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
iD8DBQFHTcLbmqjQ0CJFipgRAge8AJ97m1vvl9hCXMm1D3Hf2ClJYpJVsgCgld5b
HziHEhmvMccwc97yrLEj3ps=
=QhpI
-----END PGP SIGNATURE-----
------------------------------
Message: 11
Date: Wed, 28 Nov 2007 16:19:53 -0700
From: security@...driva.com
Subject: [Full-disclosure] [ MDKSA-2007:233 ] - Updated cpio package
fixes buffer overflow and directory traversal vulnerabilities
To: full-disclosure@...ts.grok.org.uk
Message-ID: <E1IxWC9-000406-PP@...emis.annvix.ca>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDKSA-2007:233
http://www.mandriva.com/security/
_______________________________________________________________________
Package : cpio
Date : November 28, 2007
Affected: 2007.0, 2007.1, 2008.0, Corporate 3.0, Corporate 4.0,
Multi Network Firewall 2.0
_______________________________________________________________________
Problem Description:
Buffer overflow in the safer_name_suffix function in GNU cpio
has unspecified attack vectors and impact, resulting in a crashing
stack. This problem is originally found in tar, but affects cpio too,
due to similar code fragments. (CVE-2007-4476)
Directory traversal vulnerability in cpio 2.6 and earlier allows remote
attackers to write to arbitrary directories via a .. (dot dot) in a
cpio file. This is an old issue, affecting only Mandriva Corporate
Server 4 and Mandriva Linux 2007. (CVE-2005-1229)
Updated package fixes these issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4476
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1229
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2007.0:
88af30721a848b5fd4b3e26c5c055846 2007.0/i586/cpio-2.6-7.1mdv2007.0.i586.rpm
250697255ccc671ca2a01c2ba762aac6 2007.0/SRPMS/cpio-2.6-7.1mdv2007.0.src.rpm
Mandriva Linux 2007.0/X86_64:
fc1e32f7b528997237b392b1c1da9c3c 2007.0/x86_64/cpio-2.6-7.1mdv2007.0.x86_64.rpm
250697255ccc671ca2a01c2ba762aac6 2007.0/SRPMS/cpio-2.6-7.1mdv2007.0.src.rpm
Mandriva Linux 2007.1:
0814f474aa054b2b7fc92af6e1f5ba01 2007.1/i586/cpio-2.7-3.1mdv2007.1.i586.rpm
7292ed206fa271c377cbe72577b42a0d 2007.1/SRPMS/cpio-2.7-3.1mdv2007.1.src.rpm
Mandriva Linux 2007.1/X86_64:
851d9793b6f791817bc76b558f8fdd5b 2007.1/x86_64/cpio-2.7-3.1mdv2007.1.x86_64.rpm
7292ed206fa271c377cbe72577b42a0d 2007.1/SRPMS/cpio-2.7-3.1mdv2007.1.src.rpm
Mandriva Linux 2008.0:
a6747328c665be64979fee53f3878fdb 2008.0/i586/cpio-2.9-2.1mdv2008.0.i586.rpm
de436966331be58abba226049bff8edf 2008.0/SRPMS/cpio-2.9-2.1mdv2008.0.src.rpm
Mandriva Linux 2008.0/X86_64:
953e95a47bb9a978aa1b98e1c7f56e65 2008.0/x86_64/cpio-2.9-2.1mdv2008.0.x86_64.rpm
de436966331be58abba226049bff8edf 2008.0/SRPMS/cpio-2.9-2.1mdv2008.0.src.rpm
Corporate 3.0:
4dfe1f2b387d396eca07927d65a77ce4 corporate/3.0/i586/cpio-2.5-4.4.C30mdk.i586.rpm
10e1e7fcb59c195b6f679b80e75fade0 corporate/3.0/SRPMS/cpio-2.5-4.4.C30mdk.src.rpm
Corporate 3.0/X86_64:
dc91afd2f8c7b93a95b898cc9a98182a corporate/3.0/x86_64/cpio-2.5-4.4.C30mdk.x86_64.rpm
10e1e7fcb59c195b6f679b80e75fade0 corporate/3.0/SRPMS/cpio-2.5-4.4.C30mdk.src.rpm
Corporate 4.0:
79936c67409d3889d7988fecfde649b5 corporate/4.0/i586/cpio-2.6-5.1.20060mlcs4.i586.rpm
593f22ed1a261614a1f0d45932b6c441 corporate/4.0/SRPMS/cpio-2.6-5.1.20060mlcs4.src.rpm
Corporate 4.0/X86_64:
a32dd1c2fcb89b32dacd9c7f5d56acd7 corporate/4.0/x86_64/cpio-2.6-5.1.20060mlcs4.x86_64.rpm
593f22ed1a261614a1f0d45932b6c441 corporate/4.0/SRPMS/cpio-2.6-5.1.20060mlcs4.src.rpm
Multi Network Firewall 2.0:
3abab72dae445f67c65d58f975f8816c mnf/2.0/i586/cpio-2.5-4.4.M20mdk.i586.rpm
2a1e733d240e05b2771c135ebcbca4d4 mnf/2.0/SRPMS/cpio-2.5-4.4.M20mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
iD8DBQFHTfdRmqjQ0CJFipgRAiBcAJ9lW2Xb2u2NBqtF/Gfl90DlD3yXLgCg1atN
gTm4NWlU7BE5H/nvQQzHhgU=
=Fg/j
-----END PGP SIGNATURE-----
------------------------------
Message: 12
Date: Wed, 28 Nov 2007 18:34:47 -0500
From: "Peter Dawson" <slash.pd@...il.com>
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple
Bufferoverflow Vulnerability
To: "Stan Bubrouski" <stan.bubrouski@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Message-ID:
<8f1f7b60711281534p554ccdb1mea0fd20826625658@...l.gmail.com>
Content-Type: text/plain; charset="utf-8"
Yeah ..
a) "Social engineer victim to open it."
b) "Persuade victim to run the command "
is kind funky..
On Nov 28, 2007 5:21 PM, Stan Bubrouski <stan.bubrouski@...il.com> wrote:
> Not to mention the obvious fact that if you have to trick someone into
> running a batch file then you could probably just tell the genius to
> execute a special EXE you crafted for them.
>
> -sb
>
> On Nov 28, 2007 4:43 PM, dev code <devcode29@...mail.com> wrote:
> >
> > lolerowned, kinda like the 20 other non exploitable stack overflow
> > exceptions that someone else has been reporting on full disclosure
> > ________________________________
> > Date: Wed, 28 Nov 2007 09:11:30 -0600
> > From: reepex@...il.com
> > To: rajesh.sethumadhavan@...oo.com; full-disclosure@...ts.grok.org.uk
> > Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple
> Bufferoverflow
> > Vulnerability
> >
> >
> >
> > so... what fuzzer that you didnt code did you use to find these amazing
> > vulns?
> >
> > Also nice 'payload' in your exploits meaning 'nice long lists of "a"s'.
> You
> > should not claim code execution when your code does not perform it.
> >
> > Well I guess it has been good talking until your fuzzer crashes another
> > application and you copy and paste the results
> >
> >
> > On 11/28/07, Rajesh Sethumadhavan <rajesh.sethumadhavan@...oo.com>
> wrote:
> > Microsoft FTP Client Multiple Bufferoverflow
> > Vulnerability
> >
> > #####################################################################
> >
> > XDisclose Advisory : XD100096
> > Vulnerability Discovered: November 20th 2007
> > Advisory Reported : November 28th 2007
> > Credit : Rajesh Sethumadhavan
> >
> > Class : Buffer Overflow
> > Denial Of Service
> > Solution Status : Unpatched
> > Vendor : Microsoft Corporation
> > Affected applications : Microsoft FTP Client
> > Affected Platform : Windows 2000 server
> > Windows 2000 Professional
> > Windows XP
> > (Other Versions may be also effected)
> >
> > #####################################################################
> >
> >
> > Overview:
> > Bufferoverflow vulnerability is discovered in
> > microsoft ftp client. Attackers can crash the ftp
> > client of the victim user by tricking the user.
> >
> >
> > Description:
> > A remote attacker can craft packet with payload in the
> > "mget", "ls", "dir", "username" and "password"
> > commands as demonstrated below. When victim execute
> > POC or specially crafted packets, ftp client will
> > crash possible arbitrary code execution in contest of
> > logged in user. This vulnerability is hard to exploit
> > since it requires social engineering and shellcode has
> > to be injected as argument in vulnerable commands.
> >
> > The vulnerability is caused due to an error in the
> > Windows FTP client in validating commands like "mget",
> > "dir", "user", password and "ls"
> >
> > Exploitation method:
> >
> > Method 1:
> > -Send POC with payload to user.
> > -Social engineer victim to open it.
> >
> > Method 2:
> > -Attacker creates a directory with long folder or
> > filename in his FTP server (should be other than IIS
> > server)
> > -Persuade victim to run the command "mget", "ls" or
> > "dir" on specially crafted folder using microsoft ftp
> > client
> > -FTP client will crash and payload will get executed
> >
> >
> > Proof Of Concept:
> > http://www.xdisclose.com/poc/mget.bat.txt
> > http://www.xdisclose.com/poc/username.bat.txt
> > http://www.xdisclose.com/poc/directory.bat.txt
> > http://www.xdisclose.com/poc/list.bat.txt
> >
> > Note: Modify POC to connect to lab FTP Server
> > (As of now it will connect to
> > ftp://xdisclose.com)
> >
> > Demonstration:
> > Note: Demonstration leads to crashing of Microsoft FTP
> > Client
> >
> > Download POC rename to .bat file and execute anyone of
> > the batch file
> > http://www.xdisclose.com/poc/mget.bat.txt
> > http://www.xdisclose.com/poc/username.bat.txt
> > http://www.xdisclose.com/poc/directory.bat.txt
> > http://www.xdisclose.com/poc/list.bat.txt
> >
> >
> > Solution:
> > No Solution
> >
> > Screenshot:
> > http://www.xdisclose.com/images/msftpbof.jpg
> >
> >
> > Impact:
> > Successful exploitation may allows execution of
> > arbitrary code with privilege of currently logged in
> > user.
> >
> > Impact of the vulnerability is system level.
> >
> >
> > Original Advisory:
> > http://www.xdisclose.com/advisory/XD100096.html
> >
> > Credits:
> > Rajesh Sethumadhavan has been credited with the
> > discovery of this vulnerability
> >
> >
> > Disclaimer:
> > This entire document is strictly for educational,
> > testing and demonstrating purpose only. Modification
> > use and/or publishing this information is entirely on
> > your own risk. The exploit code/Proof Of Concept is to
> > be used on test environment only. I am not liable for
> > any direct or indirect damages caused as a result of
> > using the information or demonstrations provided in
> > any part of this advisory.
> >
> >
> >
> >
> >
> ____________________________________________________________________________________
> > Never miss a thing. Make Yahoo your home page.
> > http://www.yahoo.com/r/hs
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
> >
> > ________________________________
> > Connect and share in new ways with Windows Live. Connect now!
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20071128/20532e89/attachment-0001.html
------------------------------
Message: 13
Date: Wed, 28 Nov 2007 17:56:41 -0600
From: reepex <reepex@...il.com>
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple
Bufferoverflow Vulnerability
To: "Peter Dawson" <slash.pd@...il.com>,
full-disclosure@...ts.grok.org.uk
Message-ID:
<e9d9d4020711281556g6baf8a8xe228611349b6afb5@...l.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
woah woah watch your words
many people on fd make their career based on 1) and 2) so dont diss them
unless you want to start an e-war
On 11/28/07, Peter Dawson <slash.pd@...il.com> wrote:
>
> Yeah ..
>
> a) "Social engineer victim to open it."
> b) "Persuade victim to run the command "
>
> is kind funky..
>
> On Nov 28, 2007 5:21 PM, Stan Bubrouski < stan.bubrouski@...il.com> wrote:
>
> > Not to mention the obvious fact that if you have to trick someone into
> > running a batch file then you could probably just tell the genius to
> > execute a special EXE you crafted for them.
> >
> > -sb
> >
> > On Nov 28, 2007 4:43 PM, dev code < devcode29@...mail.com> wrote:
> > >
> > > lolerowned, kinda like the 20 other non exploitable stack overflow
> > > exceptions that someone else has been reporting on full disclosure
> > > ________________________________
> > > Date: Wed, 28 Nov 2007 09:11:30 -0600
> > > From: reepex@...il.com
> > > To: rajesh.sethumadhavan@...oo.com ; full-disclosure@...ts.grok.org.uk
> > > Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple
> > Bufferoverflow
> > > Vulnerability
> > >
> > >
> > >
> > > so... what fuzzer that you didnt code did you use to find these
> > amazing
> > > vulns?
> > >
> > > Also nice 'payload' in your exploits meaning 'nice long lists of
> > "a"s'. You
> > > should not claim code execution when your code does not perform it.
> > >
> > > Well I guess it has been good talking until your fuzzer crashes
> > another
> > > application and you copy and paste the results
> > >
> > >
> > > On 11/28/07, Rajesh Sethumadhavan < rajesh.sethumadhavan@...oo.com>
> > wrote:
> > > Microsoft FTP Client Multiple Bufferoverflow
> > > Vulnerability
> > >
> > > #####################################################################
> > >
> > > XDisclose Advisory : XD100096
> > > Vulnerability Discovered: November 20th 2007
> > > Advisory Reported : November 28th 2007
> > > Credit : Rajesh Sethumadhavan
> > >
> > > Class : Buffer Overflow
> > > Denial Of Service
> > > Solution Status : Unpatched
> > > Vendor : Microsoft Corporation
> > > Affected applications : Microsoft FTP Client
> > > Affected Platform : Windows 2000 server
> > > Windows 2000 Professional
> > > Windows XP
> > > (Other Versions may be also effected)
> > >
> > > #####################################################################
> > >
> > >
> > > Overview:
> > > Bufferoverflow vulnerability is discovered in
> > > microsoft ftp client. Attackers can crash the ftp
> > > client of the victim user by tricking the user.
> > >
> > >
> > > Description:
> > > A remote attacker can craft packet with payload in the
> > > "mget", "ls", "dir", "username" and "password"
> > > commands as demonstrated below. When victim execute
> > > POC or specially crafted packets, ftp client will
> > > crash possible arbitrary code execution in contest of
> > > logged in user. This vulnerability is hard to exploit
> > > since it requires social engineering and shellcode has
> > > to be injected as argument in vulnerable commands.
> > >
> > > The vulnerability is caused due to an error in the
> > > Windows FTP client in validating commands like "mget",
> > > "dir", "user", password and "ls"
> > >
> > > Exploitation method:
> > >
> > > Method 1:
> > > -Send POC with payload to user.
> > > -Social engineer victim to open it.
> > >
> > > Method 2:
> > > -Attacker creates a directory with long folder or
> > > filename in his FTP server (should be other than IIS
> > > server)
> > > -Persuade victim to run the command "mget", "ls" or
> > > "dir" on specially crafted folder using microsoft ftp
> > > client
> > > -FTP client will crash and payload will get executed
> > >
> > >
> > > Proof Of Concept:
> > > http://www.xdisclose.com/poc/mget.bat.txt
> > > http://www.xdisclose.com/poc/username.bat.txt
> > > http://www.xdisclose.com/poc/directory.bat.txt
> > > http://www.xdisclose.com/poc/list.bat.txt
> > >
> > > Note: Modify POC to connect to lab FTP Server
> > > (As of now it will connect to
> > > ftp://xdisclose.com)
> > >
> > > Demonstration:
> > > Note: Demonstration leads to crashing of Microsoft FTP
> > > Client
> > >
> > > Download POC rename to .bat file and execute anyone of
> > > the batch file
> > > http://www.xdisclose.com/poc/mget.bat.txt
> > > http://www.xdisclose.com/poc/username.bat.txt
> > > http://www.xdisclose.com/poc/directory.bat.txt
> > > http://www.xdisclose.com/poc/list.bat.txt
> > >
> > >
> > > Solution:
> > > No Solution
> > >
> > > Screenshot:
> > > http://www.xdisclose.com/images/msftpbof.jpg
> > >
> > >
> > > Impact:
> > > Successful exploitation may allows execution of
> > > arbitrary code with privilege of currently logged in
> > > user.
> > >
> > > Impact of the vulnerability is system level.
> > >
> > >
> > > Original Advisory:
> > > http://www.xdisclose.com/advisory/XD100096.html
> > >
> > > Credits:
> > > Rajesh Sethumadhavan has been credited with the
> > > discovery of this vulnerability
> > >
> > >
> > > Disclaimer:
> > > This entire document is strictly for educational,
> > > testing and demonstrating purpose only. Modification
> > > use and/or publishing this information is entirely on
> > > your own risk. The exploit code/Proof Of Concept is to
> > > be used on test environment only. I am not liable for
> > > any direct or indirect damages caused as a result of
> > > using the information or demonstrations provided in
> > > any part of this advisory.
> > >
> > >
> > >
> > >
> > >
> > ____________________________________________________________________________________
> > > Never miss a thing. Make Yahoo your home page.
> > > http://www.yahoo.com/r/hs
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
> > >
> > >
> > > ________________________________
> > > Connect and share in new ways with Windows Live. Connect now!
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
> > >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20071128/f63ff9a4/attachment.html
------------------------------
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
End of Full-Disclosure Digest, Vol 33, Issue 52
***********************************************
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists