lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20041016102609.17319.qmail@www.securityfocus.com>
Date: 16 Oct 2004 10:26:09 -0000
From: bil <bil_912@...lgoose.com>
To: bugtraq@...urityfocus.com
Subject: Re: Directory traversal in Yak! 2.1.2


In-Reply-To: <20041015193318.3257e4eb.aluigi@...istici.org>

===========================================================================
in a previous post i reported this issue.
http://www.securityfocus.com/bid/8581/
http://cert.uni-stuttgart.de/archive/bugtraq/2003/11/msg00222.html

i'm NOT sure if the PUT commands works perfectly. coz with the versions i played with, i couldnt upload files succesfully

and a password calculator is'nt required to know the passwords. just a little sniffer would reveal the username and password clearly.
===========================================================================


>Received: (qmail 30088 invoked from network); 15 Oct 2004 19:53:23 -0000
>Received: from outgoing.securityfocus.com (HELO outgoing3.securityfocus.com) (205.206.231.27)
>  by mail.securityfocus.com with SMTP; 15 Oct 2004 19:53:23 -0000
>Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
>	by outgoing3.securityfocus.com (Postfix) with QMQP
>	id 9C45C236F8D; Fri, 15 Oct 2004 11:23:39 -0600 (MDT)
>Mailing-List: contact bugtraq-help@...urityfocus.com; run by ezmlm
>Precedence: bulk
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <mailto:bugtraq@...urityfocus.com>
>List-Help: <mailto:bugtraq-help@...urityfocus.com>
>List-Unsubscribe: <mailto:bugtraq-unsubscribe@...urityfocus.com>
>List-Subscribe: <mailto:bugtraq-subscribe@...urityfocus.com>
>Delivered-To: mailing list bugtraq@...urityfocus.com
>Delivered-To: moderator for bugtraq@...urityfocus.com
>Received: (qmail 4069 invoked from network); 15 Oct 2004 11:14:25 -0000
>Date: Fri, 15 Oct 2004 19:33:18 +0000
>From: Luigi Auriemma <aluigi@...istici.org>
>To: bugtraq@...urityfocus.com, bugs@...uritytracker.com,
>	news@...uriteam.com, full-disclosure@...ts.netsys.com,
>	vuln@...unia.com
>Subject: Directory traversal in Yak! 2.1.2
>Message-Id: <20041015193318.3257e4eb.aluigi@...istici.org>
>Mime-Version: 1.0
>Content-Type: text/plain; charset=US-ASCII
>Content-Transfer-Encoding: 7bit
>X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at autistici.org
>
>
>#######################################################################
>
>                             Luigi Auriemma
>
>Application:  Yak!
>              http://www.digicraft.com.au/yak/
>Versions:     <= 2.1.2
>Platforms:    Windows
>Bug:          directory traversal (upload)
>Exploitation: remote
>Date:         15 October 2004
>Author:       Luigi Auriemma
>              e-mail: aluigi@...ervista.org
>              web:    http://aluigi.altervista.org
>
>
>#######################################################################
>
>
>1) Introduction
>2) Bug
>3) The Code
>4) Fix
>
>
>#######################################################################
>
>===============
>1) Introduction
>===============
>
>
>Yak! is a serverless chat system for Windows that lets people to chat
>and to exchange files.
>
>
>#######################################################################
>
>======
>2) Bug
>======
>
>
>When the program starts it creates an username and password for each
>IP address of the computer's network interfaces.
>These login informations are needed to grant the access to the built-in
>FTP server (used only to receive files) to other Yak! hosts.
>
>The problem is just in this FTP server because the input of the clients
>is not filtered so is possible to upload files everywhere in the disk
>on which is located the upload directory of Yak! (by default the system's
>temporary folder) overwriting those existent.
>
>Naturally is also possible to see any remote directory and file (but
>seems only c: can be surfed also if the upload folder is set on another
>disk) while download is avoided by the program because it has been
>designed to receive files only.
>
>
>#######################################################################
>
>===========
>3) The Code
>===========
>
>
>Do the following operations:
>
>Download my "Yak! username and password calculator"
>http://aluigi.altervista.org/papers/yakcalc.zip to retrieve the
>username and password to access to the FTP server of a specific Yak!
>host.
>
>Then connect to the Yak! FTP port, usually 3535:
>
> C:\>ftp
> ftp> open HOST 3535
>
>Enter the calculated username and password and upload your files like
>in the following example:
>
> dir /
> dir ../../windows/
>
> put
>   evil.exe
>   ../../windows/calc.exe
>
>(slash and backslash have the same effect)
>
>
>#######################################################################
>
>======
>4) Fix
>======
>
>
>No fix.
>Vendor has been contacted exactly one month ago but no patch is
>available.
>
>
>#######################################################################
>
>
>--- 
>Luigi Auriemma
>http://aluigi.altervista.org
>
>


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ