lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20080311102948.27723.qmail@s453.sureserver.com>
Date: Tue, 11 Mar 2008 10:29:48 +0000
From: <titon@...tardlabs.com>
To: Luigi Auriemma <aluigi@...istici.org>
Cc: bugtraq@...urityfocus.com, news@...uriteam.com,
	full-disclosure@...ts.grok.org.uk, vuln@...unia.com,
	packet@...ketstormsecurity.org
Subject: Re: [Full-disclosure] Vulnerabilities in Timbuktu Pro 8.6.5

>####################################
>                           Luigi Auriemma
>
> Application:  Timbuktu Pro Remote Control Software
> [...snip...]
> -------------------------------------
> B] limited upload directory traversal
> -------------------------------------
> [...snip...]
> Currently I have found no ways to bypass this limitation.

Nice find ! But do you realize that this is public since July 07 ?
If not, you may want to read this:

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=589
and this
http://www.milw0rm.com/exploits/4455

All you had to do was add as many "\" as you want at the beginning 
of the filename string. (i.e "\../../../pwn3d.exe")

Also, to overwrite existing files, try to break the connection 
before the final "\xfe", the program will create a notepad2.exe, 
but then it will delete the real notepad.exe. After that, all you have 
to do is loop again to re-create the file with your own content.

> ======
> 4) Fix
> ======
> No fix

I assume you contacted the vendor before disclosing this ?
http://www.netopia.com/corp/contact_us.html

titon.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ