[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <702248252.20090902130016@SECURITY.NNOV.RU>
Date: Wed, 2 Sep 2009 13:00:16 +0400
From: "Vladimir '3APA3A' Dubrovin" <3APA3A@...URITY.NNOV.RU>
To: Guido Landi <lists@...mera.org>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com,
Thierry Zoller <Thierry@...ler.lu>
Subject: Re[2]: [Full-disclosure] Microsoft Internet Information Server ftpd zeroday
Dear Guido Landi,
For DoS - yes, you can use existing file, but it's (almost) impossible
to create reliable code excution exploit since you can not (fully)
control return address, like required in JMP ESP technique used in this
exploit.
--Wednesday, September 2, 2009, 12:33:47 PM, you wrote to 3APA3A@...URITY.NNOV.RU:
GL> no, MKDIR is *not* required, also write access is *not* required.
GL> Assuming a directory with a name that starts with "A" exists and that is
GL> at least 14 chars long, this pattern will trigger the overflow:
GL> NLST [Ax206]*/../A*/../A*/../A*/../A*/../A*/../A*/../A*/\r\n
GL> At least on win2k3. Therefore, the workarounds for kb975191 on
GL> microsoft.com are wrong.
GL> Guido Landi
GL> Vladimir '3APA3A' Dubrovin wrote:
>> Dear Thierry Zoller,
>>
>> I think yes, MKDIR is required. It should be variation of
>> S99-003/MS02-018. fuzzer should be very smart to create directory and
>> user both oversized buffer and ../ in NLST - it makes path longer than
>> MAX_PATH with existing directory.
>>
>> --Monday, August 31, 2009, 8:21:12 PM, you wrote to
>> full-disclosure@...ts.grok.org.uk:
>>
>>
>> TZ> Confirmed.
>>
>> TZ> Ask yourselves why your fuzzers haven't found that one - Combination of
>> TZ> MKDIR are required before reaching vuln code ?
>>
>>
>>
>>
>>
GL> _______________________________________________
GL> Full-Disclosure - We believe in it.
GL> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
GL> Hosted and sponsored by Secunia - http://secunia.com/
--
Skype: Vladimir.Dubrovin
~/ZARAZA http://securityvulns.com/
Есть там версии Отелло, где Дездемона душит Мавра. (Лем)
Powered by blists - more mailing lists