Message-ID: <702248252.20090902130016@SECURITY.NNOV.RU>
Date: Wed, 2 Sep 2009 13:00:16 +0400
From: "Vladimir '3APA3A' Dubrovin" <3APA3A@...URITY.NNOV.RU>
To: Guido Landi <lists@...mera.org>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com,
	Thierry Zoller <Thierry@...ler.lu>
Subject: Re[2]: [Full-disclosure] Microsoft Internet Information Server ftpd zeroday

Dear Guido Landi,

For DoS - yes, you can use an existing file, but it's (almost) impossible
to create a reliable code execution exploit since you cannot (fully)
control the return address, as required by the JMP ESP technique used in this
exploit.

--Wednesday, September 2, 2009, 12:33:47 PM, you wrote to 3APA3A@...URITY.NNOV.RU:

GL> no, MKDIR is *not* required, also write access is *not* required.

GL> Assuming a directory with a name that starts with "A" exists and that is
GL> at least 14 chars long, this pattern will trigger the overflow:


GL> NLST [Ax206]*/../A*/../A*/../A*/../A*/../A*/../A*/../A*/\r\n


GL> At least on win2k3. Therefore, the workarounds for kb975191 on
GL> microsoft.com are wrong.
GL> Guido Landi

GL> Vladimir '3APA3A' Dubrovin wrote:
>> Dear Thierry Zoller,
>> 
>> I think yes, MKDIR is required. It should be a variation of
>> S99-003/MS02-018. The fuzzer should be very smart to create a directory and
>> use both an oversized buffer and ../ in NLST - it makes the path longer than
>> MAX_PATH with an existing directory.
>> 
>> --Monday, August 31, 2009, 8:21:12 PM, you wrote to
>> full-disclosure@...ts.grok.org.uk:
>> 
>> 
>> TZ> Confirmed.
>> 
>> TZ> Ask yourselves why your fuzzers haven't found that one - a combination of
>> TZ> MKDIR is required before reaching the vuln code?
>> 

GL> _______________________________________________
GL> Full-Disclosure - We believe in it.
GL> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
GL> Hosted and sponsored by Secunia - http://secunia.com/


-- 
Skype: Vladimir.Dubrovin
~/ZARAZA http://securityvulns.com/
There are versions of Othello out there in which Desdemona strangles the Moor. (Lem)
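The thread above turns on a detail that defeats a naive length check: the raw NLST argument Guido posts is 250 bytes, under the Windows MAX_PATH of 260, and only the server-side expansion of each `A*` wildcard against an existing directory name (14 or more characters) pushes the resolved path past the limit. The following is an added detection example, not code from this thread or from any of its participants; it scans constructed FTP control-channel log lines in a hypothetical "<client> <command> <argument>" format and flags NLST/LIST arguments both by raw length and by repeated wildcard-plus-parent-directory steps, so that the pattern discussed here is caught even though its raw length stays below MAX_PATH.

```python
import re

MAX_PATH = 260  # Windows MAX_PATH; the thread says the *resolved* path exceeds this

# Constructed sample log lines (hypothetical format: "<client> <command> <argument>").
# The third line reproduces the pattern quoted in the thread: 206 'A's followed by
# wildcard/parent-directory steps. Its raw length is 250, i.e. below MAX_PATH.
SAMPLE_LOG = [
    "10.0.0.5 USER anonymous",
    "10.0.0.5 NLST pub/",
    "10.0.0.5 NLST " + "A" * 206 + "*/../A*/../A*/../A*/../A*/../A*/../A*/../A*/",
    "10.0.0.7 LIST -la incoming",
]

# A wildcard immediately followed by a parent-directory step: each such step makes the
# server expand a real directory name and then discard it, which is what inflates the
# resolved path beyond the raw argument length.
TRAVERSAL_RE = re.compile(r"\*/\.\./")


def parse_line(line):
    """Split a log line into (client, command, argument); returns None if malformed."""
    parts = line.split(" ", 2)
    if len(parts) < 2:
        return None
    client, cmd = parts[0], parts[1].upper()
    arg = parts[2] if len(parts) == 3 else ""
    return client, cmd, arg


def classify(arg):
    """Return the list of reasons a listing argument looks suspicious (empty if benign)."""
    reasons = []
    if len(arg) > MAX_PATH:
        reasons.append("argument longer than MAX_PATH")
    steps = len(TRAVERSAL_RE.findall(arg))
    if steps >= 2:
        # Two or more wildcard/parent-dir steps: the expanded path can exceed MAX_PATH
        # even when the raw argument does not, exactly the case in the thread.
        reasons.append(f"{steps} wildcard/parent-dir steps")
    return reasons


def scan(lines):
    """Scan log lines and return (client, command, raw_length, reasons) for each alert."""
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, cmd, arg = parsed
        if cmd not in ("NLST", "LIST"):
            continue
        reasons = classify(arg)
        if reasons:
            alerts.append((client, cmd, len(arg), reasons))
    return alerts


if __name__ == "__main__":
    for client, cmd, length, reasons in scan(SAMPLE_LOG):
        print(f"{client} {cmd} (raw length {length}): {'; '.join(reasons)}")
```

On the constructed sample the length check alone stays silent (250 < 260) and only the step counter fires, which is the practical lesson of Guido's point: a workaround that limits argument length or denies write access does not remove the trigger, because the overflow depends on what the argument expands to on the server, not on its size on the wire.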
