Message-ID: <122827b90711281421u64663492jadd2b4d101d9fd45@mail.gmail.com>
Date: Wed, 28 Nov 2007 17:21:54 -0500
From: "Stan Bubrouski" <stan.bubrouski@...il.com>
To: "dev code" <devcode29@...mail.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Microsoft FTP Client Multiple Bufferoverflow Vulnerability

Not to mention the obvious fact that if you have to trick someone into
running a batch file then you could probably just tell the genius to
execute a special EXE you crafted for them.

-sb

On Nov 28, 2007 4:43 PM, dev code <devcode29@...mail.com> wrote:
>
>  lolerowned, kinda like the 20 other non exploitable stack overflow
> exceptions that someone else has been reporting on full disclosure
> ________________________________
> Date: Wed, 28 Nov 2007 09:11:30 -0600
> From: reepex@...il.com
> To: rajesh.sethumadhavan@...oo.com; full-disclosure@...ts.grok.org.uk
> Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow
> Vulnerability
>
>
>
> so... what fuzzer that you didn't code did you use to find these amazing
> vulns?
>
> Also nice 'payload' in your exploits meaning 'nice long lists of "a"s'. You
> should not claim code execution when your code does not perform it.
>
> Well I guess it has been good talking until your fuzzer crashes another
> application and you copy and paste the results.
>
>
> On 11/28/07, Rajesh Sethumadhavan <rajesh.sethumadhavan@...oo.com> wrote:
> Microsoft FTP Client Multiple Bufferoverflow
> Vulnerability
>
> #####################################################################
>
> XDisclose Advisory      : XD100096
> Vulnerability Discovered: November 20th 2007
> Advisory Reported       : November 28th 2007
> Credit                  : Rajesh Sethumadhavan
>
> Class                   : Buffer Overflow
>                          Denial Of Service
> Solution Status         : Unpatched
> Vendor                  : Microsoft Corporation
> Affected applications   : Microsoft FTP Client
> Affected Platform       : Windows 2000 server
>                          Windows 2000 Professional
>                          Windows XP
>                          (Other versions may also be affected)
>
> #####################################################################
>
>
> Overview:
> A buffer overflow vulnerability has been discovered in the
> Microsoft FTP client. Attackers can crash the FTP
> client of the victim user by tricking the user.
>
>
> Description:
> A remote attacker can craft a packet with a payload in the
> "mget", "ls", "dir", "username" and "password"
> commands as demonstrated below. When the victim executes the
> POC or specially crafted packets, the FTP client will
> crash, possibly allowing arbitrary code execution in the context of
> the logged-in user. This vulnerability is hard to exploit
> since it requires social engineering and shellcode has
> to be injected as an argument to the vulnerable commands.
>
> The vulnerability is caused by an error in the
> Windows FTP client in validating commands like "mget",
> "dir", "user", "password" and "ls".
>
> Exploitation method:
>
> Method 1:
> -Send POC with payload to user.
> -Social engineer victim to open it.
>
> Method 2:
> -Attacker creates a directory with a long folder or
> file name on his FTP server (should be other than an IIS
> server)
> -Persuade the victim to run the command "mget", "ls" or
> "dir" on the specially crafted folder using the Microsoft FTP
> client
> -The FTP client will crash and the payload will get executed
>
>
> Proof Of Concept:
> http://www.xdisclose.com/poc/mget.bat.txt
> http://www.xdisclose.com/poc/username.bat.txt
> http://www.xdisclose.com/poc/directory.bat.txt
> http://www.xdisclose.com/poc/list.bat.txt
>
> Note: Modify POC to connect to lab FTP Server
>      (As of now it will connect to
> ftp://xdisclose.com)
>
> Demonstration:
> Note: Demonstration leads to crashing of Microsoft FTP
> Client
>
> Download the POC, rename it to a .bat file and execute any one of
> the batch files
> http://www.xdisclose.com/poc/mget.bat.txt
> http://www.xdisclose.com/poc/username.bat.txt
> http://www.xdisclose.com/poc/directory.bat.txt
> http://www.xdisclose.com/poc/list.bat.txt
>
>
> Solution:
> No Solution
>
> Screenshot:
> http://www.xdisclose.com/images/msftpbof.jpg
>
>
> Impact:
> Successful exploitation may allow execution of
> arbitrary code with the privileges of the currently logged-in
> user.
>
> Impact of the vulnerability is system level.
>
>
> Original Advisory:
> http://www.xdisclose.com/advisory/XD100096.html
>
> Credits:
> Rajesh Sethumadhavan is credited with the
> discovery of this vulnerability.
>
>
> Disclaimer:
> This entire document is strictly for educational,
> testing and demonstrating purpose only. Modification
> use and/or publishing this information is entirely on
> your own risk. The exploit code/Proof Of Concept is to
> be used on test environment only. I am not liable for
> any direct or indirect damages caused as a result of
> using the information or demonstrations provided in
> any part of this advisory.
>
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
>

