Message-ID: <8f1f7b60711281534p554ccdb1mea0fd20826625658@mail.gmail.com>
Date: Wed, 28 Nov 2007 18:34:47 -0500
From: "Peter Dawson" <slash.pd@...il.com>
To: "Stan Bubrouski" <stan.bubrouski@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Microsoft FTP Client Multiple Bufferoverflow Vulnerability
Yeah..
a) "Social engineer victim to open it."
b) "Persuade victim to run the command "
is kind of funky..
On Nov 28, 2007 5:21 PM, Stan Bubrouski <stan.bubrouski@...il.com> wrote:
> Not to mention the obvious fact that if you have to trick someone into
> running a batch file then you could probably just tell the genius to
> execute a special EXE you crafted for them.
>
> -sb
>
> On Nov 28, 2007 4:43 PM, dev code <devcode29@...mail.com> wrote:
> >
> > lolerowned, kinda like the 20 other non-exploitable stack overflow
> > exceptions that someone else has been reporting on full disclosure
> > ________________________________
> > Date: Wed, 28 Nov 2007 09:11:30 -0600
> > From: reepex@...il.com
> > To: rajesh.sethumadhavan@...oo.com; full-disclosure@...ts.grok.org.uk
> > Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow Vulnerability
> >
> > so... what fuzzer that you didn't code did you use to find these amazing
> > vulns?
> >
> > Also nice 'payload' in your exploits meaning 'nice long lists of "a"s'. You
> > should not claim code execution when your code does not perform it.
> >
> > Well I guess it has been good talking until your fuzzer crashes another
> > application and you copy and paste the results.
> >
> >
> > On 11/28/07, Rajesh Sethumadhavan <rajesh.sethumadhavan@...oo.com> wrote:
> > Microsoft FTP Client Multiple Bufferoverflow Vulnerability
> >
> > #####################################################################
> >
> > XDisclose Advisory : XD100096
> > Vulnerability Discovered : November 20th 2007
> > Advisory Reported : November 28th 2007
> > Credit : Rajesh Sethumadhavan
> >
> > Class : Buffer Overflow, Denial Of Service
> > Solution Status : Unpatched
> > Vendor : Microsoft Corporation
> > Affected applications : Microsoft FTP Client
> > Affected Platform : Windows 2000 Server, Windows 2000 Professional, Windows XP
> > (Other versions may also be affected)
> >
> > #####################################################################
> >
> >
> > Overview:
> > A buffer overflow vulnerability has been discovered in the
> > Microsoft FTP client. Attackers can crash the victim's FTP
> > client by tricking the user.
> >
> >
> > Description:
> > A remote attacker can craft a packet with a payload in the
> > "mget", "ls", "dir", "username" and "password"
> > commands as demonstrated below. When the victim executes the
> > POC or specially crafted packets, the FTP client will
> > crash, with possible arbitrary code execution in the context of
> > the logged-in user. This vulnerability is hard to exploit
> > since it requires social engineering, and the shellcode has
> > to be injected as an argument to the vulnerable commands.
> >
> > The vulnerability is caused by an error in the
> > Windows FTP client in validating commands like "mget",
> > "dir", "user", "password" and "ls".
> >
> > Exploitation method:
> >
> > Method 1:
> > -Send the POC with payload to the user.
> > -Social engineer victim to open it.
> >
> > Method 2:
> > -The attacker creates a directory with a long folder or
> > file name on his FTP server (should be other than an IIS
> > server).
> > -Persuade victim to run the command "mget", "ls" or
> > "dir" on the specially crafted folder using the Microsoft FTP
> > client.
> > -The FTP client will crash and the payload will get executed.
> >
> >
> > Proof Of Concept:
> > http://www.xdisclose.com/poc/mget.bat.txt
> > http://www.xdisclose.com/poc/username.bat.txt
> > http://www.xdisclose.com/poc/directory.bat.txt
> > http://www.xdisclose.com/poc/list.bat.txt
> >
> > Note: Modify the POC to connect to a lab FTP server
> > (as of now it will connect to
> > ftp://xdisclose.com)
> >
> > Demonstration:
> > Note: The demonstration leads to a crash of the Microsoft FTP
> > client.
> >
> > Download the POC, rename it to a .bat file and execute any one of
> > the batch files:
> > http://www.xdisclose.com/poc/mget.bat.txt
> > http://www.xdisclose.com/poc/username.bat.txt
> > http://www.xdisclose.com/poc/directory.bat.txt
> > http://www.xdisclose.com/poc/list.bat.txt
> >
> >
> > Solution:
> > No Solution
> >
> > Screenshot:
> > http://www.xdisclose.com/images/msftpbof.jpg
> >
> >
> > Impact:
> > Successful exploitation may allow execution of
> > arbitrary code with the privileges of the currently logged-in
> > user.
> >
> > Impact of the vulnerability is system level.
> >
> >
> > Original Advisory:
> > http://www.xdisclose.com/advisory/XD100096.html
> >
> > Credits:
> > Rajesh Sethumadhavan has been credited with the
> > discovery of this vulnerability
> >
> >
> > Disclaimer:
> > This entire document is strictly for educational,
> > testing and demonstration purposes only. Modification,
> > use and/or publishing of this information is entirely at
> > your own risk. The exploit code/Proof Of Concept is to
> > be used in a test environment only. I am not liable for
> > any direct or indirect damages caused as a result of
> > using the information or demonstrations provided in
> > any part of this advisory.
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
> >
>
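The advisory quoted in this thread attributes the crash to the FTP client failing to validate the length of names it receives for "mget", "ls" and "dir". The following is an added example written for this page; it is not code from the advisory, from the thread's participants, or from Microsoft. It shows the bounded check a client should perform before copying a server-supplied name into a fixed-size buffer, and an audit that counts the entries in a directory listing such a buffer could not hold. The 260-byte limit is an assumption mirroring Windows' MAX_PATH, the listing is constructed rather than captured from any real server, and all function names are the example's own.

```c
/* Added example: not code from the advisory, the thread, or Microsoft.
 * The advisory says the client mishandles over-long names passed to
 * mget/ls/dir.  This shows the length check a client should make before
 * copying a server-supplied name into a fixed buffer, and an audit that
 * counts entries in a directory listing that such a buffer could not hold. */
#include <stdio.h>
#include <string.h>

/* Assumption: the client holds one path in a MAX_PATH-sized buffer.
   Windows defines MAX_PATH as 260; the limit here mirrors it. */
#define PATH_LIMIT 260

enum arg_status { ARG_OK = 0, ARG_TOO_LONG = 1, ARG_BAD_CHAR = 2 };

/* Hardened copy: refuse the name unless it fits in dst with its NUL,
   and refuse control characters, which a directory entry never needs. */
enum arg_status copy_path_arg(char *dst, size_t dst_size, const char *name)
{
    size_t len = strlen(name);
    if (len >= dst_size)
        return ARG_TOO_LONG;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c < 0x20 || c == 0x7f)
            return ARG_BAD_CHAR;
    }
    memcpy(dst, name, len + 1);
    return ARG_OK;
}

/* Convenience wrapper: validate a name against a PATH_LIMIT-sized buffer. */
enum arg_status check_path_arg(const char *name)
{
    char buf[PATH_LIMIT];
    return copy_path_arg(buf, sizeof buf, name);
}

/* Count entries of a CRLF-separated listing (NLST style) that would not
   fit in a buffer of `limit` bytes.  A client that copies each entry
   without the check above is where a crash of this kind comes from. */
size_t count_oversized_entries(const char *listing, size_t limit)
{
    size_t oversized = 0;
    const char *p = listing;
    while (*p != '\0') {
        const char *end = strstr(p, "\r\n");
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len >= limit)
            oversized++;
        if (end == NULL)
            break;
        p = end + 2;
    }
    return oversized;
}

/* Constructed helper: a name of n 'a' characters (capped at 511). */
const char *long_name(size_t n)
{
    static char buf[512];
    if (n >= sizeof buf)
        n = sizeof buf - 1;
    memset(buf, 'a', n);
    buf[n] = '\0';
    return buf;
}

/* Constructed sample listing (not captured from any real server):
   a normal entry, a 304-character name, and another normal entry. */
const char *sample_listing(void)
{
    static char listing[640];
    snprintf(listing, sizeof listing, "readme.txt\r\n%s.txt\r\nnotes\r\n",
             long_name(300));
    return listing;
}

int main(void)
{
    const char *listing = sample_listing();
    printf("entries too long for a %d-byte buffer: %zu\n",
           PATH_LIMIT, count_oversized_entries(listing, PATH_LIMIT));
    printf("readme.txt -> %d, 300 x 'a' -> %d\n",
           check_path_arg("readme.txt"), check_path_arg(long_name(300)));
    return 0;
}
```

The check is deliberately made before any copy happens: the point of the advisory's crash is that the copy into the fixed buffer is the unsafe step, so a client gains nothing from validating afterwards. The same audit can be run by whoever administers an FTP server over its own tree, to spot names that older clients are known to choke on.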