| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20080311102948.27723.qmail@s453.sureserver.com> Date: Tue, 11 Mar 2008 10:29:48 +0000 From: <titon@...tardlabs.com> To: Luigi Auriemma <aluigi@...istici.org> Cc: vuln@...unia.com, full-disclosure@...ts.grok.org.uk, packet@...ketstormsecurity.org, bugtraq@...urityfocus.com, news@...uriteam.com Subject: Re: Vulnerabilities in Timbuktu Pro 8.6.5 >#################################### > Luigi Auriemma > > Application: Timbuktu Pro Remote Control Software > [...snip...] > ------------------------------------- > B] limited upload directory traversal > ------------------------------------- > [...snip...] > Currently I have found no ways to bypass this limitation. Nice find ! But do you realize that this is public since July 07 ? If not, you may want to read this: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=589 and this http://www.milw0rm.com/exploits/4455 All you had to do was add as many "\" as you want at the beginning of the filename string. (i.e "\../../../pwn3d.exe") Also, to overwrite existing files, try to break the connection before the final "\xfe", the program will create a notepad2.exe, but then it will delete the real notepad.exe. After that, all you have to do is loop again to re-create the file with your own content. > ====== > 4) Fix > ====== > No fix I assume you contacted the vendor before disclosing this ? http://www.netopia.com/corp/contact_us.html titon. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists