Full Disclosure mailing list archives
Re: Full-Disclosure Digest, Vol 33, Issue 52
From: admin () pacheco-family net
Date: Thu, 29 Nov 2007 00:25:38 +0000
Sent via BlackBerry from T-Mobile

-----Original Message-----
From: full-disclosure-request () lists grok org uk
Date: Wed, 28 Nov 2007 23:56:50
To: full-disclosure () lists grok org uk
Subject: Full-Disclosure Digest, Vol 33, Issue 52

Send Full-Disclosure mailing list submissions to
full-disclosure () lists grok org uk

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.grok.org.uk/mailman/listinfo/full-disclosure
or, via email, send a message with subject or body 'help' to
full-disclosure-request () lists grok org uk

You can reach the person managing the list at
full-disclosure-owner () lists grok org uk

When replying, please edit your Subject line so it is more specific than "Re: Contents of Full-Disclosure digest..."

Note to digest recipients - when replying to digest posts, please trim your post appropriately. Thank you.

Today's Topics:

1. Re: Microsoft FTP Client Multiple Bufferoverflow Vulnerability (Tonnerre Lombard)
2. Re: Microsoft FTP Client Multiple Bufferoverflow Vulnerability (KJK::Hyperion)
3. Re: Microsoft FTP Client Multiple Bufferoverflow Vulnerability (Tonnerre Lombard)
4. Re: Microsoft FTP Client Multiple Bufferoverflow Vulnerability (reepex)
5. Secunia Research: Symantec Backup Exec Job Engine Denial of Service (Secunia Research)
6. Re: Microsoft FTP Client Multiple Bufferoverflow Vulnerability (Valdis.Kletnieks () vt edu)
7. [ MDKSA-2007:232 ] - Updated kernel packages fix multiple vulnerabilities and bugs (security () mandriva com)
8. Re: Microsoft FTP Client Multiple Bufferoverflow Vulnerability (dev code)
9. Re: Microsoft FTP Client Multiple Bufferoverflow Vulnerability (Stan Bubrouski)
10. [ MDKSA-2007:233 ] - Updated cpio package fixes buffer overflow and directory traversal vulnerabilities (security () mandriva com)
11. [ MDKSA-2007:233 ] - Updated cpio package fixes buffer overflow and directory traversal vulnerabilities (security () mandriva com)
12. Re: Microsoft FTP Client Multiple Bufferoverflow Vulnerability (Peter Dawson)
13. Re: Microsoft FTP Client Multiple Bufferoverflow Vulnerability (reepex)

----------------------------------------------------------------------

Message: 1
Date: Wed, 28 Nov 2007 12:44:11 +0100
From: Tonnerre Lombard <tonnerre.lombard () sygroup ch>
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow Vulnerability
To: full-disclosure () lists grok org uk
Message-ID: <20071128124411.7c0e55a4 () wssyg114 sygroup-int ch>
Content-Type: text/plain; charset="iso-8859-1"

Hi,

On Wed, 28 Nov 2007 12:05:24 +0100 "KJK::Hyperion" <hackbunny () s0ftpj org> wrote:
> Rajesh Sethumadhavan wrote:
> > Microsoft FTP Client Multiple Bufferoverflow Vulnerability
>
> Isn't the FTP client compiled with stack overflow protection?

If so, how is that supposed to help?

Tonnerre
--
SyGroup GmbH
Tonnerre Lombard
Solutions Systematiques
Tel: +41 61 333 80 33
Güterstrasse 86
Fax: +41 61 383 14 67
4053 Basel
Web: www.sygroup.ch
tonnerre.lombard () sygroup ch

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 824 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20071128/495fddbb/attachment-0001.bin

------------------------------

Message: 2
Date: Wed, 28 Nov 2007 13:16:34 +0100
From: "KJK::Hyperion" <hackbunny () s0ftpj org>
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow Vulnerability
To: full-disclosure () lists grok org uk
Message-ID: <474D5C22.2080608 () s0ftpj org>
Content-Type: text/plain; charset=ISO-8859-1

Tonnerre Lombard wrote:
> > > Microsoft FTP Client Multiple Bufferoverflow Vulnerability
> > Isn't the FTP client compiled with stack overflow protection?
> If so, how is that supposed to help?

By terminating the program before the payload is executed

------------------------------

Message: 3
Date: Wed, 28 Nov 2007 15:49:34 +0100
From: Tonnerre Lombard <tonnerre.lombard () sygroup ch>
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow Vulnerability
To: full-disclosure () lists grok org uk
Message-ID: <20071128154934.29ad2810 () wssyg114 sygroup-int ch>
Content-Type: text/plain; charset="iso-8859-1"

Hi,

On Wed, 28 Nov 2007 13:16:34 +0100 "KJK::Hyperion" <hackbunny () s0ftpj org> wrote:
> Tonnerre Lombard wrote:
> > > > Microsoft FTP Client Multiple Bufferoverflow Vulnerability
> > > Isn't the FTP client compiled with stack overflow protection?
> > If so, how is that supposed to help?
> By terminating the program before the payload is executed

May I suggest that this protection is not perfect? I was hoping that people on this mailing list consider this to be an established fact.

Tonnerre
--
SyGroup GmbH
Tonnerre Lombard
Solutions Systematiques
Tel: +41 61 333 80 33
Güterstrasse 86
Fax: +41 61 383 14 67
4053 Basel
Web: www.sygroup.ch
tonnerre.lombard () sygroup ch

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 824 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20071128/70c9c965/attachment-0001.bin

------------------------------

Message: 4
Date: Wed, 28 Nov 2007 09:11:30 -0600
From: reepex <reepex () gmail com>
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow Vulnerability
To: "Rajesh Sethumadhavan" <rajesh.sethumadhavan () yahoo com>, full-disclosure () lists grok org uk
Message-ID: <e9d9d4020711280711v61ee588djd829a935e0e61152 () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

so... what fuzzer that you didn't code did you use to find these amazing vulns? Also nice 'payload' in your exploits meaning 'nice long lists of "a"s'. You should not claim code execution when your code does not perform it. Well I guess it has been good talking until your fuzzer crashes another application and you copy and paste the results

On 11/28/07, Rajesh Sethumadhavan <rajesh.sethumadhavan () yahoo com> wrote:
> Microsoft FTP Client Multiple Bufferoverflow Vulnerability
>
> #####################################################################
> XDisclose Advisory : XD100096
> Vulnerability Discovered: November 20th 2007
> Advisory Reported : November 28th 2007
> Credit : Rajesh Sethumadhavan
> Class : Buffer Overflow
> Denial Of Service
> Solution Status : Unpatched
> Vendor : Microsoft Corporation
> Affected applications : Microsoft FTP Client
> Affected Platform : Windows 2000 Server
> Windows 2000 Professional
> Windows XP
> (Other versions may also be affected)
> #####################################################################
>
> Overview:
>
> A buffer overflow vulnerability has been discovered in the Microsoft FTP client. Attackers can crash the FTP client of the victim user by tricking the user.
>
> Description:
>
> A remote attacker can craft a packet with a payload in the "mget", "ls", "dir", "username" and "password" commands as demonstrated below. When the victim executes the POC or specially crafted packets, the FTP client will crash, with possible arbitrary code execution in the context of the logged-in user.
>
> This vulnerability is hard to exploit since it requires social engineering and shellcode has to be injected as an argument to the vulnerable commands.
>
> The vulnerability is caused by an error in the Windows FTP client in validating commands like "mget", "dir", "user", "password" and "ls".
>
> Exploitation method:
>
> Method 1:
> - Send POC with payload to user.
> - Social engineer victim to open it.
>
> Method 2:
> - Attacker creates a directory with a long folder or file name on his FTP server (should be other than IIS server)
> - Persuade victim to run the command "mget", "ls" or "dir" on the specially crafted folder using the Microsoft FTP client
> - FTP client will crash and payload will get executed
>
> Proof Of Concept:
> http://www.xdisclose.com/poc/mget.bat.txt
> http://www.xdisclose.com/poc/username.bat.txt
> http://www.xdisclose.com/poc/directory.bat.txt
> http://www.xdisclose.com/poc/list.bat.txt
>
> Note: Modify POC to connect to lab FTP Server (As of now it will connect to ftp://xdisclose.com)
>
> Demonstration:
>
> Note: Demonstration leads to crashing of Microsoft FTP Client
>
> Download the POC, rename it to a .bat file and execute any one of the batch files
> http://www.xdisclose.com/poc/mget.bat.txt
> http://www.xdisclose.com/poc/username.bat.txt
> http://www.xdisclose.com/poc/directory.bat.txt
> http://www.xdisclose.com/poc/list.bat.txt
>
> Solution:
> No Solution
>
> Screenshot:
> http://www.xdisclose.com/images/msftpbof.jpg
>
> Impact:
> Successful exploitation may allow execution of arbitrary code with the privileges of the currently logged-in user. Impact of the vulnerability is system level.
>
> Original Advisory:
> http://www.xdisclose.com/advisory/XD100096.html
>
> Credits:
> Rajesh Sethumadhavan has been credited with the discovery of this vulnerability
>
> Disclaimer:
> This entire document is strictly for educational, testing and demonstration purposes only. Modification, use and/or publishing of this information is entirely at your own risk. The exploit code/Proof Of Concept is to be used in a test environment only. I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20071128/cb276e93/attachment-0001.html

------------------------------

Message: 5
Date: Wed, 28 Nov 2007 10:43:42 +0100
From: Secunia Research <remove-vuln () secunia com>
Subject: [Full-disclosure] Secunia Research: Symantec Backup Exec Job Engine Denial of Service
To: full-disclosure () lists grok org uk
Message-ID: <1196243023.25960.307.camel@ts2.intnet>
Content-Type: text/plain

======================================================================

Secunia Research 28/11/2007

- Symantec Backup Exec Job Engine Denial of Service -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

======================================================================
1) Affected Software

* Symantec Backup Exec for Windows Servers version 11d (11.0 rev 7170)

NOTE: Other versions may also be affected.

======================================================================
2) Severity

Rating: Less Critical
Impact: Denial of Service
Where: Local network

======================================================================
3) Vendor's Description of Software

"Symantec Backup Exec 11d for Windows Servers is the gold standard in Windows data recovery, providing cost-effective, high-performance, and certified disk-to-disk-to-tape backup and recovery, with available continuous data protection for Microsoft Exchange, SQL, file servers, and workstations. High-performance agents and options provide fast, flexible, granular protection and recovery, and scalable management of local and remote server backups."

Product Link:
http://www.symantec.com/business/products/overview.jsp?pcid=2244&pvid=57_1

======================================================================
4) Description of Vulnerability

Secunia Research has discovered some vulnerabilities in Symantec Backup Exec for Windows Servers, which can be exploited by malicious people to cause a DoS (Denial of Service).

1) A NULL-pointer dereference error in the Backup Exec Job Engine service (bengine.exe) when handling exceptions can be exploited to crash the service by sending a specially crafted packet to default port 5633/TCP.

2) Two integer overflow errors within the Backup Exec Job Engine service can be exploited to e.g. cause the service to enter an infinite loop and exhaust all available memory or consume large amounts of CPU resource by sending a specially crafted packet to default port 5633/TCP.

======================================================================
5) Solution

Apply hotfixes.

Build 11.0.6235:
http://support.veritas.com/docs/294241

Build 11.0.7170:
http://support.veritas.com/docs/294237

======================================================================
6) Time Table

02/10/2007 - Vendor notified.
02/10/2007 - Vendor replied.
28/11/2007 - Public disclosure.

======================================================================
7) Credits

Discovered by JJ Reyes, Secunia Research.

======================================================================
8) References

SYM07-029:
http://securityresponse.symantec.com/avcenter/security/Content/2007.11.27.html

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2007-4346 (NULL pointer dereference error) and CVE-2007-4347 (integer overflows) for the vulnerabilities.

======================================================================
9) About Secunia

Secunia offers vulnerability management solutions to corporate customers with verified and reliable vulnerability intelligence relevant to their specific system configuration:
http://corporate.secunia.com/

Secunia also provides a publicly accessible and comprehensive advisory database as a service to the security community and private individuals, who are interested in or concerned about IT-security.
http://secunia.com/

Secunia believes that it is important to support the community and to do active vulnerability research in order to aid improving the security and reliability of software in general:
http://corporate.secunia.com/secunia_research/33/

Secunia regularly hires new skilled team members. Check the URL below to see currently vacant positions:
http://secunia.com/secunia_vacancies/

Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/secunia_security_advisories/

======================================================================
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2007-74/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================

------------------------------

Message: 6
Date: Wed, 28 Nov 2007 12:27:14 -0500
From: Valdis.Kletnieks () vt edu
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow Vulnerability
To: "KJK::Hyperion" <hackbunny () s0ftpj org>
Cc: full-disclosure () lists grok org uk
Message-ID: <20490.1196270834 () turing-police cc vt edu>
Content-Type: text/plain; charset="us-ascii"

On Wed, 28 Nov 2007 12:05:24 +0100, "KJK::Hyperion" said:
> Rajesh Sethumadhavan wrote:
> > Microsoft FTP Client Multiple Bufferoverflow Vulnerability
>
> Isn't the FTP client compiled with stack overflow protection?

Not all buffers live on the stack.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20071128/c18cf28e/attachment-0001.bin

------------------------------

Message: 7
Date: Wed, 28 Nov 2007 13:46:27 -0700
From: security () mandriva com
Subject: [Full-disclosure] [ MDKSA-2007:232 ] - Updated kernel packages fix multiple vulnerabilities and bugs
To: full-disclosure () lists grok org uk
Message-ID: <E1IxTnf-0003M2-Q8 () artemis annvix ca>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDKSA-2007:232
http://www.mandriva.com/security/
_______________________________________________________________________

Package : kernel
Date : November 28, 2007
Affected: 2008.0
_______________________________________________________________________

Problem Description:

Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel:

The minix filesystem code allows local users to cause a denial of service (hang) via a malformed minix file stream (CVE-2006-6058).

An integer underflow in the Linux kernel prior to 2.6.23 allows remote attackers to cause a denial of service (crash) via a crafted SKB length value in a runt IEEE 802.11 frame when the IEEE80211_STYPE_QOS_DATA flag is set (CVE-2007-4997).
To update your kernel, please follow the directions located at:
http://www.mandriva.com/en/security/kernelupdate
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6058
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4997
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2008.0:
5c1343b5d8ffdced8a3976f204f51525 2008.0/i586/kernel-2.6.22.12-1mdv-1-1mdv2008.0.i586.rpm
35d9b9d32b2dea3ced31c287dc48e7b5 2008.0/i586/kernel-desktop-2.6.22.12-1mdv-1-1mdv2008.0.i586.rpm
a0f6e8a00bcb369f60b42eda0a31e9a4 2008.0/i586/kernel-desktop-devel-2.6.22.12-1mdv-1-1mdv2008.0.i586.rpm
a2be11654f2b06d0579b6a3f5272c31a 2008.0/i586/kernel-desktop-devel-latest-2.6.22.12-1mdv2008.0.i586.rpm
4ac1c0d45cd643dbea927050e0a4010a 2008.0/i586/kernel-desktop-latest-2.6.22.12-1mdv2008.0.i586.rpm
beac61f42065285b3b2f34212d52d8d0 2008.0/i586/kernel-desktop586-2.6.22.12-1mdv-1-1mdv2008.0.i586.rpm
eb5bc9029a09d92870d1b2e33410eadd 2008.0/i586/kernel-desktop586-devel-2.6.22.12-1mdv-1-1mdv2008.0.i586.rpm
cb9ff0a7902a734e7f1378c46d2e024e 2008.0/i586/kernel-desktop586-devel-latest-2.6.22.12-1mdv2008.0.i586.rpm
5640e6c9846abf1cffdbba58517bc4f3 2008.0/i586/kernel-desktop586-latest-2.6.22.12-1mdv2008.0.i586.rpm
f47fc0edd34149905ec9c979b365ea1e 2008.0/i586/kernel-doc-2.6.22.12-1mdv2008.0.i586.rpm
4281e10a6a2ea8d0eec91e5d4c7f4a97 2008.0/i586/kernel-laptop-2.6.22.12-1mdv-1-1mdv2008.0.i586.rpm
bf0cdddc00747ca1eac97596d110b2b0 2008.0/i586/kernel-laptop-devel-2.6.22.12-1mdv-1-1mdv2008.0.i586.rpm
d8901cba80555234b45b7291966232f7 2008.0/i586/kernel-laptop-devel-latest-2.6.22.12-1mdv2008.0.i586.rpm
fc3f4e82c13a8fe0a3d7c138a4242523 2008.0/i586/kernel-laptop-latest-2.6.22.12-1mdv2008.0.i586.rpm
4471d2e11e5814d6b00a92203eb624fd 2008.0/i586/kernel-server-2.6.22.12-1mdv-1-1mdv2008.0.i586.rpm
3fd2a0f03031e55e1fd688f18a111909 2008.0/i586/kernel-server-devel-2.6.22.12-1mdv-1-1mdv2008.0.i586.rpm
60bebc8c572331ea54da8e2f2003d184 2008.0/i586/kernel-server-devel-latest-2.6.22.12-1mdv2008.0.i586.rpm
3603a84dec2dd525aee503face0f5466 2008.0/i586/kernel-server-latest-2.6.22.12-1mdv2008.0.i586.rpm
0fdee78f39eb58e8ed656dc746247805 2008.0/i586/kernel-source-2.6.22.12-1mdv-1-1mdv2008.0.i586.rpm
68e878051bf3584e2544382ffe685d4f 2008.0/i586/kernel-source-latest-2.6.22.12-1mdv2008.0.i586.rpm
666ec61a6b9f117b3a991bc0163b66a2 2008.0/SRPMS/kernel-2.6.22.12-1mdv2008.0.src.rpm

Mandriva Linux 2008.0/X86_64:
8a4670ea37e195b450780c65c1e848e1 2008.0/x86_64/kernel-2.6.22.12-1mdv-1-1mdv2008.0.x86_64.rpm
d423ea385be4e43c2e3662faf02ec952 2008.0/x86_64/kernel-desktop-2.6.22.12-1mdv-1-1mdv2008.0.x86_64.rpm
24d0752af597feb7d7df1ef0412010a4 2008.0/x86_64/kernel-desktop-devel-2.6.22.12-1mdv-1-1mdv2008.0.x86_64.rpm
61932b1d0078387f5212919776940e62 2008.0/x86_64/kernel-desktop-devel-latest-2.6.22.12-1mdv2008.0.x86_64.rpm
fff4298a795775460b87f2fe0b757d10 2008.0/x86_64/kernel-desktop-latest-2.6.22.12-1mdv2008.0.x86_64.rpm
a32ef6a87dc4a8dd28b6a83b810de9ff 2008.0/x86_64/kernel-doc-2.6.22.12-1mdv2008.0.x86_64.rpm
80b7e690f462eaf2993595afd70c9de0 2008.0/x86_64/kernel-laptop-2.6.22.12-1mdv-1-1mdv2008.0.x86_64.rpm
7f6df46dd7a05574c001527a3341b28d 2008.0/x86_64/kernel-laptop-devel-2.6.22.12-1mdv-1-1mdv2008.0.x86_64.rpm
efa087282b33923c354846909ec1585c 2008.0/x86_64/kernel-laptop-devel-latest-2.6.22.12-1mdv2008.0.x86_64.rpm
a24374352a24ce5c9e9fbfaf9c7f130d 2008.0/x86_64/kernel-laptop-latest-2.6.22.12-1mdv2008.0.x86_64.rpm
7a078712aea92dc7ce3f36288e6126e8 2008.0/x86_64/kernel-server-2.6.22.12-1mdv-1-1mdv2008.0.x86_64.rpm
53876a6ab82a4eabecb97be39a256d9b 2008.0/x86_64/kernel-server-devel-2.6.22.12-1mdv-1-1mdv2008.0.x86_64.rpm
bc7dc1b24b0acf0f0a4c819a765bd6f6 2008.0/x86_64/kernel-server-devel-latest-2.6.22.12-1mdv2008.0.x86_64.rpm
915a90d1b7dfd1f1b443d77191d90dad 2008.0/x86_64/kernel-server-latest-2.6.22.12-1mdv2008.0.x86_64.rpm
7b9728978473981add1ab6f95272a3ac 2008.0/x86_64/kernel-source-2.6.22.12-1mdv-1-1mdv2008.0.x86_64.rpm
e5e79acce294760ba2250590efffbcb1 2008.0/x86_64/kernel-source-latest-2.6.22.12-1mdv2008.0.x86_64.rpm
666ec61a6b9f117b3a991bc0163b66a2 2008.0/SRPMS/kernel-2.6.22.12-1mdv2008.0.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHTalKmqjQ0CJFipgRAmuMAKC5vYuP+GWkDtVgvHdlonswXNInPACgt14z
xMNG7xobmmz9u/fFFl77ZFw=
=+r4e
-----END PGP SIGNATURE-----

------------------------------

Message: 8
Date: Wed, 28 Nov 2007 21:43:56 +0000
From: dev code <devcode29 () hotmail com>
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow Vulnerability
To: reepex <reepex () gmail com>, Rajesh Sethumadhavan <rajesh.sethumadhavan () yahoo com>, <full-disclosure () lists grok org uk>
Message-ID: <BAY120-W6DF5E0453F3F1C567924FBE770 () phx gbl>
Content-Type: text/plain; charset="iso-8859-1"

lolerowned, kinda like the 20 other non-exploitable stack overflow exceptions that someone else has been reporting on full disclosure

> Date: Wed, 28 Nov 2007 09:11:30 -0600
> From: reepex () gmail com
> To: rajesh.sethumadhavan () yahoo com; full-disclosure () lists grok org uk
> Subject: Re: [Full-disclosure] Microsoft FTP
> Client Multiple Bufferoverflow Vulnerability
>
> so... what fuzzer that you didn't code did you use to find these amazing vulns? Also nice 'payload' in your exploits meaning 'nice long lists of "a"s'. You should not claim code execution when your code does not perform it. Well I guess it has been good talking until your fuzzer crashes another application and you copy and paste the results
>
> On 11/28/07, Rajesh Sethumadhavan <rajesh.sethumadhavan () yahoo com> wrote:
> > Microsoft FTP Client Multiple Bufferoverflow Vulnerability
> > [...]

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20071128/587fa595/attachment-0001.html

------------------------------

Message: 9
Date: Wed, 28 Nov 2007 17:21:54 -0500
From: "Stan Bubrouski" <stan.bubrouski () gmail com>
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow Vulnerability
To: "dev code" <devcode29 () hotmail com>
Cc: full-disclosure () lists grok org uk
Message-ID: <122827b90711281421u64663492jadd2b4d101d9fd45 () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1

Not to mention the obvious fact that if you have to trick someone into running a batch file then you could probably just tell the genius to execute a special EXE you crafted for them.

-sb

On Nov 28, 2007 4:43 PM, dev code <devcode29 () hotmail com> wrote:
> lolerowned, kinda like the 20 other non-exploitable stack overflow exceptions that someone else has been reporting on full disclosure
>
> [...]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
------------------------------

Message: 10
Date: Wed, 28 Nov 2007 15:42:26 -0700
From: security () mandriva com
Subject: [Full-disclosure] [ MDKSA-2007:233 ] - Updated cpio package fixes buffer overflow and directory traversal vulnerabilities
To: full-disclosure () lists grok org uk
Message-ID: <E1IxVbu-0003g6-5Q () artemis annvix ca>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDKSA-2007:233
http://www.mandriva.com/security/
_______________________________________________________________________

Package : cpio
Date    : November 28, 2007
Affected: 2007.0, 2007.1, 2008.0, Corporate 3.0, Corporate 4.0, Multi Network Firewall 2.0
_______________________________________________________________________

Problem Description:

_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4476
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1229
_______________________________________________________________________

Updated Packages:

_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security.
You can obtain the GPG public key of the Mandriva Security Team by executing:

 gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

-----END PGP SIGNATURE-----

------------------------------

Message: 11
Date: Wed, 28 Nov 2007 16:19:53 -0700
From: security () mandriva com
Subject: [Full-disclosure] [ MDKSA-2007:233 ] - Updated cpio package fixes buffer overflow and directory traversal vulnerabilities
To: full-disclosure () lists grok org uk
Message-ID: <E1IxWC9-000406-PP () artemis annvix ca>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDKSA-2007:233
http://www.mandriva.com/security/
_______________________________________________________________________

Package : cpio
Date    : November 28, 2007
Affected: 2007.0, 2007.1, 2008.0, Corporate 3.0, Corporate 4.0, Multi Network Firewall 2.0
_______________________________________________________________________

Problem Description:

Buffer overflow in the safer_name_suffix function in GNU cpio has unspecified attack vectors and impact, resulting in a crashing stack. This problem was originally found in tar, but affects cpio too, due to similar code fragments. (CVE-2007-4476)

Directory traversal vulnerability in cpio 2.6 and earlier allows remote attackers to write to arbitrary directories via a .. (dot dot) in a cpio file. This is an old issue, affecting only Mandriva Corporate Server 4 and Mandriva Linux 2007. (CVE-2005-1229)

Updated package fixes these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4476
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1229
_______________________________________________________________________

Updated Packages:

_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

 gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

-----END PGP SIGNATURE-----

------------------------------

Message: 12
Date: Wed, 28 Nov 2007 18:34:47 -0500
From: "Peter Dawson" <slash.pd () gmail com>
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow Vulnerability
To: "Stan Bubrouski" <stan.bubrouski () gmail com>
Cc: full-disclosure () lists grok org uk
Message-ID: <8f1f7b60711281534p554ccdb1mea0fd20826625658 () mail gmail com>
Content-Type: text/plain; charset="utf-8"

Yeah ..
a) "Social engineer victim to open it."
b) "Persuade victim to run the command "
is kind of funky..

On Nov 28, 2007 5:21 PM, Stan Bubrouski <stan.bubrouski () gmail com> wrote:
Not to mention the obvious fact that if you have to trick someone into running a batch file then you could probably just tell the genius to execute a special EXE you crafted for them.

-sb

On Nov 28, 2007 4:43 PM, dev code <devcode29 () hotmail com> wrote:
lolerowned, kinda like the 20 other non-exploitable stack overflow exceptions that someone else has been reporting on full disclosure
[...]
------------------------------

Message: 13
Date: Wed, 28 Nov 2007 17:56:41 -0600
From: reepex <reepex () gmail com>
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow Vulnerability
To: "Peter Dawson" <slash.pd () gmail com>, full-disclosure () lists grok org uk
Message-ID: <e9d9d4020711281556g6baf8a8xe228611349b6afb5 () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

woah woah, watch your words. Many people on fd make their career based on 1) and 2), so don't diss them unless you want to start an e-war.

On 11/28/07, Peter Dawson <slash.pd () gmail com> wrote:
Yeah ..
a) "Social engineer victim to open it."
b) "Persuade victim to run the command "
is kind of funky..

On Nov 28, 2007 5:21 PM, Stan Bubrouski <stan.bubrouski () gmail com> wrote:
[...]

------------------------------

End of Full-Disclosure Digest, Vol 33, Issue 52
***********************************************
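For the cpio advisory in Message 11 above: an added example, not cpio's or Mandriva's own code, of the member-name check a defensive extractor runs before it creates any file from an archive. It rejects any name carrying a ".." component (the CVE-2005-1229 traversal class) instead of trying to clean it up, and it length-checks every copy into its output buffer, the kind of bound a name-screening routine such as cpio's safer_name_suffix must keep if it is not to overflow its own stack. Function, enum and sample names are mine; the sample member names are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Verdicts for one archive member name (hypothetical names, added example). */
enum name_verdict {
    NAME_OK = 0,      /* cleaned relative path written to out */
    NAME_ABSOLUTE,    /* leading '/' would escape the extraction directory */
    NAME_TRAVERSAL,   /* a ".." component: the CVE-2005-1229 class */
    NAME_EMPTY,       /* nothing left after dropping "." and empty components */
    NAME_TOO_LONG     /* cleaned name would not fit into out */
};

/* Screen a member name before it is used to create a file under the
 * extraction directory. The cleaned relative path goes into out
 * (outlen bytes including the NUL). Every copy is preceded by a length
 * check, so an over-long name yields NAME_TOO_LONG, not a stack smash. */
enum name_verdict screen_member_name(const char *name, char *out, size_t outlen)
{
    size_t pos = 0;
    const char *p = name;

    if (outlen == 0)
        return NAME_TOO_LONG;
    out[0] = '\0';
    if (*p == '/')
        return NAME_ABSOLUTE;

    while (*p) {
        /* Current component is [p, p + len); q is the '/' after it, if any. */
        const char *q = strchr(p, '/');
        size_t len = q ? (size_t)(q - p) : strlen(p);

        if (len == 2 && p[0] == '.' && p[1] == '.')
            return NAME_TRAVERSAL;              /* reject, never "repair" */

        /* Drop empty ("a//b") and "." components; copy everything else. */
        if (len > 0 && !(len == 1 && p[0] == '.')) {
            size_t sep = pos > 0 ? 1 : 0;       /* '/' between components */
            if (pos + sep + len + 1 > outlen)   /* +1 for the terminating NUL */
                return NAME_TOO_LONG;
            if (sep)
                out[pos++] = '/';
            memcpy(out + pos, p, len);
            pos += len;
            out[pos] = '\0';
        }
        p = q ? q + 1 : p + len;
    }
    return pos > 0 ? NAME_OK : NAME_EMPTY;
}

static const char *verdict_text(enum name_verdict v)
{
    switch (v) {
    case NAME_OK:        return "extract";
    case NAME_ABSOLUTE:  return "reject: absolute path";
    case NAME_TRAVERSAL: return "reject: '..' component";
    case NAME_EMPTY:     return "skip: resolves to the extraction directory";
    default:             return "reject: name too long";
    }
}

int main(void)
{
    /* Constructed member names of the kind a hostile archive could carry. */
    static const char *samples[] = {
        "usr/share/doc/README", "../../outside.txt", "/absolute.txt",
        "a/../b", "./a//./b", ".",
        "0123456789/0123456789/0123456789/0123456789",
    };
    char out[32];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum name_verdict v = screen_member_name(samples[i], out, sizeof out);
        printf("%-45s -> %s%s%s\n", samples[i], verdict_text(v),
               v == NAME_OK ? " as " : "", v == NAME_OK ? out : "");
    }
    return 0;
}
```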