Re: WIN2K security bug with FTP. Bug allows any file to be deleted from the remote system.

[Egemen Tas <egement () KARYDE COM TR>]

Well...
I think this bug in ftp.exe have no uses in practice.I think no one will use
so as a penetration testing tecnique.
But theoretically there exists a formatting  string vulnerability in ftp
client that can be use to force the system do some things with the security
context of logged on user.(Not a serious bug)
If I were in the MS Security Team , I would class this bug as a code quality
bug and give low privilege to release a patch for..

Regards
Egemen Tas

----- Original Message -----
From: "Marc Maiffret" <marc () EEYE COM>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Sunday, February 18, 2001 9:16 AM
Subject: Re: WIN2K security bug with FTP. Bug allows any file to be deleted
from the remote system.


> <snip>
> | > Client side vulnerabilities are great _IF_ you can force a
> | > client to perform
> | > the overflow or what not.
> | > A client side "vulnerability" where the client has to type in random
> | > commands to ftp.exe or have things placed in their profile
> | > (which they are
> | > then screwed anyways) is not something overly worthwhile.
> |
> | What about situations where one is capable of gaining access to a
machine
> | via unicode or any other known/unknown vuln that does not give one
system
> | access, and then utilising this in conjunction with the above to
> | cause more
> | havoc?
> So you break into an IIS server via FrontPage, Unicode, whatever it is...
> and then you overflow ftp.exe (which was spawned by your user under your
> privilege (IUSR_ for example) and then you overflow it... you will then be
> executing code with the same privilege so what's the point?
>
> Now, if you were to take a local exploit, like an overflow in .asp files,
> and use Unicode to write that .asp file to the hard drive and then request
> the .asp file remotely, http://example.com/bob.asp to cause an overflow
> (which since .asp is going to be processed in inetinfo.exe you'll be
SYSTEM)
> then yes that local exploit, which typically would mean nothing, is then a
> valid threat. Read http://www.eeye.com/html/Advisories/IISHack1.5.html for
a
> "proof in concept" that myself and Ryan Permeh put together. Using Unicode
> and an overflow in ASP.
>
> | Take care,
> |   Andrew
> | -
> | Andrew Thomas
> | office: +27 21 4889820
> | facsimile: +27 21 4889830
> | mobile: +27 82 7850166
> |  "One trend that bothers me is the glorification of
> | stupidity, that the media is reassuring people it's
> | alright not to know anything. That to me is far more
> | dangerous than a little pornography on the Internet."
> |   - Carl Sagan
>
> Signed,
> Marc Maiffret
> Chief Hacking Officer
> eCompany / eEye
> T.949.349.9062
> F.949.349.9538
> http://eEye.com