Re: Microsoft Internet Information Server ftpd zeroday

[Vladimir '3APA3A' Dubrovin <3APA3A () SECURITY NNOV RU>]

Dear Guido Landi,

For  DoS  - yes, you can use existing file, but it's (almost) impossible
to  create  reliable  code  excution  exploit  since you can not (fully)
control  return address, like required in JMP ESP technique used in this
exploit.

--Wednesday, September 2, 2009, 12:33:47 PM, you wrote to 3APA3A () SECURITY NNOV RU:

GL> no, MKDIR is *not* required, also write access is *not* required.

GL> Assuming a directory with a name that starts with "A" exists and that is
GL> at least 14 chars long, this pattern will trigger the overflow:


GL> NLST [Ax206]*/../A*/../A*/../A*/../A*/../A*/../A*/../A*/\r\n


GL> At least on win2k3. Therefore, the workarounds for kb975191 on
GL> microsoft.com are wrong.



GL> Guido Landi

GL> Vladimir '3APA3A' Dubrovin wrote:
> > Dear Thierry Zoller,
> >
> > I   think   yes,   MKDIR   is   required.  It  should  be  variation  of
> > S99-003/MS02-018.  fuzzer  should  be very smart to create directory and
> > user  both  oversized buffer and ../ in NLST - it makes path longer than
> > MAX_PATH with existing directory.
> >
> > --Monday, August 31, 2009, 8:21:12 PM, you wrote to
> > full-disclosure () lists grok org uk:
> >
> >
> > TZ> Confirmed.
> >
> > TZ> Ask  yourselves why your fuzzers haven't found that one - Combination of
> > TZ> MKDIR are required before reaching vuln code ?

GL> _______________________________________________
GL> Full-Disclosure - We believe in it.
GL> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
GL> Hosted and sponsored by Secunia - http://secunia.com/


-- 
Skype: Vladimir.Dubrovin
~/ZARAZA http://securityvulns.com/
Есть там версии Отелло, где Дездемона душит Мавра. (Лем)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/