Full Disclosure mailing list archives
Re: Microsoft Internet Information Server ftpd zeroday
From: Vladimir '3APA3A' Dubrovin <3APA3A () SECURITY NNOV RU>
Date: Wed, 2 Sep 2009 13:00:16 +0400
Dear Guido Landi,

For DoS - yes, you can use an existing file, but it's (almost) impossible to create a reliable code execution exploit since you can not (fully) control the return address, like required in the JMP ESP technique used in this exploit.

--Wednesday, September 2, 2009, 12:33:47 PM, you wrote to 3APA3A () SECURITY NNOV RU:

GL> no, MKDIR is *not* required, also write access is *not* required.
GL> Assuming a directory with a name that starts with "A" exists and that is
GL> at least 14 chars long, this pattern will trigger the overflow:
GL> NLST [Ax206]*/../A*/../A*/../A*/../A*/../A*/../A*/../A*/\r\n
GL> At least on win2k3. Therefore, the workarounds for kb975191 on
GL> microsoft.com are wrong.
GL> Guido Landi
GL> Vladimir '3APA3A' Dubrovin wrote:

Dear Thierry Zoller,

I think yes, MKDIR is required. It should be a variation of S99-003/MS02-018. A fuzzer should be very smart to create a directory and use both an oversized buffer and ../ in NLST - it makes the path longer than MAX_PATH with an existing directory.

--Monday, August 31, 2009, 8:21:12 PM, you wrote to full-disclosure () lists grok org uk:

TZ> Confirmed.
TZ> Ask yourselves why your fuzzers haven't found that one - Combination of
TZ> MKDIR is required before reaching vuln code ?

--
Skype: Vladimir.Dubrovin
~/ZARAZA http://securityvulns.com/
There are versions of Othello in which Desdemona strangles the Moor. (Lem)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
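The thread's point, from a defender's side, is that the raw NLST argument stays under MAX_PATH; it is the wildcards expanding against an existing directory name, interleaved with `../`, that push the resolved path over the limit, so a length check alone misses it. The following scanner is an added example (not code from the thread or any of its participants) that flags listing commands by both criteria. It assumes a simplified one-command-per-line "client command argument" log format (not the real IIS log layout), an alerting length threshold of 200 chosen here as an assumption, and constructed sample lines; the long sample reproduces the shape quoted above.

```python
import re

MAX_PATH = 260            # Windows MAX_PATH, the limit the thread refers to
LENGTH_THRESHOLD = 200    # assumed alerting threshold for a raw listing argument
LISTING_COMMANDS = {"NLST", "LIST"}
# One ".." path component: preceded by start-of-string or a separator and
# followed by a separator or end-of-string (lookahead, so ../../ counts twice).
TRAVERSAL_RE = re.compile(r"(?:^|[/\\])\.\.(?=[/\\]|$)")

# Constructed sample command lines in a simplified "client command argument"
# form (not the real IIS log layout). The long NLST argument reproduces the
# shape quoted in the thread: 206 'A's followed by repeated "*/../A" segments.
SAMPLE_LINES = [
    "10.0.0.5 USER anonymous",
    "10.0.0.5 CWD /pub",
    "10.0.0.5 NLST *.txt",
    "10.0.0.7 LIST ../../pub",
    "10.0.0.9 NLST " + "A" * 206 + "*/../A" * 7 + "*/",
]


def analyse_command(line):
    """Return the reasons a listing command looks abusive; empty list if benign."""
    parts = line.split(" ", 2)
    if len(parts) < 3:
        return []
    _client, cmd, arg = parts
    if cmd.upper() not in LISTING_COMMANDS:
        return []
    reasons = []
    if len(arg) > LENGTH_THRESHOLD:
        reasons.append(f"argument length {len(arg)} exceeds {LENGTH_THRESHOLD}")
    traversals = len(TRAVERSAL_RE.findall(arg))
    has_wildcard = any(c in arg for c in "*?")
    if traversals and has_wildcard:
        # The thread's pattern: wildcards that expand against an existing
        # directory name, interleaved with ../, so the resolved path grows
        # past MAX_PATH even though the raw argument is shorter than that.
        reasons.append(f"{traversals} '..' components combined with wildcards")
    return reasons


def scan(lines):
    """Map each flagged line to its reasons; unflagged lines are omitted."""
    flagged = {}
    for line in lines:
        reasons = analyse_command(line)
        if reasons:
            flagged[line] = reasons
    return flagged


if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LINES).items():
        print(line[:60] + "...", reasons)
```

Note that the plain `LIST ../../pub` line is not flagged: traversal without wildcards does not match the failure mode the thread describes, and alerting on every `..` in a listing argument would be noisy on servers that legitimately allow it. The raw argument of the long sample is 250 characters, below MAX_PATH, which is why the wildcard-plus-traversal rule exists alongside the length rule.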
Current thread:
- Re: Microsoft Internet Information Server ftpd zeroday Guido Landi (Sep 02)
- Re: Microsoft Internet Information Server ftpd zeroday Vladimir '3APA3A' Dubrovin (Sep 02)
- Re: Microsoft Internet Information Server ftpd zeroday Guido Landi (Sep 02)
- Re: Microsoft Internet Information Server ftpd zeroday Vladimir '3APA3A' Dubrovin (Sep 02)