Vulnerability Development mailing list archives

Re: WIN2K security bug with FTP. Bug allows any file to be deleted from the remote system.


From: Marc Maiffret <marc () EEYE COM>
Date: Sun, 18 Feb 2001 09:16:58 -0800

<snip>
| > Client side vulnerabilities are great _IF_ you can force a client to perform
| > the overflow or what not.
| > A client side "vulnerability" where the client has to type in random
| > commands to ftp.exe or have things placed in their profile (in which case
| > they are screwed anyway) is not something overly worthwhile.
|
| What about situations where one is capable of gaining access to a machine
| via unicode or any other known/unknown vuln that does not give one system
| access, and then utilising this in conjunction with the above to cause more
| havoc?
So you break into an IIS server via FrontPage, Unicode, whatever it is...
and then you overflow ftp.exe (which was spawned by your user under your
privilege, IUSR_ for example)... you will then be executing code with the
same privilege, so what's the point?

Now, if you were to take a local exploit, like an overflow in .asp files,
and use Unicode to write that .asp file to the hard drive and then request
the .asp file remotely, http://example.com/bob.asp to cause an overflow
(which since .asp is going to be processed in inetinfo.exe you'll be SYSTEM)
then yes, that local exploit, which typically would mean nothing, is then a
valid threat. Read http://www.eeye.com/html/Advisories/IISHack1.5.html for a
"proof of concept" that Ryan Permeh and I put together, using Unicode
and an overflow in ASP.

| Take care,
|   Andrew
| -
| Andrew Thomas
| office: +27 21 4889820
| facsimile: +27 21 4889830
| mobile: +27 82 7850166
|  "One trend that bothers me is the glorification of
| stupidity, that the media is reassuring people it's
| alright not to know anything. That to me is far more
| dangerous than a little pornography on the Internet."
|   - Carl Sagan

Signed,
Marc Maiffret
Chief Hacking Officer
eCompany / eEye
T.949.349.9062
F.949.349.9538
http://eEye.com
