Vulnerability Development mailing list archives
Re: WIN2K security bug with FTP. Bug allows any file to be deleted from the remote system.
From: Egemen Tas <egement () KARYDE COM TR>
Date: Mon, 19 Feb 2001 19:34:38 -0800
Well... I think this bug in ftp.exe has no use in practice. I think no one will use it as a penetration testing technique. But theoretically there exists a format string vulnerability in the ftp client that can be used to force the system to do some things within the security context of the logged-on user. (Not a serious bug.) If I were on the MS Security Team, I would class this bug as a code quality bug and give low priority to releasing a patch for it.

Regards
Egemen Tas

----- Original Message -----
From: "Marc Maiffret" <marc () EEYE COM>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Sunday, February 18, 2001 9:16 AM
Subject: Re: WIN2K security bug with FTP. Bug allows any file to be deleted from the remote system.
<snip>
| > Client side vulnerabilities are great _IF_ you can force a
| > client to perform the overflow or what not.
| > A client side "vulnerability" where the client has to type in random
| > commands to ftp.exe or have things placed in their profile
| > (which they are then screwed anyways) is not something overly worthwhile.
|
| What about situations where one is capable of gaining access to a machine
| via unicode or any other known/unknown vuln that does not give one system
| access, and then utilising this in conjunction with the above to cause more
| havoc?

So you break into an IIS server via FrontPage, Unicode, whatever it is... and then you overflow ftp.exe (which was spawned by your user under your privilege, IUSR_ for example)... you will then be executing code with the same privilege, so what's the point?

Now, if you were to take a local exploit, like an overflow in .asp files, and use Unicode to write that .asp file to the hard drive and then request the .asp file remotely, http://example.com/bob.asp, to cause an overflow (which, since .asp is going to be processed in inetinfo.exe, you'll be SYSTEM), then yes, that local exploit, which typically would mean nothing, is then a valid threat.

Read http://www.eeye.com/html/Advisories/IISHack1.5.html for a "proof of concept" that myself and Ryan Permeh put together, using Unicode and an overflow in ASP.

| Take care,
| Andrew
| -
| Andrew Thomas
| office: +27 21 4889820
| facsimile: +27 21 4889830
| mobile: +27 82 7850166
| "One trend that bothers me is the glorification of
| stupidity, that the media is reassuring people it's
| alright not to know anything. That to me is far more
| dangerous than a little pornography on the Internet."
| - Carl Sagan

Signed,
Marc Maiffret
Chief Hacking Officer
eCompany / eEye
T.949.349.9062
F.949.349.9538
http://eEye.com
Current thread:
- Re: WIN2K security bug with FTP. Bug allows any file to be deleted from the remote system. Andrew Thomas (Feb 18)
- Re: WIN2K security bug with FTP. Bug allows any file to be deleted from the remote system. Marc Maiffret (Feb 18)
- Re: WIN2K security bug with FTP. Bug allows any file to be deleted from the remote system. Egemen Tas (Feb 19)
- Re: WIN2K security bug with FTP. Bug allows any file to be deleted from the remote system. Marc Maiffret (Feb 18)