Full Disclosure mailing list archives

Re: Full-Disclosure Digest, Vol 33, Issue 52
From: admin () pacheco-family net
Date: Thu, 29 Nov 2007 00:25:38 +0000

/****
Sent via BlackBerry from T-Mobile

-----Original Message-----
From: full-disclosure-request () lists grok org uk

Date: Wed, 28 Nov 2007 23:56:50 
To:full-disclosure () lists grok org uk
Subject: Full-Disclosure Digest, Vol 33, Issue 52


Send Full-Disclosure mailing list submissions to
        full-disclosure () lists grok org uk

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.grok.org.uk/mailman/listinfo/full-disclosure
or, via email, send a message with subject or body 'help' to
        full-disclosure-request () lists grok org uk

You can reach the person managing the list at
        full-disclosure-owner () lists grok org uk

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Full-Disclosure digest..."


Note to digest recipients - when replying to digest posts, please trim your post appropriately. Thank you.


Today's Topics:

   1. Re: Microsoft FTP Client Multiple Bufferoverflow
      Vulnerability (Tonnerre Lombard)
   2. Re: Microsoft FTP Client Multiple Bufferoverflow
      Vulnerability (KJK::Hyperion)
   3. Re: Microsoft FTP Client Multiple Bufferoverflow
      Vulnerability (Tonnerre Lombard)
   4. Re: Microsoft FTP Client Multiple Bufferoverflow
      Vulnerability (reepex)
   5. Secunia Research: Symantec Backup Exec Job Engine Denial of
      Service (Secunia Research)
   6. Re: Microsoft FTP Client Multiple Bufferoverflow
      Vulnerability (Valdis.Kletnieks () vt edu)
   7. [ MDKSA-2007:232 ] - Updated kernel packages fix multiple
      vulnerabilities and bugs (security () mandriva com)
   8. Re: Microsoft FTP Client Multiple Bufferoverflow
      Vulnerability (dev code)
   9. Re: Microsoft FTP Client Multiple Bufferoverflow
      Vulnerability (Stan Bubrouski)
  10. [ MDKSA-2007:233 ] - Updated cpio package fixes buffer
      overflow and directory traversal vulnerabilities
      (security () mandriva com)
  11. [ MDKSA-2007:233 ] - Updated cpio package fixes buffer
      overflow and directory traversal vulnerabilities
      (security () mandriva com)
  12. Re: Microsoft FTP Client Multiple Bufferoverflow
      Vulnerability (Peter Dawson)
  13. Re: Microsoft FTP Client Multiple Bufferoverflow
      Vulnerability (reepex)


----------------------------------------------------------------------

Message: 1
Date: Wed, 28 Nov 2007 12:44:11 +0100
From: Tonnerre Lombard <tonnerre.lombard () sygroup ch>
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple
        Bufferoverflow Vulnerability
To: full-disclosure () lists grok org uk
Message-ID: <20071128124411.7c0e55a4 () wssyg114 sygroup-int ch>
Content-Type: text/plain; charset="iso-8859-1"

Salut,

On Wed, 28 Nov 2007 12:05:24 +0100 "KJK::Hyperion" <hackbunny () s0ftpj org> wrote:
> Rajesh Sethumadhavan ha scritto:
> > Microsoft FTP Client Multiple Bufferoverflow
> > Vulnerability
>
> Isn't the FTP client compiled with stack overflow protection?

If so, how is that supposed to help?

                                Tonnerre
-- 
SyGroup GmbH
Tonnerre Lombard

Solutions Systematiques
Tel:+41 61 333 80 33            Güterstrasse 86
Fax:+41 61 383 14 67            4053 Basel
Web:www.sygroup.ch              tonnerre.lombard () sygroup ch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 824 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20071128/495fddbb/attachment-0001.bin 

------------------------------

Message: 2
Date: Wed, 28 Nov 2007 13:16:34 +0100
From: "KJK::Hyperion" <hackbunny () s0ftpj org>
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple
        Bufferoverflow Vulnerability
To: full-disclosure () lists grok org uk
Message-ID: <474D5C22.2080608 () s0ftpj org>
Content-Type: text/plain; charset=ISO-8859-1

Tonnerre Lombard ha scritto:
> > > Microsoft FTP Client Multiple Bufferoverflow
> > > Vulnerability
> > Isn't the FTP client compiled with stack overflow protection?
> If so, how is that supposed to help?

By terminating the program before the payload is executed



------------------------------

Message: 3
Date: Wed, 28 Nov 2007 15:49:34 +0100
From: Tonnerre Lombard <tonnerre.lombard () sygroup ch>
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple
        Bufferoverflow Vulnerability
To: full-disclosure () lists grok org uk
Message-ID: <20071128154934.29ad2810 () wssyg114 sygroup-int ch>
Content-Type: text/plain; charset="iso-8859-1"

Salut,

On Wed, 28 Nov 2007 13:16:34 +0100 "KJK::Hyperion" <hackbunny () s0ftpj org> wrote:
> Tonnerre Lombard ha scritto:
> > > > Microsoft FTP Client Multiple Bufferoverflow
> > > > Vulnerability
> > > Isn't the FTP client compiled with stack overflow protection?
> > If so, how is that supposed to help?
>
> By terminating the program before the payload is executed

May I suggest that this protection is not perfect? I was hoping that
people on this mailing list consider this to be an established fact.

                                Tonnerre
-- 
SyGroup GmbH
Tonnerre Lombard

Solutions Systematiques
Tel:+41 61 333 80 33            Güterstrasse 86
Fax:+41 61 383 14 67            4053 Basel
Web:www.sygroup.ch              tonnerre.lombard () sygroup ch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 824 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20071128/70c9c965/attachment-0001.bin 

------------------------------

Message: 4
Date: Wed, 28 Nov 2007 09:11:30 -0600
From: reepex <reepex () gmail com>
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple
        Bufferoverflow  Vulnerability
To: "Rajesh Sethumadhavan" <rajesh.sethumadhavan () yahoo com>,
        full-disclosure () lists grok org uk
Message-ID:
        <e9d9d4020711280711v61ee588djd829a935e0e61152 () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

so... what fuzzer that you didn't code did you use to find these amazing
vulns?

Also nice 'payload'  in your exploits meaning 'nice long lists of "a"s'. You
should not claim code execution when your code does not perform it.

Well I guess it has been good talking until your fuzzer crashes another
application and you copy and paste the results


On 11/28/07, Rajesh Sethumadhavan <rajesh.sethumadhavan () yahoo com> wrote:
> Microsoft FTP Client Multiple Bufferoverflow
> Vulnerability
>
> #####################################################################
>
> XDisclose Advisory      : XD100096
> Vulnerability Discovered: November 20th 2007
> Advisory Reported       : November 28th 2007
> Credit                  : Rajesh Sethumadhavan
>
> Class                   : Buffer Overflow
>                           Denial Of Service
> Solution Status         : Unpatched
> Vendor                  : Microsoft Corporation
> Affected applications   : Microsoft FTP Client
> Affected Platform       : Windows 2000 Server
>                           Windows 2000 Professional
>                           Windows XP
>                           (Other versions may also be affected)
>
> #####################################################################
>
>
> Overview:
> A buffer overflow vulnerability was discovered in the
> Microsoft FTP client. Attackers can crash the FTP
> client of the victim user by tricking the user.
>
>
> Description:
> A remote attacker can craft a packet with a payload in the
> "mget", "ls", "dir", "username" and "password"
> commands as demonstrated below. When the victim executes the
> PoC or specially crafted packets, the FTP client will
> crash, with possible arbitrary code execution in the context of
> the logged-in user. This vulnerability is hard to exploit
> since it requires social engineering, and shellcode has
> to be injected as an argument to the vulnerable commands.
>
> The vulnerability is caused by an error in the
> Windows FTP client in validating commands like "mget",
> "dir", "user", "password" and "ls".
>
> Exploitation method:
>
> Method 1:
> - Send the PoC with payload to the user.
> - Social-engineer the victim into opening it.
>
> Method 2:
> - The attacker creates a directory with a long folder or
>   file name on his FTP server (should be other than an IIS
>   server).
> - Persuade the victim to run the command "mget", "ls" or
>   "dir" on the specially crafted folder using the Microsoft FTP
>   client.
> - The FTP client will crash and the payload will get executed.
>
>
> Proof Of Concept:
> http://www.xdisclose.com/poc/mget.bat.txt
> http://www.xdisclose.com/poc/username.bat.txt
> http://www.xdisclose.com/poc/directory.bat.txt
> http://www.xdisclose.com/poc/list.bat.txt
>
> Note: Modify the PoC to connect to a lab FTP server
>       (as of now it will connect to
>       ftp://xdisclose.com)
>
> Demonstration:
> Note: The demonstration leads to crashing of the Microsoft FTP
> client.
>
> Download a PoC, rename it to a .bat file and execute any one of
> the batch files:
> http://www.xdisclose.com/poc/mget.bat.txt
> http://www.xdisclose.com/poc/username.bat.txt
> http://www.xdisclose.com/poc/directory.bat.txt
> http://www.xdisclose.com/poc/list.bat.txt
>
>
> Solution:
> No solution.
>
> Screenshot:
> http://www.xdisclose.com/images/msftpbof.jpg
>
>
> Impact:
> Successful exploitation may allow execution of
> arbitrary code with the privileges of the currently logged-in
> user.
>
> Impact of the vulnerability is system level.
>
>
> Original Advisory:
> http://www.xdisclose.com/advisory/XD100096.html
>
> Credits:
> Rajesh Sethumadhavan has been credited with the
> discovery of this vulnerability.
>
>
> Disclaimer:
> This entire document is strictly for educational,
> testing and demonstration purposes only. Modification,
> use and/or publishing of this information is entirely at
> your own risk. The exploit code/Proof Of Concept is to
> be used in a test environment only. I am not liable for
> any direct or indirect damages caused as a result of
> using the information or demonstrations provided in
> any part of this advisory.
>
>
>
>
> ____________________________________________________________________________________
> Never miss a thing.  Make Yahoo your home page.
> http://www.yahoo.com/r/hs
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20071128/cb276e93/attachment-0001.html 

------------------------------

Message: 5
Date: Wed, 28 Nov 2007 10:43:42 +0100
From: Secunia Research <remove-vuln () secunia com>
Subject: [Full-disclosure] Secunia Research: Symantec Backup Exec Job
        Engine  Denial of Service
To: full-disclosure () lists grok org uk
Message-ID: <1196243023.25960.307.camel () ts2 intnet>
Content-Type: text/plain

====================================================================== 

                     Secunia Research 28/11/2007

       - Symantec Backup Exec Job Engine Denial of Service -

====================================================================== 
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

====================================================================== 
1) Affected Software 

* Symantec Backup Exec for Windows Servers version 11d (11.0 rev 7170)

NOTE: Other versions may also be affected.

====================================================================== 
2) Severity 

Rating: Less Critical
Impact: Denial of Service
Where:  Local network

====================================================================== 
3) Vendor's Description of Software 

"Symantec Backup Exec 11d for Windows Servers is the gold standard in 
Windows data recovery, providing cost-effective, high-performance, and 
certified disk-to-disk-to-tape backup and recovery, with available 
continuous data protection for Microsoft Exchange, SQL, file servers, 
and workstations. High-performance agents and options provide fast, 
flexible, granular protection and recovery, and scalable management of
local and remote server backups."
 
Product Link:
http://www.symantec.com/business/products/overview.jsp?pcid=2244&pvid=57_1

====================================================================== 
4) Description of Vulnerability

Secunia Research has discovered some vulnerabilities in Symantec 
Backup Exec for Windows Servers, which can be exploited by malicious 
people to cause a DoS (Denial of Service).

1) A NULL-pointer dereference error in the Backup Exec Job Engine 
service (bengine.exe) when handling exceptions can be exploited to 
crash the service by sending a specially crafted packet to default 
port 5633/TCP.

2) Two integer overflow errors within the Backup Exec Job Engine 
service can be exploited to e.g. cause the service to enter an 
infinite loop and exhaust all available memory or consume large 
amounts of CPU resource by sending a specially crafted packet to 
default port 5633/TCP.

====================================================================== 
5) Solution 

Apply hotfixes.

Build 11.0.6235:
http://support.veritas.com/docs/294241

Build 11.0.7170:
http://support.veritas.com/docs/294237

====================================================================== 
6) Time Table 

02/10/2007 - Vendor notified. 
02/10/2007 - Vendor replied.
28/11/2007 - Public disclosure.

====================================================================== 
7) Credits 

Discovered by JJ Reyes, Secunia Research.

====================================================================== 
8) References

SYM07-029:
http://securityresponse.symantec.com/avcenter/security/Content/2007.11.27.html

The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2007-4346 (NULL pointer dereference error) and CVE-2007-4347
(integer overflows) for the vulnerabilities.

====================================================================== 
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://corporate.secunia.com/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://corporate.secunia.com/secunia_research/33/

Secunia regularly hires new skilled team members. Check the URL below 
to see currently vacant positions:

http://secunia.com/secunia_vacancies/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/ 

====================================================================== 
10) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2007-74/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================



------------------------------

Message: 6
Date: Wed, 28 Nov 2007 12:27:14 -0500
From: Valdis.Kletnieks () vt edu
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple
        Bufferoverflow  Vulnerability
To: "KJK::Hyperion" <hackbunny () s0ftpj org>
Cc: full-disclosure () lists grok org uk
Message-ID: <20490.1196270834 () turing-police cc vt edu>
Content-Type: text/plain; charset="us-ascii"

On Wed, 28 Nov 2007 12:05:24 +0100, "KJK::Hyperion" said:
> Rajesh Sethumadhavan ha scritto:
> > Microsoft FTP Client Multiple Bufferoverflow
> > Vulnerability
>
> Isn't the FTP client compiled with stack overflow protection?

Not all buffers live on the stack.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20071128/c18cf28e/attachment-0001.bin 
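
The exchange above (KJK::Hyperion's point in Messages 2 and 3 that a stack cookie terminates the program before the payload runs, Tonnerre's reply that the protection is not perfect, and Valdis Kletnieks's "not all buffers live on the stack") and the advisory's long-file-name vector for "ls", "dir" and "mget" can be put side by side in code. What follows is an added example, not code from the advisory, from Microsoft, or from any poster in this thread. It simulates, inside memory the program owns, how a /GS-style cookie trips when an overlong server-supplied name is copied into a fixed stack buffer, how the identical copy into a heap object silently corrupts the field behind the buffer because no cookie sits there, and how a bounded copy rejects the name instead. The frame layout, the cookie constant, the pretend return address and allocator metadata, NAME_MAX_LEN and the 40-character file name are all constructed assumptions for the demonstration.

```c
/*
 * Added example, not code from the advisory or from any poster above.
 * Simulates, inside memory the program owns, what a /GS-style stack
 * cookie catches and what it does not when an FTP client copies a
 * server-supplied file name (as returned by LIST/NLST for "ls", "dir",
 * "mget") into a fixed-size buffer. Frame layout, cookie value and
 * "return address" are illustrative assumptions; no real stack frame
 * is touched.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX_LEN 16                      /* deliberately tiny */
#define COOKIE       0xDEADBEEFCAFEF00DULL   /* fixed here; a real cookie is random */
#define SAVED_RET    0x401000ULL             /* pretend return address */
#define HEAP_META    0x1000ULL               /* pretend allocator metadata */

enum result { OK = 0, COOKIE_TRIPPED = 1, REJECTED = 2 };

/* Simulated stack frame: buffer, then cookie, then saved return address. */
struct frame {
    char     name[NAME_MAX_LEN];
    uint64_t cookie;
    uint64_t saved_ret;
};

/* Simulated heap chunk: buffer followed directly by allocator metadata.
 * No cookie sits between them. */
struct heap_obj {
    char     name[NAME_MAX_LEN];
    uint64_t next_chunk;
};

/* Constructed "server reply": a 40-character file name, the kind of long
 * run of one letter that the advisory's PoC batch files send. */
static const char LONG_NAME[] =
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA";

/* Buggy copy on a cookie-protected frame: trusts the server's length.
 * Writes through the frame's byte representation so the demo never
 * leaves the struct; the cap at sizeof f exists only for that reason. */
enum result stack_copy_with_cookie(const char *server_name)
{
    struct frame f;
    f.cookie = COOKIE;
    f.saved_ret = SAVED_RET;
    size_t n = strlen(server_name) + 1;
    if (n > sizeof f) n = sizeof f;
    memcpy(&f, server_name, n);           /* the bug: no check against NAME_MAX_LEN */
    /* Epilogue check as /GS does it: a clobbered cookie means saved_ret is
     * not trusted and the process is terminated before anything returns
     * into the attacker's bytes. */
    if (f.cookie != COOKIE)
        return COOKIE_TRIPPED;
    return OK;
}

/* Same bug on a heap object: nothing detects it. Returns the metadata
 * field after the copy so the caller can see whether it survived. */
uint64_t heap_copy_metadata_after(const char *server_name)
{
    struct heap_obj *o = malloc(sizeof *o);
    if (!o) return 0;
    o->next_chunk = HEAP_META;
    size_t n = strlen(server_name) + 1;
    if (n > sizeof *o) n = sizeof *o;
    memcpy(o, server_name, n);            /* same bug, no cookie to trip */
    uint64_t after = o->next_chunk;
    free(o);
    return after;
}

/* Hardened copy: refuse names that do not fit rather than trusting the
 * server or truncating silently. */
enum result bounded_copy(const char *server_name, char *out, size_t out_size)
{
    /* memchr within out_size finds the terminator only if the name fits */
    const char *nul = memchr(server_name, '\0', out_size);
    if (nul == NULL)
        return REJECTED;
    memcpy(out, server_name, (size_t)(nul - server_name) + 1);
    return OK;
}

int main(void)
{
    char out[NAME_MAX_LEN];
    printf("short name, stack frame : %d (0 = ok)\n", stack_copy_with_cookie("README.TXT"));
    printf("long name, stack frame  : %d (1 = cookie tripped)\n",
           stack_copy_with_cookie(LONG_NAME));
    printf("long name, heap object  : metadata now 0x%llx (was 0x%llx)\n",
           (unsigned long long)heap_copy_metadata_after(LONG_NAME),
           (unsigned long long)HEAP_META);
    printf("long name, bounded copy : %d (2 = rejected)\n",
           bounded_copy(LONG_NAME, out, sizeof out));
    return 0;
}
```

Build with any C99 compiler and run. The 32-byte frame and 24-byte chunk assume the usual 8-byte alignment of uint64_t after a 16-byte char array. A tripped cookie still kills the process, which is the crash the advisory's PoC files demonstrate; the cookie only stops the return into attacker-controlled bytes, and it does nothing for the heap case.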

------------------------------

Message: 7
Date: Wed, 28 Nov 2007 13:46:27 -0700
From: security () mandriva com
Subject: [Full-disclosure] [ MDKSA-2007:232 ] - Updated kernel
        packages fix multiple vulnerabilities and bugs
To: full-disclosure () lists grok org uk
Message-ID: <E1IxTnf-0003M2-Q8 () artemis annvix ca>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDKSA-2007:232
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : kernel
 Date    : November 28, 2007
 Affected: 2008.0
 _______________________________________________________________________
 
 Problem Description:
 
 Some vulnerabilities were discovered and corrected in the Linux
 2.6 kernel:
 
 The minix filesystem code allows local users to cause a denial of
 service (hang) via a malformed minix file stream (CVE-2006-6058).
 
 An integer underflow in the Linux kernel prior to 2.6.23 allows remote
 attackers to cause a denial of service (crash) via a crafted SKB length
 value in a runt IEEE 802.11 frame when the IEEE80211_STYPE_QOS_DATA
 flag is set (CVE-2007-4997).
 
 To update your kernel, please follow the directions located at:
 
   http://www.mandriva.com/en/security/kernelupdate
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6058
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4997
 _______________________________________________________________________
 
 Updated Packages:
 
 Mandriva Linux 2008.0:
 5c1343b5d8ffdced8a3976f204f51525  2008.0/i586/kernel-2.6.22.12-1mdv-1-1mdv2008.0.i586.rpm
 35d9b9d32b2dea3ced31c287dc48e7b5  2008.0/i586/kernel-desktop-2.6.22.12-1mdv-1-1mdv2008.0.i586.rpm
 a0f6e8a00bcb369f60b42eda0a31e9a4  2008.0/i586/kernel-desktop-devel-2.6.22.12-1mdv-1-1mdv2008.0.i586.rpm
 a2be11654f2b06d0579b6a3f5272c31a  2008.0/i586/kernel-desktop-devel-latest-2.6.22.12-1mdv2008.0.i586.rpm
 4ac1c0d45cd643dbea927050e0a4010a  2008.0/i586/kernel-desktop-latest-2.6.22.12-1mdv2008.0.i586.rpm
 beac61f42065285b3b2f34212d52d8d0  2008.0/i586/kernel-desktop586-2.6.22.12-1mdv-1-1mdv2008.0.i586.rpm
 eb5bc9029a09d92870d1b2e33410eadd  2008.0/i586/kernel-desktop586-devel-2.6.22.12-1mdv-1-1mdv2008.0.i586.rpm
 cb9ff0a7902a734e7f1378c46d2e024e  2008.0/i586/kernel-desktop586-devel-latest-2.6.22.12-1mdv2008.0.i586.rpm
 5640e6c9846abf1cffdbba58517bc4f3  2008.0/i586/kernel-desktop586-latest-2.6.22.12-1mdv2008.0.i586.rpm
 f47fc0edd34149905ec9c979b365ea1e  2008.0/i586/kernel-doc-2.6.22.12-1mdv2008.0.i586.rpm
 4281e10a6a2ea8d0eec91e5d4c7f4a97  2008.0/i586/kernel-laptop-2.6.22.12-1mdv-1-1mdv2008.0.i586.rpm
 bf0cdddc00747ca1eac97596d110b2b0  2008.0/i586/kernel-laptop-devel-2.6.22.12-1mdv-1-1mdv2008.0.i586.rpm
 d8901cba80555234b45b7291966232f7  2008.0/i586/kernel-laptop-devel-latest-2.6.22.12-1mdv2008.0.i586.rpm
 fc3f4e82c13a8fe0a3d7c138a4242523  2008.0/i586/kernel-laptop-latest-2.6.22.12-1mdv2008.0.i586.rpm
 4471d2e11e5814d6b00a92203eb624fd  2008.0/i586/kernel-server-2.6.22.12-1mdv-1-1mdv2008.0.i586.rpm
 3fd2a0f03031e55e1fd688f18a111909  2008.0/i586/kernel-server-devel-2.6.22.12-1mdv-1-1mdv2008.0.i586.rpm
 60bebc8c572331ea54da8e2f2003d184  2008.0/i586/kernel-server-devel-latest-2.6.22.12-1mdv2008.0.i586.rpm
 3603a84dec2dd525aee503face0f5466  2008.0/i586/kernel-server-latest-2.6.22.12-1mdv2008.0.i586.rpm
 0fdee78f39eb58e8ed656dc746247805  2008.0/i586/kernel-source-2.6.22.12-1mdv-1-1mdv2008.0.i586.rpm
 68e878051bf3584e2544382ffe685d4f  2008.0/i586/kernel-source-latest-2.6.22.12-1mdv2008.0.i586.rpm 
 666ec61a6b9f117b3a991bc0163b66a2  2008.0/SRPMS/kernel-2.6.22.12-1mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 8a4670ea37e195b450780c65c1e848e1  2008.0/x86_64/kernel-2.6.22.12-1mdv-1-1mdv2008.0.x86_64.rpm
 d423ea385be4e43c2e3662faf02ec952  2008.0/x86_64/kernel-desktop-2.6.22.12-1mdv-1-1mdv2008.0.x86_64.rpm
 24d0752af597feb7d7df1ef0412010a4  2008.0/x86_64/kernel-desktop-devel-2.6.22.12-1mdv-1-1mdv2008.0.x86_64.rpm
 61932b1d0078387f5212919776940e62  2008.0/x86_64/kernel-desktop-devel-latest-2.6.22.12-1mdv2008.0.x86_64.rpm
 fff4298a795775460b87f2fe0b757d10  2008.0/x86_64/kernel-desktop-latest-2.6.22.12-1mdv2008.0.x86_64.rpm
 a32ef6a87dc4a8dd28b6a83b810de9ff  2008.0/x86_64/kernel-doc-2.6.22.12-1mdv2008.0.x86_64.rpm
 80b7e690f462eaf2993595afd70c9de0  2008.0/x86_64/kernel-laptop-2.6.22.12-1mdv-1-1mdv2008.0.x86_64.rpm
 7f6df46dd7a05574c001527a3341b28d  2008.0/x86_64/kernel-laptop-devel-2.6.22.12-1mdv-1-1mdv2008.0.x86_64.rpm
 efa087282b33923c354846909ec1585c  2008.0/x86_64/kernel-laptop-devel-latest-2.6.22.12-1mdv2008.0.x86_64.rpm
 a24374352a24ce5c9e9fbfaf9c7f130d  2008.0/x86_64/kernel-laptop-latest-2.6.22.12-1mdv2008.0.x86_64.rpm
 7a078712aea92dc7ce3f36288e6126e8  2008.0/x86_64/kernel-server-2.6.22.12-1mdv-1-1mdv2008.0.x86_64.rpm
 53876a6ab82a4eabecb97be39a256d9b  2008.0/x86_64/kernel-server-devel-2.6.22.12-1mdv-1-1mdv2008.0.x86_64.rpm
 bc7dc1b24b0acf0f0a4c819a765bd6f6  2008.0/x86_64/kernel-server-devel-latest-2.6.22.12-1mdv2008.0.x86_64.rpm
 915a90d1b7dfd1f1b443d77191d90dad  2008.0/x86_64/kernel-server-latest-2.6.22.12-1mdv2008.0.x86_64.rpm
 7b9728978473981add1ab6f95272a3ac  2008.0/x86_64/kernel-source-2.6.22.12-1mdv-1-1mdv2008.0.x86_64.rpm
 e5e79acce294760ba2250590efffbcb1  2008.0/x86_64/kernel-source-latest-2.6.22.12-1mdv2008.0.x86_64.rpm 
 666ec61a6b9f117b3a991bc0163b66a2  2008.0/SRPMS/kernel-2.6.22.12-1mdv2008.0.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHTalKmqjQ0CJFipgRAmuMAKC5vYuP+GWkDtVgvHdlonswXNInPACgt14z
xMNG7xobmmz9u/fFFl77ZFw=
=+r4e
-----END PGP SIGNATURE-----



------------------------------

Message: 8
Date: Wed, 28 Nov 2007 21:43:56 +0000
From: dev code <devcode29 () hotmail com>
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple
        Bufferoverflow  Vulnerability
To: reepex <reepex () gmail com>, Rajesh Sethumadhavan
        <rajesh.sethumadhavan () yahoo com>, <full-disclosure () lists grok org uk>
Message-ID: <BAY120-W6DF5E0453F3F1C567924FBE770 () phx gbl>
Content-Type: text/plain; charset="iso-8859-1"


lolerowned, kinda like the 20 other non-exploitable stack overflow exceptions that someone else has been reporting on 
full disclosure

> Date: Wed, 28 Nov 2007 09:11:30 -0600
> From: reepex () gmail com
> To: rajesh.sethumadhavan () yahoo com; full-disclosure () lists grok org uk
> Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow     Vulnerability
>
> so... what fuzzer that you didn't code did you use to find these amazing vulns?
>
> Also nice 'payload'  in your exploits meaning 'nice long lists of "a"s'. You should not claim code execution when your 
> code does not perform it.
>
> Well I guess it has been good talking until your fuzzer crashes another application and you copy and paste the results

 
[Rajesh Sethumadhavan's advisory, quoted in full in Message 4, snipped]



_________________________________________________________________
Connect and share in new ways with Windows Live.
http://www.windowslive.com/connect.html?ocid=TXT_TAGLM_Wave2_newways_112007
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20071128/587fa595/attachment-0001.html 

------------------------------

Message: 9
Date: Wed, 28 Nov 2007 17:21:54 -0500
From: "Stan Bubrouski" <stan.bubrouski () gmail com>
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple
        Bufferoverflow  Vulnerability
To: "dev code" <devcode29 () hotmail com>
Cc: full-disclosure () lists grok org uk
Message-ID:
        <122827b90711281421u64663492jadd2b4d101d9fd45 () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1

Not to mention the obvious fact that if you have to trick someone into
running a batch file then you could probably just tell the genius to
execute a special EXE you crafted for them.

-sb

On Nov 28, 2007 4:43 PM, dev code <devcode29 () hotmail com> wrote:
> lolerowned, kinda like the 20 other non-exploitable stack overflow
> exceptions that someone else has been reporting on full disclosure
> ________________________________
> Date: Wed, 28 Nov 2007 09:11:30 -0600
> From: reepex () gmail com
> To: rajesh.sethumadhavan () yahoo com; full-disclosure () lists grok org uk
> Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow
> Vulnerability
>
> so... what fuzzer that you didn't code did you use to find these amazing
> vulns?
>
> Also nice 'payload'  in your exploits meaning 'nice long lists of "a"s'. You
> should not claim code execution when your code does not perform it.
>
> Well I guess it has been good talking until your fuzzer crashes another
> application and you copy and paste the results


On 11/28/07, Rajesh Sethumadhavan <rajesh.sethumadhavan () yahoo com> wrote:
Microsoft FTP Client Multiple Bufferoverflow
Vulnerability

#####################################################################

XDisclose Advisory      : XD100096
Vulnerability Discovered: November 20th 2007
Advisory Reported       : November 28th 2007
Credit                  : Rajesh Sethumadhavan

Class                   : Buffer Overflow
                         Denial Of Service
Solution Status         : Unpatched
Vendor                  : Microsoft Corporation
Affected applications   : Microsoft FTP Client
Affected Platform       : Windows 2000 server
                         Windows 2000 Professional
                         Windows XP
                         (Other Versions may be also effected)

#####################################################################


Overview:
Bufferoverflow vulnerability is discovered in
microsoft ftp client. Attackers can crash the ftp
client of the victim user by tricking the user.


Description:
A remote attacker can craft packet with payload in the
"mget", "ls", "dir", "username" and "password"
commands as demonstrated below. When victim execute
POC or specially crafted packets, ftp client will
crash possible arbitrary code execution in contest of
logged in user. This vulnerability is hard to exploit
since it requires social engineering and shellcode has
to be injected as argument in vulnerable commands.

The vulnerability is caused due to an error in the
Windows FTP client in validating commands like "mget",
"dir", "user", password and "ls"

Exploitation method:

Method 1:
-Send the POC with the payload to the user.
-Social engineer the victim to open it.

Method 2:
-The attacker creates a directory with a long folder or
file name on his FTP server (should be other than an
IIS server).
-Persuade the victim to run the command "mget", "ls" or
"dir" on the specially crafted folder using the
Microsoft FTP client.
-The FTP client will crash and the payload will get
executed.


Proof Of Concept:
http://www.xdisclose.com/poc/mget.bat.txt
http://www.xdisclose.com/poc/username.bat.txt
http://www.xdisclose.com/poc/directory.bat.txt
http://www.xdisclose.com/poc/list.bat.txt

Note: Modify the POC to connect to a lab FTP server
     (as of now it will connect to
ftp://xdisclose.com).

Demonstration:
Note: The demonstration leads to crashing of the
Microsoft FTP client.

Download the POC, rename it to a .bat file and execute
any one of the batch files:
http://www.xdisclose.com/poc/mget.bat.txt
http://www.xdisclose.com/poc/username.bat.txt
http://www.xdisclose.com/poc/directory.bat.txt
http://www.xdisclose.com/poc/list.bat.txt


Solution:
No Solution

Screenshot:
http://www.xdisclose.com/images/msftpbof.jpg


Impact:
Successful exploitation may allow execution of
arbitrary code with the privileges of the currently
logged-in user.

Impact of the vulnerability is system level.


Original Advisory:
http://www.xdisclose.com/advisory/XD100096.html

Credits:
Rajesh Sethumadhavan has been credited with the
discovery of this vulnerability


Disclaimer:
This entire document is strictly for educational,
testing and demonstration purposes only. Modification,
use and/or publishing of this information is entirely
at your own risk. The exploit code/Proof Of Concept is
to be used in a test environment only. I am not liable
for any direct or indirect damages caused as a result
of using the information or demonstrations provided in
any part of this advisory.




____________________________________________________________________________________
Never miss a thing.  Make Yahoo your home page.
http://www.yahoo.com/r/hs

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


________________________________
Connect and share in new ways with Windows Live. Connect now!
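The thread above argues about whether a crash on a long run of "a"s is a code-execution bug, but the bug class the advisory names is the ordinary one: a fixed-size name buffer filled from a server-supplied directory listing or a command argument without a length check. The C sketch below is an added illustration for readers, not the Windows FTP client's code (which is not on the page) and not the PoC: it puts the unchecked copy beside a bounded version that rejects over-long entries, and runs the bounded version over a constructed listing containing a 300-byte name. NAME_BUF_LEN, the one-name-per-line listing shape and all file names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for the illustration; the real client's limits are not on the page. */
#define NAME_BUF_LEN 260

/* Vulnerable pattern: the name is copied without checking that it fits.
 * Shown for contrast only; nothing in this file calls it. */
void copy_name_unchecked(char dst[NAME_BUF_LEN], const char *name) {
    strcpy(dst, name);  /* writes past dst once strlen(name) >= NAME_BUF_LEN */
}

/* Hardened version: refuse any name that does not fit together with its NUL.
 * Rejecting beats silent truncation, which can quietly turn one file name
 * into another. Returns true and fills dst on success. */
bool copy_name_checked(char dst[NAME_BUF_LEN], const char *name, size_t name_len) {
    if (name_len >= NAME_BUF_LEN) {
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, name, name_len);
    dst[name_len] = '\0';
    return true;
}

/* Walk a one-name-per-line listing (assumed here to be the shape that
 * "ls"/"mget" consume) and return how many entries were rejected as
 * over-long. Every entry goes through copy_name_checked, never strcpy. */
int count_rejected_names(const char *listing) {
    int rejected = 0;
    const char *p = listing;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len > 0 && p[len - 1] == '\r') len--;   /* CRLF line endings */
        if (len > 0) {
            char name[NAME_BUF_LEN];
            if (!copy_name_checked(name, p, len)) rejected++;
        }
        if (!nl) break;
        p = nl + 1;
    }
    return rejected;
}

/* Constructed listing: two ordinary names around a 300-byte run of "a", the
 * kind of entry the advisory's PoC feeds the client. Returns the rejected count. */
int demo(void) {
    char longname[301];
    char listing[512];
    memset(longname, 'a', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    snprintf(listing, sizeof listing, "readme.txt\r\n%s\r\nnotes.doc\r\n", longname);
    return count_rejected_names(listing);
}

int main(void) {
    printf("rejected %d over-long listing entries\n", demo());
    return 0;
}
```

The only design decision worth noting is rejection rather than truncation: a truncated name is still a valid-looking path, and a client that silently shortens "evil....txt" into something else opens a different class of bug.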




------------------------------

Message: 10
Date: Wed, 28 Nov 2007 15:42:26 -0700
From: security () mandriva com
Subject: [Full-disclosure] [ MDKSA-2007:233 ] - Updated cpio package
        fixes buffer overflow and directory traversal vulnerabilities
To: full-disclosure () lists grok org uk
Message-ID: <E1IxVbu-0003g6-5Q () artemis annvix ca>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDKSA-2007:233
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : cpio
 Date    : November 28, 2007
 Affected: 2007.0, 2007.1, 2008.0, Corporate 3.0, Corporate 4.0,
           Multi Network Firewall 2.0
 _______________________________________________________________________
 
 Problem Description:
 
 
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4476
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1229
 _______________________________________________________________________
 
 Updated Packages:
 
 Mandriva Linux 2007.0:
 88af30721a848b5fd4b3e26c5c055846  2007.0/i586/cpio-2.6-7.1mdv2007.0.i586.rpm 
 250697255ccc671ca2a01c2ba762aac6  2007.0/SRPMS/cpio-2.6-7.1mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 fc1e32f7b528997237b392b1c1da9c3c  2007.0/x86_64/cpio-2.6-7.1mdv2007.0.x86_64.rpm 
 250697255ccc671ca2a01c2ba762aac6  2007.0/SRPMS/cpio-2.6-7.1mdv2007.0.src.rpm

 Mandriva Linux 2007.1:
 0814f474aa054b2b7fc92af6e1f5ba01  2007.1/i586/cpio-2.7-3.1mdv2007.1.i586.rpm 
 7292ed206fa271c377cbe72577b42a0d  2007.1/SRPMS/cpio-2.7-3.1mdv2007.1.src.rpm

 Mandriva Linux 2007.1/X86_64:
 851d9793b6f791817bc76b558f8fdd5b  2007.1/x86_64/cpio-2.7-3.1mdv2007.1.x86_64.rpm 
 7292ed206fa271c377cbe72577b42a0d  2007.1/SRPMS/cpio-2.7-3.1mdv2007.1.src.rpm

 Mandriva Linux 2008.0:
 a6747328c665be64979fee53f3878fdb  2008.0/i586/cpio-2.9-2.1mdv2008.0.i586.rpm 
 de436966331be58abba226049bff8edf  2008.0/SRPMS/cpio-2.9-2.1mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 953e95a47bb9a978aa1b98e1c7f56e65  2008.0/x86_64/cpio-2.9-2.1mdv2008.0.x86_64.rpm 
 de436966331be58abba226049bff8edf  2008.0/SRPMS/cpio-2.9-2.1mdv2008.0.src.rpm

 Corporate 3.0:
 4dfe1f2b387d396eca07927d65a77ce4  corporate/3.0/i586/cpio-2.5-4.4.C30mdk.i586.rpm 
 10e1e7fcb59c195b6f679b80e75fade0  corporate/3.0/SRPMS/cpio-2.5-4.4.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 dc91afd2f8c7b93a95b898cc9a98182a  corporate/3.0/x86_64/cpio-2.5-4.4.C30mdk.x86_64.rpm 
 10e1e7fcb59c195b6f679b80e75fade0  corporate/3.0/SRPMS/cpio-2.5-4.4.C30mdk.src.rpm

 Corporate 4.0:
 79936c67409d3889d7988fecfde649b5  corporate/4.0/i586/cpio-2.6-5.1.20060mlcs4.i586.rpm 
 593f22ed1a261614a1f0d45932b6c441  corporate/4.0/SRPMS/cpio-2.6-5.1.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 a32dd1c2fcb89b32dacd9c7f5d56acd7  corporate/4.0/x86_64/cpio-2.6-5.1.20060mlcs4.x86_64.rpm 
 593f22ed1a261614a1f0d45932b6c441  corporate/4.0/SRPMS/cpio-2.6-5.1.20060mlcs4.src.rpm

 Multi Network Firewall 2.0:
 3abab72dae445f67c65d58f975f8816c  mnf/2.0/i586/cpio-2.5-4.4.M20mdk.i586.rpm 
 2a1e733d240e05b2771c135ebcbca4d4  mnf/2.0/SRPMS/cpio-2.5-4.4.M20mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHTcLbmqjQ0CJFipgRAge8AJ97m1vvl9hCXMm1D3Hf2ClJYpJVsgCgld5b
HziHEhmvMccwc97yrLEj3ps=
=QhpI
-----END PGP SIGNATURE-----



------------------------------

Message: 11
Date: Wed, 28 Nov 2007 16:19:53 -0700
From: security () mandriva com
Subject: [Full-disclosure] [ MDKSA-2007:233 ] - Updated cpio package
        fixes buffer overflow and directory traversal vulnerabilities
To: full-disclosure () lists grok org uk
Message-ID: <E1IxWC9-000406-PP () artemis annvix ca>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDKSA-2007:233
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : cpio
 Date    : November 28, 2007
 Affected: 2007.0, 2007.1, 2008.0, Corporate 3.0, Corporate 4.0,
           Multi Network Firewall 2.0
 _______________________________________________________________________
 
 Problem Description:
 
 Buffer overflow in the safer_name_suffix function in GNU cpio
 has unspecified attack vectors and impact, resulting in a crashing
 stack. This problem is originally found in tar, but affects cpio too,
 due to similar code fragments. (CVE-2007-4476)
 
 Directory traversal vulnerability in cpio 2.6 and earlier allows remote
 attackers to write to arbitrary directories via a .. (dot dot) in a
 cpio file. This is an old issue, affecting only Mandriva Corporate
 Server 4 and Mandriva Linux 2007. (CVE-2005-1229)
 
 Updated package fixes these issues.
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4476
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1229
 _______________________________________________________________________
 
 Updated Packages:
 
 Mandriva Linux 2007.0:
 88af30721a848b5fd4b3e26c5c055846  2007.0/i586/cpio-2.6-7.1mdv2007.0.i586.rpm 
 250697255ccc671ca2a01c2ba762aac6  2007.0/SRPMS/cpio-2.6-7.1mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 fc1e32f7b528997237b392b1c1da9c3c  2007.0/x86_64/cpio-2.6-7.1mdv2007.0.x86_64.rpm 
 250697255ccc671ca2a01c2ba762aac6  2007.0/SRPMS/cpio-2.6-7.1mdv2007.0.src.rpm

 Mandriva Linux 2007.1:
 0814f474aa054b2b7fc92af6e1f5ba01  2007.1/i586/cpio-2.7-3.1mdv2007.1.i586.rpm 
 7292ed206fa271c377cbe72577b42a0d  2007.1/SRPMS/cpio-2.7-3.1mdv2007.1.src.rpm

 Mandriva Linux 2007.1/X86_64:
 851d9793b6f791817bc76b558f8fdd5b  2007.1/x86_64/cpio-2.7-3.1mdv2007.1.x86_64.rpm 
 7292ed206fa271c377cbe72577b42a0d  2007.1/SRPMS/cpio-2.7-3.1mdv2007.1.src.rpm

 Mandriva Linux 2008.0:
 a6747328c665be64979fee53f3878fdb  2008.0/i586/cpio-2.9-2.1mdv2008.0.i586.rpm 
 de436966331be58abba226049bff8edf  2008.0/SRPMS/cpio-2.9-2.1mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 953e95a47bb9a978aa1b98e1c7f56e65  2008.0/x86_64/cpio-2.9-2.1mdv2008.0.x86_64.rpm 
 de436966331be58abba226049bff8edf  2008.0/SRPMS/cpio-2.9-2.1mdv2008.0.src.rpm

 Corporate 3.0:
 4dfe1f2b387d396eca07927d65a77ce4  corporate/3.0/i586/cpio-2.5-4.4.C30mdk.i586.rpm 
 10e1e7fcb59c195b6f679b80e75fade0  corporate/3.0/SRPMS/cpio-2.5-4.4.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 dc91afd2f8c7b93a95b898cc9a98182a  corporate/3.0/x86_64/cpio-2.5-4.4.C30mdk.x86_64.rpm 
 10e1e7fcb59c195b6f679b80e75fade0  corporate/3.0/SRPMS/cpio-2.5-4.4.C30mdk.src.rpm

 Corporate 4.0:
 79936c67409d3889d7988fecfde649b5  corporate/4.0/i586/cpio-2.6-5.1.20060mlcs4.i586.rpm 
 593f22ed1a261614a1f0d45932b6c441  corporate/4.0/SRPMS/cpio-2.6-5.1.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 a32dd1c2fcb89b32dacd9c7f5d56acd7  corporate/4.0/x86_64/cpio-2.6-5.1.20060mlcs4.x86_64.rpm 
 593f22ed1a261614a1f0d45932b6c441  corporate/4.0/SRPMS/cpio-2.6-5.1.20060mlcs4.src.rpm

 Multi Network Firewall 2.0:
 3abab72dae445f67c65d58f975f8816c  mnf/2.0/i586/cpio-2.5-4.4.M20mdk.i586.rpm 
 2a1e733d240e05b2771c135ebcbca4d4  mnf/2.0/SRPMS/cpio-2.5-4.4.M20mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHTfdRmqjQ0CJFipgRAiBcAJ9lW2Xb2u2NBqtF/Gfl90DlD3yXLgCg1atN
gTm4NWlU7BE5H/nvQQzHhgU=
=Fg/j
-----END PGP SIGNATURE-----
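Of the two issues in the Mandriva advisory above, the directory traversal (CVE-2005-1229, a ".." in a member name of a cpio file) is the one an archive extractor can guard against in a few lines. The C function below is an added example and is not cpio's or tar's safer_name_suffix code: it strips leading "/" and leading ".." components so the member name is always relative to the extraction directory, and refuses any name that still contains a ".." component, because "a/../../etc/passwd" would escape the target after prefix stripping alone. SAFE_NAME_LEN and the sample member names are constructed for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the sanitised-name buffer (assumption; size it to the extractor's limits). */
#define SAFE_NAME_LEN 4096

/* True if the path component [c, c+len) is exactly "..". */
static bool is_dotdot(const char *c, size_t len) {
    return len == 2 && c[0] == '.' && c[1] == '.';
}

/* Sanitise an archive member name before it is joined to the extraction
 * directory. This follows the intent of tar/cpio's safer_name_suffix but is
 * not its code. Leading '/' and leading ".." components are stripped so the
 * name is always relative; a name that still contains a ".." component
 * anywhere is refused. Returns true and writes the usable name to 'out',
 * or false if the name is rejected. */
bool safe_member_name(const char *name, char out[SAFE_NAME_LEN]) {
    const char *p = name;

    /* Drop any mix of leading "/" and "../" (or a bare "..") prefixes. */
    for (;;) {
        while (*p == '/') p++;
        if (p[0] == '.' && p[1] == '.' && (p[2] == '/' || p[2] == '\0')) {
            p += 2;
            continue;
        }
        break;
    }

    /* Whatever remains must not contain a ".." component. */
    for (const char *c = p; *c != '\0'; ) {
        const char *slash = strchr(c, '/');
        size_t len = slash ? (size_t)(slash - c) : strlen(c);
        if (is_dotdot(c, len)) return false;
        if (!slash) break;
        c = slash + 1;
    }

    size_t len = strlen(p);
    if (len == 0 || len >= SAFE_NAME_LEN) return false;  /* empty after stripping, or too long */
    memcpy(out, p, len + 1);
    return true;
}

/* Convenience wrapper: the sanitised name from a static buffer, or NULL when rejected. */
const char *sanitized(const char *name) {
    static char buf[SAFE_NAME_LEN];
    return safe_member_name(name, buf) ? buf : NULL;
}

/* Constructed sample member names (not taken from a real archive). */
static const char *const SAMPLE_NAMES[] = {
    "etc/motd",            /* ordinary relative name */
    "/etc/passwd",         /* absolute: becomes etc/passwd */
    "../../etc/passwd",    /* leading dot-dot: becomes etc/passwd */
    "a/../../etc/passwd",  /* embedded dot-dot: rejected */
    "../",                 /* nothing left after stripping: rejected */
    "..hidden",            /* looks like dot-dot but is a normal name */
};

/* Returns how many of the sample names are rejected (2 for the list above). */
int count_rejected_samples(void) {
    int rejected = 0;
    for (size_t i = 0; i < sizeof SAMPLE_NAMES / sizeof SAMPLE_NAMES[0]; i++) {
        if (sanitized(SAMPLE_NAMES[i]) == NULL) rejected++;
    }
    return rejected;
}

int main(void) {
    for (size_t i = 0; i < sizeof SAMPLE_NAMES / sizeof SAMPLE_NAMES[0]; i++) {
        const char *s = sanitized(SAMPLE_NAMES[i]);
        printf("%-20s -> %s\n", SAMPLE_NAMES[i], s ? s : "REJECTED");
    }
    return 0;
}
```

Stripping the prefix is what makes "/etc/passwd" and "../../etc/passwd" land harmlessly under the extraction directory; the second pass is what catches the case prefix stripping misses. Symlink members that point outside the tree are a separate check this example does not cover.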



------------------------------

Message: 12
Date: Wed, 28 Nov 2007 18:34:47 -0500
From: "Peter Dawson" <slash.pd () gmail com>
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple
        Bufferoverflow  Vulnerability
To: "Stan Bubrouski" <stan.bubrouski () gmail com>
Cc: full-disclosure () lists grok org uk
Message-ID:
        <8f1f7b60711281534p554ccdb1mea0fd20826625658 () mail gmail com>
Content-Type: text/plain; charset="utf-8"

Yeah ..

a) "Social engineer victim to open it."
b) "Persuade victim to run the command "

is kind funky..

On Nov 28, 2007 5:21 PM, Stan Bubrouski <stan.bubrouski () gmail com> wrote:

Not to mention the obvious fact that if you have to trick someone into
running a batch file then you could probably just tell the genius to
execute a special EXE you crafted for them.

-sb

On Nov 28, 2007 4:43 PM, dev code <devcode29 () hotmail com> wrote:

 lolerowned, kinda like the 20 other non exploitable stack overflow
exceptions that someone else has been reporting on full disclosure

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20071128/20532e89/attachment-0001.html 

------------------------------

Message: 13
Date: Wed, 28 Nov 2007 17:56:41 -0600
From: reepex <reepex () gmail com>
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple
        Bufferoverflow  Vulnerability
To: "Peter Dawson" <slash.pd () gmail com>,
        full-disclosure () lists grok org uk
Message-ID:
        <e9d9d4020711281556g6baf8a8xe228611349b6afb5 () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

woah woah watch your words

many people on fd make their career based on 1) and 2) so dont diss them
unless you want to start an e-war

On 11/28/07, Peter Dawson <slash.pd () gmail com> wrote:

Yeah ..

a) "Social engineer victim to open it."
b) "Persuade victim to run the command "

is kind funky..

On Nov 28, 2007 5:21 PM, Stan Bubrouski < stan.bubrouski () gmail com> wrote:

Not to mention the obvious fact that if you have to trick someone into
running a batch file then you could probably just tell the genius to
execute a special EXE you crafted for them.

-sb

On Nov 28, 2007 4:43 PM, dev code < devcode29 () hotmail com> wrote:

 lolerowned, kinda like the 20 other non exploitable stack overflow
exceptions that someone else has been reporting on full disclosure

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20071128/f63ff9a4/attachment.html 

------------------------------


End of Full-Disclosure Digest, Vol 33, Issue 52
***********************************************