Re[2]: Microsoft FTP Client Multiple Bufferoverflow Vulnerability
Dear [EMAIL PROTECTED],

--Friday, November 30, 2007, 1:19:49 AM, you wrote to [EMAIL PROTECTED]:

>> An attacker who can convince a user to extract a specially crafted
>> archive can overwrite arbitrary files with the permissions of the user
>> running gtar. If that user is root, the attacker can overwrite any
>> file on the system.

VKve> Apparently, somebody at FreeBSD thinks "can be exploited if you trick the
VKve> user into doing something" is a valid attack vector.

This is a valid factor. The difference is: if you can force the user to extract an archive, you need a vulnerability in gtar in order to exploit it. If you can force the user to run an executable script, you need no vulnerability in the FTP client to exploit this.

--
~/ZARAZA
http://securityvulns.com/
The trouble will begin at eight. (Twain)
Re: Microsoft FTP Client Multiple Bufferoverflow Vulnerability
On Thu, 2007-11-29 at 23:19 +0100, [EMAIL PROTECTED] wrote:
> On Thu, 29 Nov 2007 14:46:06 +0300, 3APA3A said:
> > In order to exploit this vulnerability you need to force the victim to run
> > an attacker-supplied BAT file. It's like forcing a user to run an
> > attacker-supplied .sh script under Unix.
>
> And oddly enough, the *very next mail* from Bugtraq said:
>
> > FreeBSD-SA-07:10.gtar                                        Security Advisory
> >                                                           The FreeBSD Project
> >
> > Topic:          gtar directory traversal vulnerability
> ...
> > III. Impact
> >
> > An attacker who can convince a user to extract a specially crafted
> > archive can overwrite arbitrary files with the permissions of the user
> > running gtar. If that user is root, the attacker can overwrite any
> > file on the system.
>
> Apparently, somebody at FreeBSD thinks "can be exploited if you trick the
> user into doing something" is a valid attack vector.

Considering most tar versions have specific protections to avoid this very problem (namely, tar extracting a file outside of the directory hierarchy where it is executed), then yes, it is a problem. Even if you happen to think the root cause of all computing evil is what is between the chair and the keyboard, trojans are a valid attack vector.

--
Vincent ARCHER
Email: [EMAIL PROTECTED]

All men are mortal. Socrates was mortal. Therefore, all men are Socrates. (Woody Allen)
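The gtar problem quoted above comes down to archive entries whose paths resolve outside the extraction directory. As an added illustration of the protection the reply refers to, not code from the thread, from FreeBSD or from gtar, here is a pre-extraction check in Python; the sample archive contents and the destination path /tmp/safe-extract are constructed for the example.

```python
import io
import os
import tarfile


def is_within(base: str, target: str) -> bool:
    """True if target normalises to base itself or to somewhere below it."""
    base, target = os.path.realpath(base), os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def find_escaping_members(tar_bytes: bytes, dest: str) -> list:
    """Names of members that would be written outside dest on extraction.
    Lexical, pre-extraction check: absolute names, '..' components and links
    pointing out of dest. It cannot see symlinks the archive itself creates
    earlier in the stream; that case needs a check at extraction time."""
    escaping = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in tf.getmembers():
            # os.path.join drops dest when m.name is absolute, so absolute
            # names fail this test just as '../..' names do.
            if not is_within(dest, os.path.join(dest, m.name)):
                escaping.append(m.name)
                continue
            if m.issym() or m.islnk():
                # Symlink targets are relative to the link's own directory,
                # hard link targets to the archive root (dest).
                link_dir = os.path.dirname(os.path.join(dest, m.name)) if m.issym() else dest
                if os.path.isabs(m.linkname) or not is_within(dest, os.path.join(link_dir, m.linkname)):
                    escaping.append(m.name)
    return escaping


def build_sample_archive() -> bytes:
    """Constructed sample, not the advisory's archive: one benign file,
    a '..' traversal, an absolute path and a symlink pointing outside."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in (("docs/readme.txt", b"hello\n"),
                           ("../../home/user/.profile", b"# dropped\n"),
                           ("/etc/cron.d/job", b"# dropped\n")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("docs/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../etc"
        tf.addfile(link)
    return buf.getvalue()
```

Running `find_escaping_members(build_sample_archive(), "/tmp/safe-extract")` flags the three hostile members and passes the benign one; an extractor would refuse the archive, or skip those members, before writing anything.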
Re[2]: Microsoft FTP Client Multiple Bufferoverflow Vulnerability
Given the past issues with .zip and .rar unpackers, unpacking an archive should be considered a risky activity. In some sense, opening, accessing, playing, or otherwise touching any file from an unknown source could be considered risky. The list of issues with media files, archive files (or, more accurately put, the applications that handle them) and the like is too long to recite, but informative.

--
---Matthew

*** REPLY SEPARATOR ***

On 11/29/2007 at 6:09 PM Steve Shockley wrote:

>[EMAIL PROTECTED] wrote:
>>> An attacker who can convince a user to extract a specially crafted
>>> archive can overwrite arbitrary files with the permissions of the user
>>> running gtar. If that user is root, the attacker can overwrite any
>>> file on the system.
>>
>> Apparently, somebody at FreeBSD thinks "can be exploited if you trick the
>> user into doing something" is a valid attack vector.
>
>The difference is that I'd be surprised when I got 0wned by unpacking an
>archive, and not all that surprised when I got 0wned by running a random
>executable (script) file.
Re: Microsoft FTP Client Multiple Bufferoverflow Vulnerability
[EMAIL PROTECTED] wrote:
> An attacker who can convince a user to extract a specially crafted
> archive can overwrite arbitrary files with the permissions of the user
> running gtar. If that user is root, the attacker can overwrite any
> file on the system.
>
> Apparently, somebody at FreeBSD thinks "can be exploited if you trick the
> user into doing something" is a valid attack vector.

The difference is that I'd be surprised when I got 0wned by unpacking an archive, and not all that surprised when I got 0wned by running a random executable (script) file.
Re: Microsoft FTP Client Multiple Bufferoverflow Vulnerability
On Thu, 29 Nov 2007 14:46:06 +0300, 3APA3A said:
> In order to exploit this vulnerability you need to force the victim to run
> an attacker-supplied BAT file. It's like forcing a user to run an
> attacker-supplied .sh script under Unix.

And oddly enough, the *very next mail* from Bugtraq said:

> FreeBSD-SA-07:10.gtar                                        Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          gtar directory traversal vulnerability
...
> III. Impact
>
> An attacker who can convince a user to extract a specially crafted
> archive can overwrite arbitrary files with the permissions of the user
> running gtar. If that user is root, the attacker can overwrite any
> file on the system.

Apparently, somebody at FreeBSD thinks "can be exploited if you trick the
user into doing something" is a valid attack vector.
Re: Microsoft FTP Client Multiple Bufferoverflow Vulnerability
Dear Rajesh Sethumadhavan,

In order to exploit this vulnerability you need to force the victim to run an attacker-supplied BAT file. It's like forcing a user to run an attacker-supplied .sh script under Unix. No vulnerability here, except a vulnerability in the human.

The second scenario is better. All you need is to force the user to type more than 1000 characters (including shellcode) in a filename without mistakes. You should be an extremely good social engineer...

--Wednesday, November 28, 2007, 9:12:03 AM, you wrote to bugtraq@securityfocus.com:

RS> Exploitation method:
RS> Method 1:
RS> -Send POC with payload to user.
RS> -Social engineer victim to open it.
RS> Method 2:
RS> -Attacker creates a directory with long folder or
RS> filename in his FTP server (should be other than IIS
RS> server)
RS> -Persuade victim to run the command "mget", "ls" or
RS> "dir" on specially crafted folder using microsoft ftp
RS> client
RS> -FTP client will crash and payload will get executed
RS> Proof Of Concept:
RS> http://www.xdisclose.com/poc/mget.bat.txt
RS> http://www.xdisclose.com/poc/username.bat.txt
RS> http://www.xdisclose.com/poc/directory.bat.txt
RS> http://www.xdisclose.com/poc/list.bat.txt
RS> Note: Modify POC to connect to lab FTP Server
RS> (As of now it will connect to
RS> ftp://xdisclose.com)
RS> Demonstration:
RS> Note: Demonstration leads to crashing of Microsoft FTP
RS> Client
RS> Download POC, rename to .bat file and execute any one of
RS> the batch files
RS> http://www.xdisclose.com/poc/mget.bat.txt
RS> http://www.xdisclose.com/poc/username.bat.txt
RS> http://www.xdisclose.com/poc/directory.bat.txt
RS> http://www.xdisclose.com/poc/list.bat.txt
RS> Solution:
RS> No Solution
RS> Screenshot:
RS> http://www.xdisclose.com/images/msftpbof.jpg
RS> Impact:
RS> Successful exploitation may allow execution of
RS> arbitrary code with the privileges of the currently logged-in
RS> user.
RS> Impact of the vulnerability is system level.
RS> Original Advisory:
RS> http://www.xdisclose.com/advisory/XD100096.html
RS> Credits:
RS> Rajesh Sethumadhavan has been credited with the
RS> discovery of this vulnerability
RS> Disclaimer:
RS> This entire document is strictly for educational,
RS> testing and demonstration purposes only. Modification,
RS> use and/or publishing of this information is entirely at
RS> your own risk. The exploit code/Proof Of Concept is to
RS> be used in a test environment only. I am not liable for
RS> any direct or indirect damages caused as a result of
RS> using the information or demonstrations provided in
RS> any part of this advisory.

--
~/ZARAZA
http://securityvulns.com/
Alcoholism constitutes a particular problem. (Lem)
Microsoft FTP Client Multiple Bufferoverflow Vulnerability
Microsoft FTP Client Multiple Buffer Overflow Vulnerability

# XDisclose Advisory : XD100096
Vulnerability Discovered : November 20th 2007
Advisory Reported : November 28th 2007
Credit : Rajesh Sethumadhavan
Class : Buffer Overflow, Denial Of Service
Solution Status : Unpatched
Vendor : Microsoft Corporation
Affected applications : Microsoft FTP Client
Affected Platform : Windows 2000 Server, Windows 2000 Professional, Windows XP (other versions may also be affected)

# Overview:
A buffer overflow vulnerability has been discovered in the Microsoft FTP client. Attackers can crash the FTP client of the victim user by tricking the user.

Description:
A remote attacker can craft a packet with a payload in the "mget", "ls", "dir", "username" and "password" commands as demonstrated below. When the victim executes the POC or the specially crafted packets, the FTP client will crash, with possible arbitrary code execution in the context of the logged-in user. This vulnerability is hard to exploit since it requires social engineering and the shellcode has to be injected as an argument to the vulnerable commands. The vulnerability is caused by an error in the Windows FTP client in validating commands like "mget", "dir", "user", "password" and "ls".

Exploitation method:
Method 1:
-Send POC with payload to user.
-Social engineer victim to open it.
Method 2:
-Attacker creates a directory with a long folder or filename on his FTP server (should be other than IIS server)
-Persuade victim to run the command "mget", "ls" or "dir" on the specially crafted folder using the Microsoft FTP client
-FTP client will crash and payload will get executed

Proof Of Concept:
http://www.xdisclose.com/poc/mget.bat.txt
http://www.xdisclose.com/poc/username.bat.txt
http://www.xdisclose.com/poc/directory.bat.txt
http://www.xdisclose.com/poc/list.bat.txt
Note: Modify POC to connect to lab FTP Server (As of now it will connect to ftp://xdisclose.com)

Demonstration:
Note: Demonstration leads to crashing of Microsoft FTP Client
Download POC, rename to .bat file and execute any one of the batch files
http://www.xdisclose.com/poc/mget.bat.txt
http://www.xdisclose.com/poc/username.bat.txt
http://www.xdisclose.com/poc/directory.bat.txt
http://www.xdisclose.com/poc/list.bat.txt

Solution:
No Solution

Screenshot:
http://www.xdisclose.com/images/msftpbof.jpg

Impact:
Successful exploitation may allow execution of arbitrary code with the privileges of the currently logged-in user. Impact of the vulnerability is system level.

Original Advisory:
http://www.xdisclose.com/advisory/XD100096.html

Credits:
Rajesh Sethumadhavan has been credited with the discovery of this vulnerability

Disclaimer:
This entire document is strictly for educational, testing and demonstration purposes only. Modification, use and/or publishing of this information is entirely at your own risk. The exploit code/Proof Of Concept is to be used in a test environment only. I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.