
Re: [Full-disclosure] Full-Disclosure Digest, Vol 33, Issue 52



Sent via BlackBerry from T-Mobile

-----Original Message-----
From: full-disclosure-request@xxxxxxxxxxxxxxxxx

Date: Wed, 28 Nov 2007 23:56:50 
To:full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Full-Disclosure Digest, Vol 33, Issue 52



Today's Topics:

   1. Re: Microsoft FTP Client Multiple Bufferoverflow
      Vulnerability (Tonnerre Lombard)
   2. Re: Microsoft FTP Client Multiple Bufferoverflow
      Vulnerability (KJK::Hyperion)
   3. Re: Microsoft FTP Client Multiple Bufferoverflow
      Vulnerability (Tonnerre Lombard)
   4. Re: Microsoft FTP Client Multiple Bufferoverflow
      Vulnerability (reepex)
   5. Secunia Research: Symantec Backup Exec Job Engine Denial of
      Service (Secunia Research)
   6. Re: Microsoft FTP Client Multiple Bufferoverflow
      Vulnerability (Valdis.Kletnieks@xxxxxx)
   7. [ MDKSA-2007:232 ] - Updated kernel packages fix multiple
      vulnerabilities and bugs (security@xxxxxxxxxxxx)
   8. Re: Microsoft FTP Client Multiple Bufferoverflow
      Vulnerability (dev code)
   9. Re: Microsoft FTP Client Multiple Bufferoverflow
      Vulnerability (Stan Bubrouski)
  10. [ MDKSA-2007:233 ] - Updated cpio package fixes buffer
      overflow and directory traversal vulnerabilities
      (security@xxxxxxxxxxxx)
  11. [ MDKSA-2007:233 ] - Updated cpio package fixes buffer
      overflow and directory traversal vulnerabilities
      (security@xxxxxxxxxxxx)
  12. Re: Microsoft FTP Client Multiple Bufferoverflow
      Vulnerability (Peter Dawson)
  13. Re: Microsoft FTP Client Multiple Bufferoverflow
      Vulnerability (reepex)


----------------------------------------------------------------------

Message: 1
Date: Wed, 28 Nov 2007 12:44:11 +0100
From: Tonnerre Lombard <tonnerre.lombard@xxxxxxxxxx>
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple
        Bufferoverflow Vulnerability
To: full-disclosure@xxxxxxxxxxxxxxxxx
Message-ID: <20071128124411.7c0e55a4@xxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

Salut,

On Wed, 28 Nov 2007 12:05:24 +0100 "KJK::Hyperion" <hackbunny@xxxxxxxxxx> wrote:
> Rajesh Sethumadhavan ha scritto:
> > Microsoft FTP Client Multiple Bufferoverflow
> > Vulnerability
> 
> Isn't the FTP client compiled with stack overflow protection?

If so, how is that supposed to help?

                                Tonnerre
-- 
SyGroup GmbH
Tonnerre Lombard

Solutions Systematiques
Tel: +41 61 333 80 33           Güterstrasse 86
Fax: +41 61 383 14 67           4053 Basel
Web: www.sygroup.ch             tonnerre.lombard@xxxxxxxxxx

------------------------------

Message: 2
Date: Wed, 28 Nov 2007 13:16:34 +0100
From: "KJK::Hyperion" <hackbunny@xxxxxxxxxx>
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple
        Bufferoverflow Vulnerability
To: full-disclosure@xxxxxxxxxxxxxxxxx
Message-ID: <474D5C22.2080608@xxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1

Tonnerre Lombard ha scritto:
>>> Microsoft FTP Client Multiple Bufferoverflow
>>> Vulnerability
>> Isn't the FTP client compiled with stack overflow protection?
> If so, how is that supposed to help?

By terminating the program before the payload is executed



------------------------------

Message: 3
Date: Wed, 28 Nov 2007 15:49:34 +0100
From: Tonnerre Lombard <tonnerre.lombard@xxxxxxxxxx>
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple
        Bufferoverflow Vulnerability
To: full-disclosure@xxxxxxxxxxxxxxxxx
Message-ID: <20071128154934.29ad2810@xxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

Salut,

On Wed, 28 Nov 2007 13:16:34 +0100 "KJK::Hyperion" <hackbunny@xxxxxxxxxx> wrote:
> Tonnerre Lombard ha scritto:
> >>> Microsoft FTP Client Multiple Bufferoverflow
> >>> Vulnerability
> >> Isn't the FTP client compiled with stack overflow protection?
> > If so, how is that supposed to help?
> 
> By terminating the program before the payload is executed

May I suggest that this protection is not perfect? I was hoping that
people on this mailing list consider this to be an established fact.

                                Tonnerre
-- 
SyGroup GmbH
Tonnerre Lombard

Solutions Systematiques
Tel: +41 61 333 80 33           Güterstrasse 86
Fax: +41 61 383 14 67           4053 Basel
Web: www.sygroup.ch             tonnerre.lombard@xxxxxxxxxx

------------------------------

Message: 4
Date: Wed, 28 Nov 2007 09:11:30 -0600
From: reepex <reepex@xxxxxxxxx>
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple
        Bufferoverflow  Vulnerability
To: "Rajesh Sethumadhavan" <rajesh.sethumadhavan@xxxxxxxxx>,
        full-disclosure@xxxxxxxxxxxxxxxxx
Message-ID:
        <e9d9d4020711280711v61ee588djd829a935e0e61152@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

so... what fuzzer that you didn't code did you use to find these amazing
vulns?

Also nice 'payload' in your exploits meaning 'nice long lists of "a"s'. You
should not claim code execution when your code does not perform it.

Well I guess it has been good talking until your fuzzer crashes another
application and you copy and paste the results.


On 11/28/07, Rajesh Sethumadhavan <rajesh.sethumadhavan@xxxxxxxxx> wrote:
>
> Microsoft FTP Client Multiple Bufferoverflow
> Vulnerability
>
> #####################################################################
>
> XDisclose Advisory      : XD100096
> Vulnerability Discovered: November 20th 2007
> Advisory Reported       : November 28th 2007
> Credit                  : Rajesh Sethumadhavan
>
> Class                   : Buffer Overflow
>                          Denial Of Service
> Solution Status         : Unpatched
> Vendor                  : Microsoft Corporation
> Affected applications   : Microsoft FTP Client
> Affected Platform       : Windows 2000 server
>                          Windows 2000 Professional
>                          Windows XP
>                          (Other versions may also be affected)
>
> #####################################################################
>
>
> Overview:
> A buffer overflow vulnerability was discovered in the
> Microsoft FTP client. Attackers can crash the FTP
> client of the victim user by tricking the user.
>
>
> Description:
> A remote attacker can craft a packet with a payload in the
> "mget", "ls", "dir", "username" and "password"
> commands as demonstrated below. When the victim executes
> the POC or specially crafted packets, the FTP client will
> crash, with possible arbitrary code execution in the context
> of the logged-in user. This vulnerability is hard to exploit
> since it requires social engineering and the shellcode has
> to be injected as an argument to the vulnerable commands.
>
> The vulnerability is caused by an error in the
> Windows FTP client in validating commands like "mget",
> "dir", "user", "password" and "ls".
>
> Exploitation method:
>
> Method 1:
> -Send POC with payload to user.
> -Social engineer victim to open it.
>
> Method 2:
> -The attacker creates a directory with a long folder or
> file name on his FTP server (should be other than an IIS
> server)
> -Persuade the victim to run the command "mget", "ls" or
> "dir" on the specially crafted folder using the Microsoft FTP
> client
> -The FTP client will crash and the payload will get executed
>
>
> Proof Of Concept:
> http://www.xdisclose.com/poc/mget.bat.txt
> http://www.xdisclose.com/poc/username.bat.txt
> http://www.xdisclose.com/poc/directory.bat.txt
> http://www.xdisclose.com/poc/list.bat.txt
>
> Note: Modify POC to connect to lab FTP Server
>      (As of now it will connect to
> ftp://xdisclose.com)
>
> Demonstration:
> Note: Demonstration leads to crashing of Microsoft FTP
> Client
>
> Download the POC, rename it to a .bat file and execute any one of
> the batch files
> http://www.xdisclose.com/poc/mget.bat.txt
> http://www.xdisclose.com/poc/username.bat.txt
> http://www.xdisclose.com/poc/directory.bat.txt
> http://www.xdisclose.com/poc/list.bat.txt
>
>
> Solution:
> No Solution
>
> Screenshot:
> http://www.xdisclose.com/images/msftpbof.jpg
>
>
> Impact:
> Successful exploitation may allow execution of
> arbitrary code with the privileges of the currently logged-in
> user.
>
> Impact of the vulnerability is system level.
>
>
> Original Advisory:
> http://www.xdisclose.com/advisory/XD100096.html
>
> Credits:
> Rajesh Sethumadhavan has been credited with the
> discovery of this vulnerability
>
>
> Disclaimer:
> This entire document is strictly for educational,
> testing and demonstrating purpose only. Modification
> use and/or publishing this information is entirely on
> your own risk. The exploit code/Proof Of Concept is to
> be used on test environment only. I am not liable for
> any direct or indirect damages caused as a result of
> using the information or demonstrations provided in
> any part of this advisory.
>
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

------------------------------

Message: 5
Date: Wed, 28 Nov 2007 10:43:42 +0100
From: Secunia Research <remove-vuln@xxxxxxxxxxx>
Subject: [Full-disclosure] Secunia Research: Symantec Backup Exec Job
        Engine  Denial of Service
To: full-disclosure@xxxxxxxxxxxxxxxxx
Message-ID: <1196243023.25960.307.camel@xxxxxxxxxx>
Content-Type: text/plain

====================================================================== 

                     Secunia Research 28/11/2007

       - Symantec Backup Exec Job Engine Denial of Service -

====================================================================== 
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

====================================================================== 
1) Affected Software 

* Symantec Backup Exec for Windows Servers version 11d (11.0 rev 7170)

NOTE: Other versions may also be affected.

====================================================================== 
2) Severity 

Rating: Less Critical
Impact: Denial of Service
Where:  Local network

====================================================================== 
3) Vendor's Description of Software 

"Symantec Backup Exec 11d for Windows Servers is the gold standard in 
Windows data recovery, providing cost-effective, high-performance, and 
certified disk-to-disk-to-tape backup and recovery, with available 
continuous data protection for Microsoft Exchange, SQL, file servers, 
and workstations. High-performance agents and options provide fast, 
flexible, granular protection and recovery, and scalable management of
local and remote server backups."
 
Product Link:
http://www.symantec.com/business/products/overview.jsp?pcid=2244&pvid=57_1

====================================================================== 
4) Description of Vulnerability

Secunia Research has discovered some vulnerabilities in Symantec 
Backup Exec for Windows Servers, which can be exploited by malicious 
people to cause a DoS (Denial of Service).

1) A NULL-pointer dereference error in the Backup Exec Job Engine 
service (bengine.exe) when handling exceptions can be exploited to 
crash the service by sending a specially crafted packet to default 
port 5633/TCP.

2) Two integer overflow errors within the Backup Exec Job Engine 
service can be exploited to e.g. cause the service to enter an 
infinite loop and exhaust all available memory or consume large 
amounts of CPU resource by sending a specially crafted packet to 
default port 5633/TCP.

====================================================================== 
5) Solution 

Apply hotfixes.

Build 11.0.6235:
http://support.veritas.com/docs/294241

Build 11.0.7170:
http://support.veritas.com/docs/294237

====================================================================== 
6) Time Table 

02/10/2007 - Vendor notified. 
02/10/2007 - Vendor replied.
28/11/2007 - Public disclosure.

====================================================================== 
7) Credits 

Discovered by JJ Reyes, Secunia Research.

====================================================================== 
8) References

SYM07-029:
http://securityresponse.symantec.com/avcenter/security/Content/2007.11.27.html

The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2007-4346 (NULL pointer dereference error) and CVE-2007-4347
(integer overflows) for the vulnerabilities.

====================================================================== 
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://corporate.secunia.com/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://corporate.secunia.com/secunia_research/33/

Secunia regularly hires new skilled team members. Check the URL below 
to see currently vacant positions:

http://secunia.com/secunia_vacancies/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/ 

====================================================================== 
10) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2007-74/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================



------------------------------

Message: 6
Date: Wed, 28 Nov 2007 12:27:14 -0500
From: Valdis.Kletnieks@xxxxxx
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple
        Bufferoverflow  Vulnerability
To: "KJK::Hyperion" <hackbunny@xxxxxxxxxx>
Cc: full-disclosure@xxxxxxxxxxxxxxxxx
Message-ID: <20490.1196270834@xxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="us-ascii"

On Wed, 28 Nov 2007 12:05:24 +0100, "KJK::Hyperion" said:
> Rajesh Sethumadhavan ha scritto:
> > Microsoft FTP Client Multiple Bufferoverflow
> > Vulnerability
> 
> Isn't the FTP client compiled with stack overflow protection?

Not all buffers live on the stack.
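The point Valdis makes above, as an added example that is not taken from any message in this digest: a stack cookie only detects a smashed stack frame, so a server-supplied file name copied unchecked into a fixed field of a heap-allocated entry would never trip it, and the real defence is a length check at the copy. The UNIX-style LIST line layout, the 64-byte name field and the function names are assumptions made for this example; entries that do not fit are rejected rather than silently truncated.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX_LEN 64   /* fixed-size name field, assumed for the example */

/* One parsed directory entry. The name lives in a fixed field of a
 * heap-allocated struct, so a stack cookie never sees an overflow here. */
struct dir_entry {
    char name[NAME_MAX_LEN];
    unsigned long size;
};

/* Skip n whitespace-separated fields of a LIST line
 * ("-rw-r--r-- 1 ftp ftp 1234 Nov 28 2007 name") and return a pointer to
 * the start of the next field, or NULL if the line has fewer than n fields. */
static const char *skip_fields(const char *p, int n)
{
    for (int i = 0; i < n; i++) {
        while (*p == ' ' || *p == '\t')
            p++;
        if (*p == '\0' || *p == '\r' || *p == '\n')
            return NULL;
        while (*p && *p != ' ' && *p != '\t' && *p != '\r' && *p != '\n')
            p++;
    }
    while (*p == ' ' || *p == '\t')
        p++;
    return p;
}

/* Checked parse: the name is everything after the eighth field (so names
 * with spaces survive), and any name that does not fit the field is
 * refused. Returns 0 on success, -1 if the line is malformed or too long. */
int parse_entry_checked(const char *line, struct dir_entry *out)
{
    const char *name = skip_fields(line, 8);
    if (name == NULL)
        return -1;
    size_t len = strcspn(name, "\r\n");          /* drop the line terminator */
    if (len == 0 || len >= sizeof out->name)
        return -1;                               /* reject instead of truncating */
    memcpy(out->name, name, len);
    out->name[len] = '\0';

    const char *sz = skip_fields(line, 4);       /* fifth field is the size */
    out->size = sz ? strtoul(sz, NULL, 10) : 0;
    return 0;
}

/* Parse each listing line into a freshly heap-allocated entry, the way a
 * client might build its file table. Returns the number of entries
 * accepted; *rejected receives the number refused. */
int parse_listing(const char *const *lines, int nlines, int *rejected)
{
    int accepted = 0;
    *rejected = 0;
    for (int i = 0; i < nlines; i++) {
        struct dir_entry *e = malloc(sizeof *e);
        if (e == NULL)
            abort();
        if (parse_entry_checked(lines[i], e) == 0) {
            accepted++;
            printf("accepted: %-20s (%lu bytes)\n", e->name, e->size);
        } else {
            (*rejected)++;
            printf("rejected: oversize or malformed entry\n");
        }
        free(e);
    }
    return accepted;
}

/* Constructed sample listing: two well-formed lines, one whose name is far
 * longer than the 64-byte field, and one that is not a LIST line at all. */
int sample_listing_results(int *rejected)
{
    static char long_line[256];
    const char *prefix = "drwxr-xr-x 2 ftp ftp 4096 Nov 28 2007 ";
    size_t n = strlen(prefix);
    memcpy(long_line, prefix, n);
    memset(long_line + n, 'A', 120);
    long_line[n + 120] = '\0';

    const char *lines[] = {
        "-rw-r--r-- 1 ftp ftp 1234 Nov 28 2007 readme.txt\r\n",
        "-rw-r--r-- 1 ftp ftp 99 Nov 28 2007 my file.txt\r\n",
        long_line,
        "garbage\r\n",
    };
    return parse_listing(lines, 4, rejected);
}

int main(void)
{
    int rejected = 0;
    int accepted = sample_listing_results(&rejected);
    printf("%d accepted, %d rejected\n", accepted, rejected);
    return 0;
}
```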


------------------------------

Message: 7
Date: Wed, 28 Nov 2007 13:46:27 -0700
From: security@xxxxxxxxxxxx
Subject: [Full-disclosure] [ MDKSA-2007:232 ] - Updated kernel
        packages fix multiple vulnerabilities and bugs
To: full-disclosure@xxxxxxxxxxxxxxxxx
Message-ID: <E1IxTnf-0003M2-Q8@xxxxxxxxxxxxxxxxx>



 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDKSA-2007:232
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : kernel
 Date    : November 28, 2007
 Affected: 2008.0
 _______________________________________________________________________
 
 Problem Description:
 
 Some vulnerabilities were discovered and corrected in the Linux
 2.6 kernel:
 
 The minix filesystem code allows local users to cause a denial of
 service (hang) via a malformed minix file stream (CVE-2006-6058).
 
 An integer underflow in the Linux kernel prior to 2.6.23 allows remote
 attackers to cause a denial of service (crash) via a crafted SKB length
 value in a runt IEEE 802.11 frame when the IEEE80211_STYPE_QOS_DATA
 flag is set (CVE-2007-4997).
 
 To update your kernel, please follow the directions located at:
 
   http://www.mandriva.com/en/security/kernelupdate
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6058
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4997
 _______________________________________________________________________
 
 Updated Packages:
 
 Mandriva Linux 2008.0:
 Mandriva Linux 2008.0/X86_64:
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>



------------------------------

Message: 8
Date: Wed, 28 Nov 2007 21:43:56 +0000
From: dev code <devcode29@xxxxxxxxxxx>
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple
        Bufferoverflow  Vulnerability
To: reepex <reepex@xxxxxxxxx>, Rajesh Sethumadhavan
        <rajesh.sethumadhavan@xxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxxx>
Message-ID: <BAY120-W6DF5E0453F3F1C567924FBE770@xxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"


lolerowned, kinda like the 20 other non-exploitable stack overflow exceptions 
that someone else has been reporting on full disclosure

------------------------------

Message: 9
Date: Wed, 28 Nov 2007 17:21:54 -0500
From: "Stan Bubrouski" <stan.bubrouski@xxxxxxxxx>
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple
        Bufferoverflow  Vulnerability
To: "dev code" <devcode29@xxxxxxxxxxx>
Cc: full-disclosure@xxxxxxxxxxxxxxxxx
Message-ID:
        <122827b90711281421u64663492jadd2b4d101d9fd45@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1

Not to mention the obvious fact that if you have to trick someone into
running a batch file then you could probably just tell the genius to
execute a special EXE you crafted for them.

-sb

On Nov 28, 2007 4:43 PM, dev code <devcode29@xxxxxxxxxxx> wrote:
>
>  lolerowned, kinda like the 20 other non exploitable stack overflow
> exceptions that someone else has been reporting on full disclosure
> ________________________________
> Date: Wed, 28 Nov 2007 09:11:30 -0600
> From: reepex@xxxxxxxxx
> To: rajesh.sethumadhavan@xxxxxxxxx; full-disclosure@xxxxxxxxxxxxxxxxx
> Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow
> Vulnerability
>
>
>
> so... what fuzzer that you didnt code did you use to find these amazing
> vulns?
>
> Also nice 'payload'  in your exploits meaning 'nice long lists of "a"s'. You
> should not claim code execution when your code does not perform it.
>
> Well I guess it has been good talking until your fuzzer crashes another
> application and you copy and paste the results
>
>
> On 11/28/07, Rajesh Sethumadhavan <rajesh.sethumadhavan@xxxxxxxxx> wrote:
> Microsoft FTP Client Multiple Bufferoverflow
> Vulnerability
>
> #####################################################################
>
> XDisclose Advisory      : XD100096
> Vulnerability Discovered: November 20th 2007
> Advisory Reported       : November 28th 2007
> Credit                  : Rajesh Sethumadhavan
>
> Class                   : Buffer Overflow
>                          Denial Of Service
> Solution Status         : Unpatched
> Vendor                  : Microsoft Corporation
> Affected applications   : Microsoft FTP Client
> Affected Platform       : Windows 2000 server
>                          Windows 2000 Professional
>                          Windows XP
>                          (Other Versions may be also effected)
>
> #####################################################################
>
>
> Overview:
> Bufferoverflow vulnerability is discovered in
> microsoft ftp client. Attackers can crash the ftp
> client of the victim user by tricking the user.
>
>
> Description:
> A remote attacker can craft a packet with a payload in the
> "mget", "ls", "dir", "username" and "password"
> commands as demonstrated below. When the victim executes
> the POC or specially crafted packets, the FTP client will
> crash, with possible arbitrary code execution in the context of
> the logged-in user. This vulnerability is hard to exploit
> since it requires social engineering and the shellcode has
> to be injected as an argument to the vulnerable commands.
>
> The vulnerability is caused by an error in the
> Windows FTP client in validating commands like "mget",
> "dir", "user", "password" and "ls".
>
> Exploitation method:
>
> Method 1:
> -Send the POC with payload to the user.
> -Social engineer the victim to open it.
>
> Method 2:
> -The attacker creates a directory with a long folder or
> file name on his FTP server (should be a server other than
> IIS)
> -Persuade the victim to run the command "mget", "ls" or
> "dir" on the specially crafted folder using the Microsoft FTP
> client
> -The FTP client will crash and the payload will get executed
>
>
> Proof Of Concept:
> http://www.xdisclose.com/poc/mget.bat.txt
> http://www.xdisclose.com/poc/username.bat.txt
> http://www.xdisclose.com/poc/directory.bat.txt
> http://www.xdisclose.com/poc/list.bat.txt
>
> Note: Modify the POC to connect to a lab FTP server
>      (as of now it connects to
> ftp://xdisclose.com)
>
> Demonstration:
> Note: The demonstration crashes the Microsoft FTP
> Client
>
> Download the POC, rename it to a .bat file and execute any one of
> the batch files
> http://www.xdisclose.com/poc/mget.bat.txt
> http://www.xdisclose.com/poc/username.bat.txt
> http://www.xdisclose.com/poc/directory.bat.txt
> http://www.xdisclose.com/poc/list.bat.txt
>
>
> Solution:
> No Solution
>
> Screenshot:
> http://www.xdisclose.com/images/msftpbof.jpg
>
>
> Impact:
> Successful exploitation may allow execution of
> arbitrary code with the privileges of the currently logged-in
> user.
>
> Impact of the vulnerability is system level.
>
>
> Original Advisory:
> http://www.xdisclose.com/advisory/XD100096.html
>
> Credits:
> Rajesh Sethumadhavan has been credited with the
> discovery of this vulnerability
>
>
> Disclaimer:
> This entire document is strictly for educational,
> testing and demonstration purposes only. Modifying,
> using and/or publishing this information is entirely at
> your own risk. The exploit code/Proof Of Concept is to
> be used in a test environment only. I am not liable for
> any direct or indirect damages caused as a result of
> using the information or demonstrations provided in
> any part of this advisory.
>
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
>



------------------------------

Message: 10
Date: Wed, 28 Nov 2007 15:42:26 -0700
From: security@xxxxxxxxxxxx
Subject: [Full-disclosure] [ MDKSA-2007:233 ] - Updated cpio package
        fixes buffer overflow and directory traversal vulnerabilities
To: full-disclosure@xxxxxxxxxxxxxxxxx
Message-ID: <E1IxVbu-0003g6-5Q@xxxxxxxxxxxxxxxxx>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDKSA-2007:233
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : cpio
 Date    : November 28, 2007
 Affected: 2007.0, 2007.1, 2008.0, Corporate 3.0, Corporate 4.0,
           Multi Network Firewall 2.0
 _______________________________________________________________________
 
 Problem Description:
 
 
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4476
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1229
 _______________________________________________________________________
 
 Updated Packages:
 
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHTcLbmqjQ0CJFipgRAge8AJ97m1vvl9hCXMm1D3Hf2ClJYpJVsgCgld5b
HziHEhmvMccwc97yrLEj3ps=
=QhpI
-----END PGP SIGNATURE-----



------------------------------

Message: 11
Date: Wed, 28 Nov 2007 16:19:53 -0700
From: security@xxxxxxxxxxxx
Subject: [Full-disclosure] [ MDKSA-2007:233 ] - Updated cpio package
        fixes buffer overflow and directory traversal vulnerabilities
To: full-disclosure@xxxxxxxxxxxxxxxxx
Message-ID: <E1IxWC9-000406-PP@xxxxxxxxxxxxxxxxx>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDKSA-2007:233
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : cpio
 Date    : November 28, 2007
 Affected: 2007.0, 2007.1, 2008.0, Corporate 3.0, Corporate 4.0,
           Multi Network Firewall 2.0
 _______________________________________________________________________
 
 Problem Description:
 
 Buffer overflow in the safer_name_suffix function in GNU cpio
 has unspecified attack vectors and impact, resulting in a crashing
 stack. This problem was originally found in tar, but affects cpio too,
 due to similar code fragments. (CVE-2007-4476)
 
 Directory traversal vulnerability in cpio 2.6 and earlier allows remote
 attackers to write to arbitrary directories via a .. (dot dot) in a
 cpio file. This is an old issue, affecting only Mandriva Corporate
 Server 4 and Mandriva Linux 2007. (CVE-2005-1229)
 
 The updated packages fix these issues.
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4476
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1229
 _______________________________________________________________________
 
 Updated Packages:
 
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHTfdRmqjQ0CJFipgRAiBcAJ9lW2Xb2u2NBqtF/Gfl90DlD3yXLgCg1atN
gTm4NWlU7BE5H/nvQQzHhgU=
=Fg/j
-----END PGP SIGNATURE-----
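As an added example (not Mandriva's or GNU cpio's code), a small parser for the SVR4 "newc" cpio format with the member-name check that closes the CVE-2005-1229 class of bug described in the advisory above: member names that are absolute or contain a ".." component are skipped instead of written. The archive builder and the sample entries are constructed here for the demonstration; the safer_name_suffix overflow (CVE-2007-4476) is not modelled.

```python
NEWC_MAGIC = b"070701"   # SVR4 cpio "newc" format: all header fields are ASCII hex
HEADER_LEN = 110         # 6-byte magic + 13 fields of 8 hex digits
TRAILER = "TRAILER!!!"   # name of the end-of-archive member

def _pad4(n):
    return (-n) % 4      # NUL padding that brings n up to a multiple of 4

def build_newc(entries):
    """Build a minimal newc archive from (name, data) pairs (constructed test
    input: regular files, uid/gid 0, mtime 0, inode = running counter)."""
    out = bytearray()
    for ino, (name, data) in enumerate(list(entries) + [(TRAILER, b"")], 1):
        name_b = name.encode("utf-8") + b"\0"   # c_namesize counts the NUL
        mode = 0 if name == TRAILER else 0o100644
        # c_ino c_mode c_uid c_gid c_nlink c_mtime c_filesize
        # c_devmajor c_devminor c_rdevmajor c_rdevminor c_namesize c_check
        fields = [ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
        out += NEWC_MAGIC + b"".join(b"%08x" % f for f in fields)
        out += name_b + b"\0" * _pad4(HEADER_LEN + len(name_b))
        out += data + b"\0" * _pad4(len(data))
    return bytes(out)

def parse_newc(blob):
    """Yield (name, data) for each member up to the trailer. Every offset is
    bounds-checked, so a truncated archive or a lying size raises ValueError."""
    off = 0
    while True:
        if off + HEADER_LEN > len(blob):
            raise ValueError("truncated header at offset %d" % off)
        if blob[off:off + 6] != NEWC_MAGIC:
            raise ValueError("bad magic at offset %d" % off)
        hdr = blob[off + 6:off + HEADER_LEN].decode("ascii")
        fields = [int(hdr[i:i + 8], 16) for i in range(0, 104, 8)]
        filesize, namesize = fields[6], fields[11]
        name_start = off + HEADER_LEN
        data_start = name_start + namesize + _pad4(HEADER_LEN + namesize)
        if namesize == 0 or data_start + filesize > len(blob):
            raise ValueError("member at offset %d runs past the archive" % off)
        name = blob[name_start:name_start + namesize - 1].decode("utf-8", "replace")
        if name == TRAILER:
            return
        yield name, blob[data_start:data_start + filesize]
        off = data_start + filesize + _pad4(filesize)

def _components(name):
    return [p for p in name.split("/") if p not in ("", ".")]

def unsafe_reason(name):
    """Why a member name must not be written relative to the extraction dir, or
    None if safe. Absolute names and any '..' component are rejected outright."""
    if name.startswith("/"):
        return "absolute path"
    parts = _components(name)
    if not parts:
        return "empty name"
    if ".." in parts:
        return "'..' component"
    return None

def extract_safe(blob):
    """Return (extracted, rejected): normalised relative name -> data for safe
    members, and (name, reason) for skipped ones. Uses a dict, not the disk."""
    extracted, rejected = {}, []
    for name, data in parse_newc(blob):
        reason = unsafe_reason(name)
        if reason:
            rejected.append((name, reason))
        else:
            extracted["/".join(_components(name))] = data
    return extracted, rejected

# Constructed sample: two harmless members and two that try to escape.
SAMPLE_ENTRIES = [
    ("etc/motd", b"welcome\n"),
    ("../../etc/passwd", b"not-a-real-passwd\n"),
    ("/etc/crontab", b"not-a-real-crontab\n"),
    ("dir/./file", b"x"),
]

if __name__ == "__main__":
    ok, bad = extract_safe(build_newc(SAMPLE_ENTRIES))
    print("extracted:", sorted(ok), "rejected:", bad)
```

Rejecting every ".." component is deliberately stricter than normalising the path first, since a name such as "a/../b" can still be used to probe how the extractor resolves links.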



------------------------------

Message: 12
Date: Wed, 28 Nov 2007 18:34:47 -0500
From: "Peter Dawson" <slash.pd@xxxxxxxxx>
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple
        Bufferoverflow  Vulnerability
To: "Stan Bubrouski" <stan.bubrouski@xxxxxxxxx>
Cc: full-disclosure@xxxxxxxxxxxxxxxxx
Message-ID:
        <8f1f7b60711281534p554ccdb1mea0fd20826625658@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="utf-8"

Yeah ..

a) "Social engineer victim to open it."
b) "Persuade victim to run the command "

is kind funky..

On Nov 28, 2007 5:21 PM, Stan Bubrouski <stan.bubrouski@xxxxxxxxx> wrote:

> Not to mention the obvious fact that if you have to trick someone into
> running a batch file then you could probably just tell the genius to
> execute a special EXE you crafted for them.
>
> -sb
>
> On Nov 28, 2007 4:43 PM, dev code <devcode29@xxxxxxxxxxx> wrote:
> >
> >  lolerowned, kinda like the 20 other non exploitable stack overflow
> > exceptions that someone else has been reporting on full disclosure

------------------------------

Message: 13
Date: Wed, 28 Nov 2007 17:56:41 -0600
From: reepex <reepex@xxxxxxxxx>
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple
        Bufferoverflow  Vulnerability
To: "Peter Dawson" <slash.pd@xxxxxxxxx>,
        full-disclosure@xxxxxxxxxxxxxxxxx
Message-ID:
        <e9d9d4020711281556g6baf8a8xe228611349b6afb5@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

woah woah watch your words

many people on fd make their career based on 1) and 2) so don't diss them
unless you want to start an e-war

On 11/28/07, Peter Dawson <slash.pd@xxxxxxxxx> wrote:
>
> Yeah ..
>
> a) "Social engineer victim to open it."
> b) "Persuade victim to run the command "
>
> is kind funky..
>

------------------------------


End of Full-Disclosure Digest, Vol 33, Issue 52
***********************************************