[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Microsoft Internet Information Server ftpd zeroday

To: Thierry Zoller <Thierry@xxxxxxxxx>
Subject: Re: [Full-disclosure] Microsoft Internet Information Server ftpd zeroday
From: "Vladimir '3APA3A' Dubrovin" <3APA3A@xxxxxxxxxxxxxxxx>
Date: Mon, 31 Aug 2009 21:04:18 +0400

Dear Thierry Zoller,

I   think   yes,   MKDIR   is   required.  It  should  be  variation  of
S99-003/MS02-018.  fuzzer  should  be very smart to create directory and
user  both  oversized buffer and ../ in NLST - it makes path longer than
MAX_PATH with existing directory.

--Monday, August 31, 2009, 8:21:12 PM, you wrote to 
full-disclosure@xxxxxxxxxxxxxxxxx:


TZ> Confirmed.

TZ> Ask  yourselves why your fuzzers haven't found that one - Combination of
TZ> MKDIR are required before reaching vuln code ?





-- 
Skype: Vladimir.Dubrovin
~/ZARAZA http://securityvulns.com/
Жало мне не понадобится (С. Лем)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Microsoft Internet Information Server ftpd zeroday
  - From: Guido Landi

References:
- Re: [Full-disclosure] Microsoft Internet Information Server ftpd zeroday
  - From: Thierry Zoller

Prev by Date: Re: [Full-disclosure] Microsoft Internet Information Server ftpd zeroday
Next by Date: [Full-disclosure] [SECURITY] [DSA 1875-1] New ikiwiki packages fix information disclosure
Previous by thread: Re: [Full-disclosure] Microsoft Internet Information Server ftpd zeroday
Next by thread: Re: [Full-disclosure] Microsoft Internet Information Server ftpd zeroday
Index(es):
- Date
- Thread