Bugtraq mailing list archives
Re: Directory traversal in Yak! 2.1.2
From: bil <bil_912 () coolgoose com>
Date: 16 Oct 2004 10:26:09 -0000
In-Reply-To: <20041015193318.3257e4eb.aluigi () autistici org>

===========================================================================

in a previous post i reported this issue.

http://www.securityfocus.com/bid/8581/
http://cert.uni-stuttgart.de/archive/bugtraq/2003/11/msg00222.html

i'm NOT sure if the PUT command works perfectly. coz with the versions i played with, i couldn't upload files successfully

and a password calculator isn't required to know the passwords. just a little sniffer would reveal the username and password clearly.

===========================================================================
Date: Fri, 15 Oct 2004 19:33:18 +0000
From: Luigi Auriemma <aluigi () autistici org>
To: bugtraq () securityfocus com, bugs () securitytracker com, news () securiteam com, full-disclosure () lists netsys com, vuln () secunia com
Subject: Directory traversal in Yak! 2.1.2
Message-Id: <20041015193318.3257e4eb.aluigi () autistici org>

#######################################################################

                             Luigi Auriemma

Application:  Yak!
              http://www.digicraft.com.au/yak/
Versions:     <= 2.1.2
Platforms:    Windows
Bug:          directory traversal (upload)
Exploitation: remote
Date:         15 October 2004
Author:       Luigi Auriemma
              e-mail: aluigi () altervista org
              web:    http://aluigi.altervista.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Yak! is a serverless chat system for Windows that lets people chat and exchange files.

#######################################################################

======
2) Bug
======

When the program starts it creates a username and password for each IP address of the computer's network interfaces.
This login information is needed to grant access to the built-in FTP server (used only to receive files) to other Yak! hosts.

The problem is in this FTP server: the input of the clients is not filtered, so it is possible to upload files anywhere on the disk on which the upload directory of Yak! is located (by default the system's temporary folder), overwriting existing ones.

Naturally it is also possible to see any remote directory and file (but it seems only c: can be surfed, even if the upload folder is set on another disk), while download is prevented by the program because it has been designed to receive files only.

#######################################################################

===========
3) The Code
===========

Do the following operations:

Download my "Yak! username and password calculator"

  http://aluigi.altervista.org/papers/yakcalc.zip

to retrieve the username and password to access the FTP server of a specific Yak! host.

Then connect to the Yak! FTP port, usually 3535:

  C:\>ftp
  ftp> open HOST 3535

Enter the calculated username and password and upload your files like in the following example:

  dir /
  dir ../../windows/
  put evil.exe ../../windows/calc.exe

(slash and backslash have the same effect)

#######################################################################

======
4) Fix
======

No fix.
Vendor was contacted exactly one month ago but no patch is available.

#######################################################################

---
Luigi Auriemma
http://aluigi.altervista.org
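Added example, not part of the original posts and not Yak!'s code: one way an FTP upload handler could filter the client paths the advisory describes, treating slash and backslash alike and rejecting anything that resolves outside the upload directory. The function names, the `PathEscape` exception and the `C:\Temp\yak` root are assumptions made for illustration.

```python
import ntpath  # Windows path semantics, importable on any OS


class PathEscape(ValueError):
    """The client-supplied path resolves outside the upload directory."""


def resolve_upload_path(upload_root: str, client_path: str) -> str:
    """Map an FTP client path to a location inside upload_root, or raise."""
    root = ntpath.normpath(upload_root)
    # Slash and backslash are equivalent on Windows, so unify them first.
    rel = client_path.replace("/", "\\")
    # A colon means a drive letter (D:\x, D:x) or an alternate data stream.
    if ":" in rel or "\x00" in rel:
        raise PathEscape(client_path)
    # "/" is the virtual root of the upload area: leading separators
    # (including UNC-style \\host\share prefixes) are stripped, not honoured.
    rel = rel.lstrip("\\")
    candidate = ntpath.normpath(ntpath.join(root, rel))
    # Compare whole components, case-insensitively. A startswith() test
    # would wrongly accept C:\Temp\yak-evil for the root C:\Temp\yak.
    want = ntpath.normcase(root)
    if ntpath.commonpath([want, ntpath.normcase(candidate)]) != want:
        raise PathEscape(client_path)
    return candidate


def check(upload_root: str, client_path: str) -> str:
    """Return 'ALLOW <path>' or 'DENY' for one requested path."""
    try:
        return "ALLOW " + resolve_upload_path(upload_root, client_path)
    except PathEscape:
        return "DENY"


if __name__ == "__main__":
    ROOT = r"C:\Temp\yak"  # constructed upload directory
    for p in ["photo.jpg", "sub/../photo.jpg", "/", "../../windows/",
              "../../windows/calc.exe", r"..\..\windows\calc.exe",
              "../yak-evil/x.txt", "D:/x.txt"]:
        print(f"{p!r:32} {check(ROOT, p)}")
```

The check is purely lexical, so a server whose upload directory can contain junctions or symbolic links would also need to resolve the final path on disk before comparing it with the root.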
Current thread:
- Directory traversal in Yak! 2.1.2 Luigi Auriemma (Oct 15)
- <Possible follow-ups>
- Re: Directory traversal in Yak! 2.1.2 bil (Oct 18)