Re: Microsoft FTP Client Multiple Bufferoverflow Vulnerability

[reepex <reepex () gmail com>]

woah woah watch your words

many people on fd make their career based on 1) and 2) so dont diss them
unless you want to start an e-war

On 11/28/07, Peter Dawson <slash.pd () gmail com> wrote:
> Yeah ..
>
> a) "Social engineer victim to open it."
> b) "Persuade victim to run the command "
>
> is kind funky..
>
> On Nov 28, 2007 5:21 PM, Stan Bubrouski < stan.bubrouski () gmail com> wrote:
>
> > Not to mention the obvious fact that if you have to trick someone into
> > running a batch file then you could probably just tell the genius to
> > execute a special EXE you crafted for them.
> >
> > -sb
> >
> > On Nov 28, 2007 4:43 PM, dev code < devcode29 () hotmail com> wrote:
> > >  lolerowned, kinda like the 20 other non exploitable stack overflow
> > > exceptions that someone else has been reporting on full disclosure
> > > ________________________________
> > > Date: Wed, 28 Nov 2007 09:11:30 -0600
> > > From: reepex () gmail com
> > > To: rajesh.sethumadhavan () yahoo com ; full-disclosure () lists grok org uk
> > > Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple
> > Bufferoverflow
> > > Vulnerability
> > >
> > >
> > >
> > > so... what fuzzer that you didnt code did you use to find these
> > amazing
> > > vulns?
> > >
> > > Also nice 'payload'  in your exploits meaning 'nice long lists of
> > "a"s'. You
> > > should not claim code execution when your code does not perform it.
> > >
> > > Well I guess it has been good talking until your fuzzer crashes
> > another
> > > application and you copy and paste the results
> > >
> > >
> > > On 11/28/07, Rajesh Sethumadhavan < rajesh.sethumadhavan () yahoo com>
> > wrote:
> > > Microsoft FTP Client Multiple Bufferoverflow
> > > Vulnerability
> > >
> > > #####################################################################
> > >
> > > XDisclose Advisory      : XD100096
> > > Vulnerability Discovered: November 20th 2007
> > > Advisory Reported       : November 28th 2007
> > > Credit                  : Rajesh Sethumadhavan
> > >
> > > Class                   : Buffer Overflow
> > >                          Denial Of Service
> > > Solution Status         : Unpatched
> > > Vendor                  : Microsoft Corporation
> > > Affected applications   : Microsoft FTP Client
> > > Affected Platform       : Windows 2000 server
> > >                          Windows 2000 Professional
> > >                          Windows XP
> > >                          (Other Versions may be also effected)
> > >
> > > #####################################################################
> > >
> > >
> > > Overview:
> > > Bufferoverflow vulnerability is discovered in
> > > microsoft ftp client. Attackers can crash the ftp
> > > client of the victim user by tricking the user.
> > >
> > >
> > > Description:
> > > A remote attacker can craft packet with payload in the
> > > "mget", "ls", "dir", "username" and "password"
> > > commands as demonstrated below. When victim execute
> > > POC or specially crafted packets, ftp client will
> > > crash possible arbitrary code execution in contest of
> > > logged in user. This vulnerability is hard to exploit
> > > since it requires social engineering and shellcode has
> > > to be injected as argument in vulnerable commands.
> > >
> > > The vulnerability is caused due to an error in the
> > > Windows FTP client in validating commands like "mget",
> > > "dir", "user", password and "ls"
> > >
> > > Exploitation method:
> > >
> > > Method 1:
> > > -Send POC with payload to user.
> > > -Social engineer victim to open it.
> > >
> > > Method 2:
> > > -Attacker creates a directory with long folder or
> > > filename in his FTP server (should be other than IIS
> > > server)
> > > -Persuade victim to run the command "mget", "ls" or
> > > "dir"  on specially crafted folder using microsoft ftp
> > > client
> > > -FTP client will crash and payload will get executed
> > >
> > >
> > > Proof Of Concept:
> > > http://www.xdisclose.com/poc/mget.bat.txt
> > >  http://www.xdisclose.com/poc/username.bat.txt
> > > http://www.xdisclose.com/poc/directory.bat.txt
> > > http://www.xdisclose.com/poc/list.bat.txt
> > >
> > > Note: Modify POC to connect to lab FTP Server
> > >      (As of now it will connect to
> > > ftp://xdisclose.com)
> > >
> > > Demonstration:
> > > Note: Demonstration leads to crashing of Microsoft FTP
> > > Client
> > >
> > > Download POC rename to .bat file and execute anyone of
> > > the batch file
> > > http://www.xdisclose.com/poc/mget.bat.txt
> > >   http://www.xdisclose.com/poc/username.bat.txt
> > > http://www.xdisclose.com/poc/directory.bat.txt
> > > http://www.xdisclose.com/poc/list.bat.txt
> > >
> > >
> > > Solution:
> > > No Solution
> > >
> > > Screenshot:
> > > http://www.xdisclose.com/images/msftpbof.jpg
> > >
> > >
> > > Impact:
> > > Successful exploitation may allows execution of
> > > arbitrary code with privilege of currently logged in
> > > user.
> > >
> > > Impact of the vulnerability is system level.
> > >
> > >
> > > Original Advisory:
> > > http://www.xdisclose.com/advisory/XD100096.html
> > >
> > > Credits:
> > > Rajesh Sethumadhavan has been credited with the
> > > discovery of this vulnerability
> > >
> > >
> > > Disclaimer:
> > > This entire document is strictly for educational,
> > > testing and demonstrating purpose only. Modification
> > > use and/or publishing this information is entirely on
> > > your own risk. The exploit code/Proof Of Concept is to
> > > be used on test environment only. I am not liable for
> > > any direct or indirect damages caused as a result of
> > > using the information or demonstrations provided in
> > > any part of this advisory.
> > ____________________________________________________________________________________
> > > Never miss a thing.  Make Yahoo your home page.
> > > http://www.yahoo.com/r/hs
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
> > >
> > >
> > > ________________________________
> > > Connect and share in new ways with Windows Live. Connect now!
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/