Full Disclosure mailing list archives

Re: Microsoft Internet Information Server ftpd zeroday

From: Vladimir '3APA3A' Dubrovin <3APA3A () SECURITY NNOV RU>
Date: Mon, 31 Aug 2009 21:04:18 +0400

Dear Thierry Zoller,

I   think   yes,   MKDIR   is   required.  It  should  be  variation  of
S99-003/MS02-018.  fuzzer  should  be very smart to create directory and
user  both  oversized buffer and ../ in NLST - it makes path longer than
MAX_PATH with existing directory.

--Monday, August 31, 2009, 8:21:12 PM, you wrote to full-disclosure () lists grok org uk:


TZ> Confirmed.

TZ> Ask  yourselves why your fuzzers haven't found that one - Combination of
TZ> MKDIR are required before reaching vuln code ?





-- 
Skype: Vladimir.Dubrovin
~/ZARAZA http://securityvulns.com/
Жало мне не понадобится (С. Лем)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Microsoft Internet Information Server ftpd zeroday Kingcope (Aug 31)
- Re: Microsoft Internet Information Server ftpd zeroday Thierry Zoller (Aug 31)
  - Re: Microsoft Internet Information Server ftpd zeroday Vladimir '3APA3A' Dubrovin (Aug 31)
- Re: Microsoft Internet Information Server ftpd zeroday Kingcope (Aug 31)