Vulnerability Development mailing list archives
Re: WIN2K security bug with FTP. Bug allows any file to be deleted from the remote system.
From: Marc Maiffret <marc () EEYE COM>
Date: Sun, 18 Feb 2001 09:16:58 -0800
<snip>
| > Client side vulnerabilities are great _IF_ you can force a
| > client to perform
| > the overflow or what not.
| > A client side "vulnerability" where the client has to type in random
| > commands to ftp.exe or have things placed in their profile
| > (which they are
| > then screwed anyways) is not something overly worthwhile.
|
| What about situations where one is capable of gaining access to a machine
| via unicode or any other known/unknown vuln that does not give one system
| access, and then utilising this in conjunction with the above to
| cause more
| havoc?

So you break into an IIS server via FrontPage, Unicode, whatever it is... and then you overflow ftp.exe (which was spawned by your user under your privilege (IUSR_ for example) and then you overflow it... you will then be executing code with the same privilege so what's the point?

Now, if you were to take a local exploit, like an overflow in .asp files, and use Unicode to write that .asp file to the hard drive and then request the .asp file remotely, http://example.com/bob.asp to cause an overflow (which since .asp is going to be processed in inetinfo.exe you'll be SYSTEM) then yes that local exploit, which typically would mean nothing, is then a valid threat.

Read http://www.eeye.com/html/Advisories/IISHack1.5.html for a "proof in concept" that myself and Ryan Permeh put together. Using Unicode and an overflow in ASP.

| Take care,
| Andrew
| -
| Andrew Thomas
| office: +27 21 4889820
| facsimile: +27 21 4889830
| mobile: +27 82 7850166
| "One trend that bothers me is the glorification of
| stupidity, that the media is reassuring people it's
| alright not to know anything. That to me is far more
| dangerous than a little pornography on the Internet."
| - Carl Sagan

Signed,
Marc Maiffret
Chief Hacking Officer
eCompany / eEye
T.949.349.9062
F.949.349.9538
http://eEye.com
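The "Unicode" bug class Marc refers to above is a request path in which a directory separator is percent-encoded as an overlong two-byte UTF-8 sequence, so a naive path check sees no traversal while the later, lenient decode turns it back into `/` or `\`. Reviewing web server logs with that same lenient decoding is how a defender finds such requests after the fact. The script below is an added example, not code from the thread or from eEye; it assumes IIS W3C-format log lines with the fields date, time, c-ip, cs-method, cs-uri-stem and sc-status, and the sample lines are constructed.

```python
"""Flag IIS log requests whose path escapes the web root, including paths that
only do so after overlong UTF-8 percent-encodings are decoded leniently."""
from urllib.parse import unquote_to_bytes

# Constructed sample log lines (assumed W3C extended field order:
# date time c-ip cs-method cs-uri-stem sc-status). Not real traffic.
SAMPLE_LOG = """\
2001-02-18 09:16:58 10.0.0.5 GET /default.asp 200
2001-02-18 09:17:02 10.0.0.9 GET /scripts/..%c0%af..%c0%afsomefile.txt 200
2001-02-18 09:17:05 10.0.0.9 GET /scripts/..%c1%9c..%c1%9csomefile.txt 200
2001-02-18 09:17:09 10.0.0.9 GET /scripts/..%2f..%2fsomefile.txt 404
2001-02-18 09:17:20 10.0.0.7 GET /images/logo.gif 200
"""

LOG_FIELDS = ("date", "time", "c_ip", "method", "uri", "status")


def lenient_decode(raw):
    """Decode bytes the way a lenient UTF-8 decoder would: accept overlong
    two-byte forms (lead byte 0xC0 or 0xC1), which strict UTF-8 rejects.
    Returns (text, saw_overlong). Other non-ASCII bytes are mapped 1:1 to
    Latin-1 characters, which is enough for path-structure analysis."""
    out = []
    saw_overlong = False
    i = 0
    while i < len(raw):
        b = raw[i]
        nxt = raw[i + 1] if i + 1 < len(raw) else None
        if b in (0xC0, 0xC1) and nxt is not None and 0x80 <= nxt <= 0xBF:
            # Overlong encoding of a 7-bit code point: e.g. C0 AF -> '/', C1 9C -> '\'
            out.append(chr(((b & 0x1F) << 6) | (nxt & 0x3F)))
            saw_overlong = True
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out), saw_overlong


def escapes_webroot(path):
    """True if the path climbs above the web root once '..' segments are applied.
    Both separators are honoured, since IIS treats '\\' like '/'."""
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def parse_line(line):
    """Split one log line into a dict; returns None for lines that do not fit."""
    parts = line.split()
    if len(parts) != len(LOG_FIELDS):
        return None
    return dict(zip(LOG_FIELDS, parts))


def analyze(log_text):
    """Return one finding per request that uses overlong encoding or escapes the root."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        decoded, overlong = lenient_decode(unquote_to_bytes(rec["uri"]))
        traversal = escapes_webroot(decoded)
        if overlong or traversal:
            findings.append({
                "time": rec["date"] + " " + rec["time"],
                "c_ip": rec["c_ip"],
                "uri": rec["uri"],
                "decoded": decoded,
                "overlong": overlong,
                "traversal": traversal,
                "status": rec["status"],
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["time"], f["c_ip"], f["status"], f["uri"], "->", f["decoded"],
              "overlong" if f["overlong"] else "", "traversal" if f["traversal"] else "")
```

The fourth sample line, with plain `%2f`, is flagged as traversal too even though the server answered 404: the point of the check is that the overlong lines are the ones a strict decoder would have rejected outright, so any request that only becomes a traversal after lenient decoding deserves a closer look regardless of the status code.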
Current thread:
- Re: WIN2K security bug with FTP. Bug allows any file to be deleted from the remote system. Andrew Thomas (Feb 18)
- Re: WIN2K security bug with FTP. Bug allows any file to be deleted from the remote system. Marc Maiffret (Feb 18)