From what I've noticed, users of MS' FTP client aren't the usual Windows GUI user. So that would be one good social engineering trick...
Original Message:
------------------------------------------------
> Date: Wed, 28 Nov 2007 18:34:47 -0500
> From: "Peter Dawson" <[EMAIL PROTECTED]>
> Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow Vulnerability
> To: "Stan Bubrouski" <[EMAIL PROTECTED]>
> Cc: [email protected]
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset="utf-8"
>
> Yeah ..
>
> a) "Social engineer victim to open it."
> b) "Persuade victim to run the command "
>
> is kind funky..
>
> On Nov 28, 2007 5:21 PM, Stan Bubrouski <[EMAIL PROTECTED]> wrote:
> >
> > Not to mention the obvious fact that if you have to trick someone into
> > running a batch file then you could probably just tell the genius to
> > execute a special EXE you crafted for them.
> >
> > -sb
> >
> > On Nov 28, 2007 4:43 PM, dev code <[EMAIL PROTECTED]> wrote:
> > >
> > > lolerowned, kinda like the 20 other non exploitable stack overflow
> > > exceptions that someone else has been reporting on full disclosure
> > > ________________________________
> > > Date: Wed, 28 Nov 2007 09:11:30 -0600
> > > From: [EMAIL PROTECTED]
> > > To: [EMAIL PROTECTED]; [email protected]
> > > Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow Vulnerability
> > >
> > > so... what fuzzer that you didn't code did you use to find these amazing
> > > vulns?
> > >
> > > Also nice 'payload' in your exploits meaning 'nice long lists of "a"s'. You
> > > should not claim code execution when your code does not perform it.
> > >
> > > Well I guess it has been good talking until your fuzzer crashes another
> > > application and you copy and paste the results
> > >
> > > On 11/28/07, Rajesh Sethumadhavan <[EMAIL PROTECTED]> wrote:
> > > Microsoft FTP Client Multiple Bufferoverflow Vulnerability
> > >
> > > #####################################################################
> > >
> > > XDisclose Advisory : XD100096
> > > Vulnerability Discovered: November 20th 2007
> > > Advisory Reported : November 28th 2007
> > > Credit : Rajesh Sethumadhavan
> > >
> > > Class : Buffer Overflow
> > >         Denial Of Service
> > > Solution Status : Unpatched
> > > Vendor : Microsoft Corporation
> > > Affected applications : Microsoft FTP Client
> > > Affected Platform : Windows 2000 Server
> > >                     Windows 2000 Professional
> > >                     Windows XP
> > >                     (Other versions may also be affected)
> > >
> > > #####################################################################
> > >
> > >
> > > Overview:
> > > A buffer overflow vulnerability has been discovered in the
> > > Microsoft FTP client. Attackers can crash the FTP
> > > client of the victim user by tricking the user.
> > >
> > >
> > > Description:
> > > A remote attacker can craft a packet with a payload in the
> > > "mget", "ls", "dir", "username" and "password"
> > > commands as demonstrated below. When the victim executes the
> > > POC or specially crafted packets, the FTP client will
> > > crash, with possible arbitrary code execution in the context of the
> > > logged-in user. This vulnerability is hard to exploit
> > > since it requires social engineering and shellcode has
> > > to be injected as an argument in the vulnerable commands.
> > >
> > > The vulnerability is caused by an error in the
> > > Windows FTP client in validating commands like "mget",
> > > "dir", "user", "password" and "ls".
> > >
> > > Exploitation method:
> > >
> > > Method 1:
> > > -Send POC with payload to user.
> > > -Social engineer victim to open it.
> > >
> > > Method 2:
> > > -Attacker creates a directory with a long folder or
> > > filename on his FTP server (should be other than IIS
> > > server)
> > > -Persuade victim to run the command "mget", "ls" or
> > > "dir" on the specially crafted folder using the Microsoft FTP
> > > client
> > > -FTP client will crash and payload will get executed
> > >
> > >
> > > Proof Of Concept:
> > > http://www.xdisclose.com/poc/mget.bat.txt
> > > http://www.xdisclose.com/poc/username.bat.txt
> > > http://www.xdisclose.com/poc/directory.bat.txt
> > > http://www.xdisclose.com/poc/list.bat.txt
> > >
> > > Note: Modify POC to connect to lab FTP Server
> > > (As of now it will connect to ftp://xdisclose.com)
> > >
> > > Demonstration:
> > > Note: Demonstration leads to crashing of Microsoft FTP
> > > Client
> > >
> > > Download POC, rename to .bat file and execute any one of
> > > the batch files
> > > http://www.xdisclose.com/poc/mget.bat.txt
> > > http://www.xdisclose.com/poc/username.bat.txt
> > > http://www.xdisclose.com/poc/directory.bat.txt
> > > http://www.xdisclose.com/poc/list.bat.txt
> > >
> > >
> > > Solution:
> > > No Solution
> > >
> > > Screenshot:
> > > http://www.xdisclose.com/images/msftpbof.jpg
> > >
> > >
> > > Impact:
> > > Successful exploitation may allow execution of
> > > arbitrary code with the privilege of the currently logged-in
> > > user.
> > >
> > > Impact of the vulnerability is system level.
> > >
> > >
> > > Original Advisory:
> > > http://www.xdisclose.com/advisory/XD100096.html
> > >
> > > Credits:
> > > Rajesh Sethumadhavan has been credited with the
> > > discovery of this vulnerability
> > >
> > >
> > > Disclaimer:
> > > This entire document is strictly for educational,
> > > testing and demonstration purposes only. Modification,
> > > use and/or publishing of this information is entirely at
> > > your own risk. The exploit code/Proof Of Concept is to
> > > be used in a test environment only. I am not liable for
> > > any direct or indirect damages caused as a result of
> > > using the information or demonstrations provided in
> > > any part of this advisory.
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
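Method 2 above relies on the client receiving a directory listing with an oversized folder or file name. As an added, defender-side example (not code from the advisory or from anyone in this thread), the Python checker below parses Unix-style and MS-DOS-style FTP LIST responses and flags entries whose names exceed a length threshold, so such listings can be reviewed before a legacy client handles them; the threshold of 255 and the sample listing are assumptions constructed for the example.

```python
"""Flag FTP LIST entries whose names are long enough to stress a legacy client.
Added example with constructed sample data; not part of the advisory."""
import re
from typing import List, Optional, Tuple

# Assumed review threshold (not a value from the advisory): typical single
# path-component limit; anything longer is worth a second look.
MAX_SAFE_NAME = 255

# Unix-style line: perms links owner group size month day time|year name
_UNIX = re.compile(
    r"^[\-dlbcps][rwxsStT\-]{9}\s+\d+\s+\S+\s+\S+\s+\d+\s+"
    r"\w{3}\s+\d{1,2}\s+(?:\d{1,2}:\d{2}|\d{4})\s+(?P<name>.+)$"
)
# MS-DOS-style line (IIS default): MM-DD-YY HH:MMAM <DIR>|size name
_DOS = re.compile(
    r"^\d{2}-\d{2}-\d{2,4}\s+\d{2}:\d{2}[AP]M\s+(?:<DIR>|\d+)\s+(?P<name>.+)$"
)


def entry_name(line: str) -> Optional[str]:
    """Return the file/directory name from one LIST line, or None if unparsed."""
    for pat in (_UNIX, _DOS):
        m = pat.match(line.rstrip("\r\n"))
        if m:
            # Unix listings show symlinks as "name -> target"; keep the name only.
            return m.group("name").split(" -> ", 1)[0]
    return None


def flag_long_entries(listing: str, limit: int = MAX_SAFE_NAME) -> List[Tuple[str, int]]:
    """Return (name, length) for every parsed entry whose name exceeds `limit`."""
    hits: List[Tuple[str, int]] = []
    for line in listing.splitlines():
        name = entry_name(line)
        if name is not None and len(name) > limit:
            hits.append((name, len(name)))
    return hits


# Constructed sample: two ordinary entries and one oversized directory name.
SAMPLE_LISTING = "\n".join([
    "drwxr-xr-x    2 ftp      ftp          4096 Nov 28 16:43 pub",
    "-rw-r--r--    1 ftp      ftp          1234 Nov 20  2007 README",
    "11-28-07  04:43PM       <DIR>          " + "A" * 600,
])

if __name__ == "__main__":
    for name, length in flag_long_entries(SAMPLE_LISTING):
        print(f"oversized entry ({length} chars): {name[:40]}...")
```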
