Re: [Full-disclosure] Microsoft Internet Information Server ftpd zeroday

2009-09-08 Thread Thierry Zoller
Hi Kingcope, Thanks to a hint by Petar on the G-SEC blog [1] it appears that the very same bug was present in IIS3 and IIS4 and discovered by eEye in 1999: http://research.eeye.com/html/advisories/published/AD19990124.html Microsoft IIS (Internet Information Server) FTP service contains a

Re: [Full-disclosure] Microsoft Internet Information Server ftpd zeroday

2009-09-02 Thread Guido Landi
no, MKDIR is *not* required, also write access is *not* required. Assuming a directory with a name that starts with A exists and that is at least 14 chars long, this pattern will trigger the overflow: NLST [Ax206]*/../A*/../A*/../A*/../A*/../A*/../A*/../A*/\r\n At least on win2k3. Therefore,

Re: [Full-disclosure] Microsoft Internet Information Server ftpd zeroday

2009-09-02 Thread Vladimir '3APA3A' Dubrovin
Dear Guido Landi, For DoS - yes, you can use an existing file, but it's (almost) impossible to create a reliable code execution exploit since you cannot (fully) control the return address, as required in the JMP ESP technique used in this exploit. --Wednesday, September 2, 2009, 12:33:47 PM, you

Re: [Full-disclosure] Microsoft Internet Information Server ftpd zeroday

2009-09-02 Thread Guido Landi
Dear Vladimir, almost is often enough :) btw, it was about triggering the vuln, not about exploiting it. Guido Landi Vladimir '3APA3A' Dubrovin wrote: Dear Guido Landi, For DoS - yes, you can use an existing file, but it's (almost) impossible to create a reliable code execution exploit

Re: [Full-disclosure] Microsoft Internet Information Server ftpd zeroday

2009-08-31 Thread Thierry Zoller
Confirmed. Ask yourselves why your fuzzers haven't found that one - a combination of MKDIR commands is required before reaching the vuln code? -- http://blog.zoller.lu Thierry Zoller

Re: [Full-disclosure] Microsoft Internet Information Server ftpd zeroday

2009-08-31 Thread Vladimir '3APA3A' Dubrovin
Dear Thierry Zoller, I think yes, MKDIR is required. It should be a variation of S99-003/MS02-018. A fuzzer would have to be very smart to create a directory and use both an oversized buffer and ../ in NLST; that makes the path longer than MAX_PATH with an existing directory. --Monday, August 31,
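The two points made above, Guido Landi's trigger shape (NLST [Ax206]*/../A*/../A*/... against an existing directory whose name starts with A and is at least 14 characters long) and Vladimir Dubrovin's explanation that glob expansion with an existing directory pushes the path past MAX_PATH, can be illustrated with a small model. The following Python is an added example, not code from the thread or from any of the posters: it builds an argument of the posted shape, estimates how long it becomes once wildcards are expanded, and flags FTP command lines of that shape in constructed log data. The expansion model (wildcards replaced by the first matching name, unmatched components and `..` kept literally, no normalisation before the length check) and the directory name `AAAAAAAAAAAAAA` are assumptions made for the example; MAX_PATH = 260 is the Win32 constant.

```python
import re

MAX_PATH = 260  # Win32 MAX_PATH (characters, including the terminating NUL)

# Constructed precondition from Guido's post: one existing directory whose
# name starts with 'A' and is at least 14 characters long.
EXISTING_DIRS = {"AAAAAAAAAAAAAA"}


def build_nlst_argument(prefix_len=206, repeats=7, letter="A"):
    """Build an argument of the posted shape: [Ax206]* followed by
    '/../A*' repeated, with a trailing slash."""
    first = letter * prefix_len + "*"
    rest = "".join("/../" + letter + "*" for _ in range(repeats))
    return first + rest + "/"


def expanded_length(arg, existing=EXISTING_DIRS):
    """Assumed expansion model: each wildcard component is replaced by the
    first existing name it matches; components that match nothing and the
    '..' steps are kept as-is; nothing is normalised before measuring."""
    out = []
    for comp in arg.split("/"):
        if "*" in comp:
            stem = comp.split("*", 1)[0]
            match = next((d for d in sorted(existing) if d.startswith(stem)), None)
            out.append(match if match is not None else comp)
        else:
            out.append(comp)
    return len("/".join(out))


# Detection side: an FTP listing command whose argument chains '/../' with a
# wildcard component several times, or is already MAX_PATH long on the wire.
FTP_LIST_CMD = re.compile(r"^(?P<verb>NLST|LIST)\s+(?P<arg>.+?)\s*$", re.I)
GLOB_DOTDOT = re.compile(r"/\.\./[^/]*\*")


def is_suspicious(cmd_line, max_glob_dotdot=3, max_arg_len=MAX_PATH):
    m = FTP_LIST_CMD.match(cmd_line.strip())
    if not m:
        return False
    arg = m.group("arg")
    if len(arg) >= max_arg_len:
        return True
    return len(GLOB_DOTDOT.findall(arg)) >= max_glob_dotdot


# Constructed sample of FTP control-channel commands (not real captures).
SAMPLE_COMMANDS = [
    "NLST",
    "NLST *.txt",
    "LIST pub/../pub/*",
    "NLST " + build_nlst_argument(),
]


def scan(lines):
    """Return the command lines the rule flags."""
    return [line for line in lines if is_suspicious(line)]


if __name__ == "__main__":
    arg = build_nlst_argument()
    print("argument length on the wire:", len(arg))
    print("modelled length after expansion:", expanded_length(arg))
    print("flagged:", [c[:30] + "..." for c in scan(SAMPLE_COMMANDS)])
```

The point the model makes visible is that the argument itself is shorter than MAX_PATH (250 characters for the posted counts), so a length check on the raw NLST argument would pass; only after each `A*` is resolved against the existing 14-character directory does the path exceed 260. That is why the detection rule keys on the repeated `/../<glob>` structure rather than on argument length alone.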

Re: [Full-disclosure] Microsoft Internet Information Server ftpd zeroday

2009-08-31 Thread Kingcope
Hello list, I have to clarify some things on the globbing vulnerability here. The posted PoC (with the fine art) does NOT exploit IIS6 ftp servers, IIS6 ftp server IS affected by the buffer overflow but is properly protected by stack canaries. AFAIK it looks like a DoS on Windows Server 2003.

Re: [Full-disclosure] Microsoft Internet Information Server ftpd zeroday

2009-08-31 Thread r1d1nd1rty
why would anyone write a 0day with... # bug found exploited by Kingcope, kcope2atgooglemail.com # Affects IIS6 with stack cookie protection # August 2009 - KEEP THIS 0DAY PRIV8 ... then plaster it all over the internet? have you forgotten what you, yourself wrote? if you guys really wanna

Re: [Full-disclosure] Microsoft Internet Information Server ftpd zeroday

2009-08-31 Thread laurent gaffie
Nice find Kingcope. As Thierry mentioned, I guess it was a pain to find; nice one as always, your finding rocks. Cheers 2009/8/31 r1d1nd1rty r1d1nd1...@hush.com why would anyone write a 0day with... # bug found exploited by Kingcope, kcope2atgooglemail.com # Affects IIS6 with stack