Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: Marc Maiffret (marcEEYE.COM)
Date: Fri Feb 16 2001 - 07:21:30 CST
This isn't a "high risk" vulnerability or even a low risk one. Actually most
of the ftp.exe discussions that have been happening on this list lately have
not even been anything worth while other then a lot of blibbering about, o
ya i got it to work on mine to but bla bla [insert ignorance here] bla bla.
Client side vulnerabilities are great _IF_ you can force a client to perform
the overflow or what not.
For example a buffer overflow in Winamp is not a big deal unless you can
force a client to be overflow. A way of doing that would be to send them a
Winamp .wsz (skin file) that has a buffer overflow in it. The .wsz extension
is automatically ran by windows, and loaded into winamp, so if you sent it
in an eMail you could (most likely) make it auto execute via a html refresh
or even just say <a href="britney.wsz"> Click here for Britney Spears Porn!
</a> and b00m. That's all just a theory bla bla but its an example.
A client side "vulnerability" where the client has to type in random
commands to ftp.exe or have things placed in their profile (which they are
then screwed anyways) is not something overly worthwhile.
Chief Hacking Officer
eCompany / eEye
| -----Original Message-----
| From: VULN-DEV List [mailto:VULN-DEVSECURITYFOCUS.COM]On Behalf Of
| Antti Hakulinen
| Sent: Friday, February 16, 2001 5:05 PM
| To: VULN-DEVSECURITYFOCUS.COM
| Subject: Re: WIN2K security bug with FTP. Bug allows any file to be
| deleted from the remote system.
| Ofcourse I know that i crashed my ftp.exe program, not the server.
| The program to be used is got to be ms ftp.exe.
| I tried this remotely from RedHat 6.0, i couldn't reproduce it.
| Like i said before, it is a FTP.EXE "Feature" :).
| My apologies if any misunderstanding happened.
| Yes. The file therefore ofcourse is deleted by the ftp.exe not the server,
| but it doesn't matter.
| In any way, it is still high security risk.
| I will test it remotely with win2k's FTP.EXE right away so we get to know
| will it work.
| I'm 99% sure that i can reproduce it remotely.
| Will be mailing results soon.......
| Regards: Antti....
| ----- Original Message -----
| From: "3APA3A" <3APA3ASECURITY.NNOV.RU>
| To: "Antti Hakulinen" <thpoDREAMTHEATER.ZZN.COM>
| Cc: <VULN-DEVSECURITYFOCUS.COM>
| Sent: Friday, February 16, 2001 11:57 AM
| Subject: Re: WIN2K security bug with FTP. Bug allows any file to
| be deleted
| from the remote system.
| > Hello Antti,
| > Friday, February 16, 2001, 1:53:46 AM, you wrote:
| > AH> This little " ms feature" allows anyfile on your system to
| be deleted.
| This applies at least Win2k build 2195 servicepack 1 & latest updates.
| > AH> Using the GET command like this.
| > <skipped>
| > AH> App: ftp.exe (pid=824)
| > <skipped>
| > AH> Otherwise, better not to be using w2k as FTP server.
| > You have dumped your ftp client, not server. The file is also probably
| > deleted by FTP client, not server. If so, this is not security issue.
| > Try to check this issue remotely.
| > --
| > /3APA3A
| > Вечная память святому Патрику! (Твен)