[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Directory traversal in Yak! 2.1.2

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Directory traversal in Yak! 2.1.2
From: bil <bil_912@xxxxxxxxxxxxx>
Date: 16 Oct 2004 10:26:09 -0000
In-Reply-To: <20041015193318.3257e4eb.aluigi@xxxxxxxxxxxxx>

===========================================================================
in a previous post i reported this issue.
http://www.securityfocus.com/bid/8581/
http://cert.uni-stuttgart.de/archive/bugtraq/2003/11/msg00222.html

i'm NOT sure if the PUT commands works perfectly. coz with the versions i 
played with, i couldnt upload files succesfully

and a password calculator is'nt required to know the passwords. just a little 
sniffer would reveal the username and password clearly.
===========================================================================


>Received: (qmail 30088 invoked from network); 15 Oct 2004 19:53:23 -0000
>Received: from outgoing.securityfocus.com (HELO outgoing3.securityfocus.com) 
>(205.206.231.27)
>  by mail.securityfocus.com with SMTP; 15 Oct 2004 19:53:23 -0000
>Received: from lists2.securityfocus.com (lists2.securityfocus.com 
>[205.206.231.20])
>       by outgoing3.securityfocus.com (Postfix) with QMQP
>       id 9C45C236F8D; Fri, 15 Oct 2004 11:23:39 -0600 (MDT)
>Mailing-List: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
>Precedence: bulk
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <mailto:bugtraq@xxxxxxxxxxxxxxxxx>
>List-Help: <mailto:bugtraq-help@xxxxxxxxxxxxxxxxx>
>List-Unsubscribe: <mailto:bugtraq-unsubscribe@xxxxxxxxxxxxxxxxx>
>List-Subscribe: <mailto:bugtraq-subscribe@xxxxxxxxxxxxxxxxx>
>Delivered-To: mailing list bugtraq@xxxxxxxxxxxxxxxxx
>Delivered-To: moderator for bugtraq@xxxxxxxxxxxxxxxxx
>Received: (qmail 4069 invoked from network); 15 Oct 2004 11:14:25 -0000
>Date: Fri, 15 Oct 2004 19:33:18 +0000
>From: Luigi Auriemma <aluigi@xxxxxxxxxxxxx>
>To: bugtraq@xxxxxxxxxxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx,
>       news@xxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxx,
>       vuln@xxxxxxxxxxx
>Subject: Directory traversal in Yak! 2.1.2
>Message-Id: <20041015193318.3257e4eb.aluigi@xxxxxxxxxxxxx>
>Mime-Version: 1.0
>Content-Type: text/plain; charset=US-ASCII
>Content-Transfer-Encoding: 7bit
>X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at autistici.org
>
>
>#######################################################################
>
>                             Luigi Auriemma
>
>Application:  Yak!
>              http://www.digicraft.com.au/yak/
>Versions:     <= 2.1.2
>Platforms:    Windows
>Bug:          directory traversal (upload)
>Exploitation: remote
>Date:         15 October 2004
>Author:       Luigi Auriemma
>              e-mail: aluigi@xxxxxxxxxxxxxx
>              web:    http://aluigi.altervista.org
>
>
>#######################################################################
>
>
>1) Introduction
>2) Bug
>3) The Code
>4) Fix
>
>
>#######################################################################
>
>===============
>1) Introduction
>===============
>
>
>Yak! is a serverless chat system for Windows that lets people to chat
>and to exchange files.
>
>
>#######################################################################
>
>======
>2) Bug
>======
>
>
>When the program starts it creates an username and password for each
>IP address of the computer's network interfaces.
>These login informations are needed to grant the access to the built-in
>FTP server (used only to receive files) to other Yak! hosts.
>
>The problem is just in this FTP server because the input of the clients
>is not filtered so is possible to upload files everywhere in the disk
>on which is located the upload directory of Yak! (by default the system's
>temporary folder) overwriting those existent.
>
>Naturally is also possible to see any remote directory and file (but
>seems only c: can be surfed also if the upload folder is set on another
>disk) while download is avoided by the program because it has been
>designed to receive files only.
>
>
>#######################################################################
>
>===========
>3) The Code
>===========
>
>
>Do the following operations:
>
>Download my "Yak! username and password calculator"
>http://aluigi.altervista.org/papers/yakcalc.zip to retrieve the
>username and password to access to the FTP server of a specific Yak!
>host.
>
>Then connect to the Yak! FTP port, usually 3535:
>
> C:\>ftp
> ftp> open HOST 3535
>
>Enter the calculated username and password and upload your files like
>in the following example:
>
> dir /
> dir ../../windows/
>
> put
>   evil.exe
>   ../../windows/calc.exe
>
>(slash and backslash have the same effect)
>
>
>#######################################################################
>
>======
>4) Fix
>======
>
>
>No fix.
>Vendor has been contacted exactly one month ago but no patch is
>available.
>
>
>#######################################################################
>
>
>--- 
>Luigi Auriemma
>http://aluigi.altervista.org
>
>
Prev by Date: Re: [IE 6 SP2] Possible URL Spoofing
Next by Date: Re: EEYE: Windows VDM #UD Local Privilege Escalation
Previous by thread: Directory traversal in Yak! 2.1.2
Next by thread: Eudora 6.2.0.7 attachment spoof
Index(es):
- Date
- Thread