Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NT] Yak! Directory Traversal Bug

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NT] Yak! Directory Traversal Bug
Date: 18 Oct 2004 10:10:42 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Yak! Directory Traversal Bug
------------------------------------------------------------------------


SUMMARY

 <http://www.digicraft.com.au/yak/> Yak! is a "text-based, chat 
application for use on Microsoft Windows 32-bit local area networks. It 
has a simple and easy to use interface, does not require a dedicated 
server, and makes communicating across a LAN a dream. Use Yak! at home to 
chat with family and friends, or in the work place to improve 
productivity."

An unfiltered input path used to upload files into the built-in FTP server 
found in Yak! enables an attacker to upload any file, anywhere on the 
system.

DETAILS

Vulnerable Systems:
 * Yak! version 2.1.2

When the program starts it creates a username and password for each IP 
address of the computer's network interfaces. These login informations are 
needed to grant the access to the built-in FTP server (used only to 
receive files) to other Yak! hosts.

The problem lies in the fact that the FTP server code does not properly 
filter the paths used by clients, enabling them to upload files everywhere 
on the system. Using this bug it is also possible to browse the entire 
drive where the temporary directory is present. However, since the 
built-in FTP server found in Yak! was designed to only receive files, 
there is no way to download arbitrary files from the system.

Proof of concept:
Connect to the Yak! FTP port, usually 3535:

 C:\>ftp
 ftp> open HOST 3535

Enter the calculated username and password and upload your files like
in the following example:

 dir /
 dir ../../windows/

 put
   evil.exe
   ../../windows/calc.exe

(slash and backslash have the same effect)


ADDITIONAL INFORMATION

The information has been provided by  <mailto:aluigi@autistici.org> Luigi 
Auriemma.



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NT] Yak! Directory Traversal Bug, SecuriTeam <=
Previous by Date:  [NT] Microsoft Excel Length Parameter Parsing Buffer Overflow Vulnerability, SecuriTeam
Next by Date:  [NT] Flash Messaging Server Crash, SecuriTeam
Previous by Thread:  [NT] Microsoft Excel Length Parameter Parsing Buffer Overflow Vulnerability, SecuriTeam
Next by Thread:  [NT] Flash Messaging Server Crash, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]