Autor
Esta vulnerabilidad se basa en un desbordamiento de la memoria remoto donde un atacante puede engañar a una persona de conectarse al servidor FTP del atacante atraves del cliente FTP de Windows de la persona afectada pudiendo ejecutar comandos arbitrariamente con los derechos de la seción de la victima.
Esta vulnerabilidad ha sido probada en
Windows 2000 server
Windows 2000 Professional
Windows XP
La vulnerabilidad ha sido localizada dentro de los comandos "mget",
"dir", "user", "password" y "ls".
Fuentes:
http://seclists.org/bugtraq/2007/Nov/0397.html
http://www.xdisclose.com/advisory/XD100096.html
http://whk.h4ck1ng.net/2007-11.28/multiples-vulnerabilidades-en-microsoft-ftp-client/
Texto original:
Citar
Microsoft FTP Client Multiple Bufferoverflow
Vulnerability
#####################################
XDisclose Advisory : XD100096
Vulnerability Discovered: November 20th 2007
Advisory Reported : November 28th 2007
Credit : Rajesh Sethumadhavan
Class : Buffer Overflow
Denial Of Service
Solution Status : Unpatched
Vendor : Microsoft Corporation
Affected applications : Microsoft FTP Client
Affected Platform : Windows 2000 server
Windows 2000 Professional
Windows XP
(Other Versions may be also effected)
#####################################
Overview:
Bufferoverflow vulnerability is discovered in
microsoft ftp client. Attackers can crash the ftp
client of the victim user by tricking the user.
Description:
A remote attacker can craft packet with payload in the
"mget", "ls", "dir", "username" and "password"
commands as demonstrated below. When victim execute
POC or specially crafted packets, ftp client will
crash possible arbitrary code execution in contest of
logged in user. This vulnerability is hard to exploit
since it requires social engineering and shellcode has
to be injected as argument in vulnerable commands.
The vulnerability is caused due to an error in the
Windows FTP client in validating commands like "mget",
"dir", "user", password and "ls"
Exploitation method:
Method 1:
-Send POC with payload to user.
-Social engineer victim to open it.
Method 2:
-Attacker creates a directory with long folder or
filename in his FTP server (should be other than IIS
server)
-Persuade victim to run the command "mget", "ls" or
"dir" on specially crafted folder using microsoft ftp
client
-FTP client will crash and payload will get executed
Proof Of Concept:
http://www.xdisclose.com/poc/mget.bat.txt
http://www.xdisclose.com/poc/username.bat.txt
http://www.xdisclose.com/poc/directory.bat.txt
http://www.xdisclose.com/poc/list.bat.txt
Note: Modify POC to connect to lab FTP Server
(As of now it will connect to
http://ftp://xdisclose.com)
Demonstration:
Note: Demonstration leads to crashing of Microsoft FTP
Client
Download POC rename to .bat file and execute anyone of
the batch file
http://www.xdisclose.com/poc/mget.bat.txt
http://www.xdisclose.com/poc/username.bat.txt
http://www.xdisclose.com/poc/directory.bat.txt
http://www.xdisclose.com/poc/list.bat.txt
Solution:
No Solution
Screenshot:
http://www.xdisclose.com/images/msftpbof.jpg
Impact:
Successful exploitation may allows execution of
arbitrary code with privilege of currently logged in
user.
Impact of the vulnerability is system level.
Original Advisory:
http://www.xdisclose.com/advisory/XD100096.html
Credits:
Rajesh Sethumadhavan has been credited with the
discovery of this vulnerability
Disclaimer:
This entire document is strictly for educational,
testing and demonstrating purpose only. Modification
use and/or publishing this information is entirely on
your own risk. The exploit code/Proof Of Concept is to
be used on test environment only. I am not liable for
any direct or indirect damages caused as a result of
using the information or demonstrations provided in
any part of this advisory.
Vulnerability
#####################################
XDisclose Advisory : XD100096
Vulnerability Discovered: November 20th 2007
Advisory Reported : November 28th 2007
Credit : Rajesh Sethumadhavan
Class : Buffer Overflow
Denial Of Service
Solution Status : Unpatched
Vendor : Microsoft Corporation
Affected applications : Microsoft FTP Client
Affected Platform : Windows 2000 server
Windows 2000 Professional
Windows XP
(Other Versions may be also effected)
#####################################
Overview:
Bufferoverflow vulnerability is discovered in
microsoft ftp client. Attackers can crash the ftp
client of the victim user by tricking the user.
Description:
A remote attacker can craft packet with payload in the
"mget", "ls", "dir", "username" and "password"
commands as demonstrated below. When victim execute
POC or specially crafted packets, ftp client will
crash possible arbitrary code execution in contest of
logged in user. This vulnerability is hard to exploit
since it requires social engineering and shellcode has
to be injected as argument in vulnerable commands.
The vulnerability is caused due to an error in the
Windows FTP client in validating commands like "mget",
"dir", "user", password and "ls"
Exploitation method:
Method 1:
-Send POC with payload to user.
-Social engineer victim to open it.
Method 2:
-Attacker creates a directory with long folder or
filename in his FTP server (should be other than IIS
server)
-Persuade victim to run the command "mget", "ls" or
"dir" on specially crafted folder using microsoft ftp
client
-FTP client will crash and payload will get executed
Proof Of Concept:
http://www.xdisclose.com/poc/mget.bat.txt
http://www.xdisclose.com/poc/username.bat.txt
http://www.xdisclose.com/poc/directory.bat.txt
http://www.xdisclose.com/poc/list.bat.txt
Note: Modify POC to connect to lab FTP Server
(As of now it will connect to
http://ftp://xdisclose.com)
Demonstration:
Note: Demonstration leads to crashing of Microsoft FTP
Client
Download POC rename to .bat file and execute anyone of
the batch file
http://www.xdisclose.com/poc/mget.bat.txt
http://www.xdisclose.com/poc/username.bat.txt
http://www.xdisclose.com/poc/directory.bat.txt
http://www.xdisclose.com/poc/list.bat.txt
Solution:
No Solution
Screenshot:
http://www.xdisclose.com/images/msftpbof.jpg
Impact:
Successful exploitation may allows execution of
arbitrary code with privilege of currently logged in
user.
Impact of the vulnerability is system level.
Original Advisory:
http://www.xdisclose.com/advisory/XD100096.html
Credits:
Rajesh Sethumadhavan has been credited with the
discovery of this vulnerability
Disclaimer:
This entire document is strictly for educational,
testing and demonstrating purpose only. Modification
use and/or publishing this information is entirely on
your own risk. The exploit code/Proof Of Concept is to
be used on test environment only. I am not liable for
any direct or indirect damages caused as a result of
using the information or demonstrations provided in
any part of this advisory.
En línea
