Re: Directory traversal in Yak! 2.1.2
In-Reply-To: <20041015193318.3257e4eb.aluigi@xxxxxxxxxxxxx>
===========================================================================
In a previous post I reported this issue.
http://www.securityfocus.com/bid/8581/
http://cert.uni-stuttgart.de/archive/bugtraq/2003/11/msg00222.html
I'm NOT sure if the PUT command works perfectly, because with the versions I
played with, I couldn't upload files successfully.
And a password calculator isn't required to know the passwords; just a little
sniffer would reveal the username and password clearly.
===========================================================================
>Date: Fri, 15 Oct 2004 19:33:18 +0000
>From: Luigi Auriemma <aluigi@xxxxxxxxxxxxx>
>To: bugtraq@xxxxxxxxxxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx,
> news@xxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxx,
> vuln@xxxxxxxxxxx
>Subject: Directory traversal in Yak! 2.1.2
>Message-Id: <20041015193318.3257e4eb.aluigi@xxxxxxxxxxxxx>
>
>
>#######################################################################
>
> Luigi Auriemma
>
>Application: Yak!
> http://www.digicraft.com.au/yak/
>Versions: <= 2.1.2
>Platforms: Windows
>Bug: directory traversal (upload)
>Exploitation: remote
>Date: 15 October 2004
>Author: Luigi Auriemma
> e-mail: aluigi@xxxxxxxxxxxxxx
> web: http://aluigi.altervista.org
>
>
>#######################################################################
>
>
>1) Introduction
>2) Bug
>3) The Code
>4) Fix
>
>
>#######################################################################
>
>===============
>1) Introduction
>===============
>
>
>Yak! is a serverless chat system for Windows that lets people chat
>and exchange files.
>
>
>#######################################################################
>
>======
>2) Bug
>======
>
>
>When the program starts it creates a username and password for each
>IP address of the computer's network interfaces.
>This login information is needed to grant other Yak! hosts access to
>the built-in FTP server (used only to receive files).
>
>The problem is just in this FTP server: the input of the clients
>is not filtered, so it is possible to upload files anywhere on the disk
>on which the upload directory of Yak! is located (by default the system's
>temporary folder), overwriting existing ones.
>
>Naturally it is also possible to see any remote directory and file (but
>it seems only c: can be browsed, even if the upload folder is set on another
>disk), while download is prevented by the program because it has been
>designed to receive files only.
>
>
>#######################################################################
>
>===========
>3) The Code
>===========
>
>
>Do the following operations:
>
>Download my "Yak! username and password calculator"
>http://aluigi.altervista.org/papers/yakcalc.zip to retrieve the
>username and password to access to the FTP server of a specific Yak!
>host.
>
>Then connect to the Yak! FTP port, usually 3535:
>
> C:\>ftp
> ftp> open HOST 3535
>
>Enter the calculated username and password and upload your files like
>in the following example:
>
> dir /
> dir ../../windows/
>
> put
> evil.exe
> ../../windows/calc.exe
>
>(slash and backslash have the same effect)
>
>
>#######################################################################
>
>======
>4) Fix
>======
>
>
>No fix.
>The vendor was contacted exactly one month ago but no patch is
>available.
>
>
>#######################################################################
>
>
>---
>Luigi Auriemma
>http://aluigi.altervista.org
>
>
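The defensive counterpart to the bug in section 2 of the quoted advisory, as an added example that is not part of this thread or of Yak!: a lexical path-confinement check that an FTP upload handler can apply to every STOR or LIST argument before touching the filesystem, treating slash and backslash alike as the advisory notes Yak! does. The upload root and the sample requests are constructed for illustration.

```python
import ntpath
from typing import Optional


def resolve_under_root(upload_root: str, client_path: str) -> Optional[str]:
    """Map a client-supplied FTP path (STOR target or LIST directory) to a
    location strictly inside upload_root, or return None to refuse it.
    The check is purely lexical (ntpath), so it behaves the same on any host
    and never consults the real disk before the decision is made."""
    if not client_path or "\x00" in client_path:
        return None
    # Yak! treats / and \ alike (advisory, section 3), so fold both to one form.
    candidate = client_path.replace("/", "\\")
    # Refuse drive letters (C:..\x) and UNC prefixes (\\host\share) outright.
    drive, tail = ntpath.splitdrive(candidate)
    if drive:
        return None
    # A leading separator means the FTP virtual root, i.e. the upload root.
    tail = tail.lstrip("\\")
    root = ntpath.normpath(upload_root)
    # Collapse . and .. lexically, then require the result to stay under root.
    full = ntpath.normpath(ntpath.join(root, tail))
    root_cmp, full_cmp = ntpath.normcase(root), ntpath.normcase(full)
    if full_cmp != root_cmp and not full_cmp.startswith(root_cmp + "\\"):
        return None
    return full


# Constructed sample of STOR/LIST arguments such a server might receive.
SAMPLE_REQUESTS = [
    "evil.exe",
    "incoming/report.txt",
    "/",
    "../../windows/calc.exe",
    "..\\..\\windows\\calc.exe",
    "sub/../../../boot.ini",
    "C:\\windows\\calc.exe",
]


def classify(upload_root: str, requests):
    """Return {request: resolved path or None} for a batch of client paths."""
    return {r: resolve_under_root(upload_root, r) for r in requests}


if __name__ == "__main__":
    # Constructed upload root; the advisory says the default is the temp folder.
    for req, res in classify(r"C:\Windows\Temp\yak", SAMPLE_REQUESTS).items():
        print(f"{req!r:32} -> {'REFUSED' if res is None else res}")
```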