Dear Guido Landi, For DoS - yes, you can use existing file, but it's (almost) impossible to create reliable code excution exploit since you can not (fully) control return address, like required in JMP ESP technique used in this exploit. --Wednesday, September 2, 2009, 12:33:47 PM, you wrote to 3APA3A@xxxxxxxxxxxxxxxx: GL> no, MKDIR is *not* required, also write access is *not* required. GL> Assuming a directory with a name that starts with "A" exists and that is GL> at least 14 chars long, this pattern will trigger the overflow: GL> NLST [Ax206]*/../A*/../A*/../A*/../A*/../A*/../A*/../A*/\r\n GL> At least on win2k3. Therefore, the workarounds for kb975191 on GL> microsoft.com are wrong. GL> Guido Landi GL> Vladimir '3APA3A' Dubrovin wrote: >> Dear Thierry Zoller, >> >> I think yes, MKDIR is required. It should be variation of >> S99-003/MS02-018. fuzzer should be very smart to create directory and >> user both oversized buffer and ../ in NLST - it makes path longer than >> MAX_PATH with existing directory. >> >> --Monday, August 31, 2009, 8:21:12 PM, you wrote to >> full-disclosure@xxxxxxxxxxxxxxxxx: >> >> >> TZ> Confirmed. >> >> TZ> Ask yourselves why your fuzzers haven't found that one - Combination of >> TZ> MKDIR are required before reaching vuln code ? >> >> >> >> >> GL> _______________________________________________ GL> Full-Disclosure - We believe in it. GL> Charter: http://lists.grok.org.uk/full-disclosure-charter.html GL> Hosted and sponsored by Secunia - http://secunia.com/ -- Skype: Vladimir.Dubrovin ~/ZARAZA http://securityvulns.com/ Есть там версии Отелло, где Дездемона душит Мавра. (Лем)
