Dear Vladimir,

"almost" is often enough :)

btw, it was about triggering the vuln, not about exploiting it.

Guido Landi

Vladimir '3APA3A' Dubrovin wrote:
> Dear Guido Landi,
>
> For DoS - yes, you can use existing file, but it's (almost) impossible
> to create reliable code execution exploit since you can not (fully)
> control return address, like required in JMP ESP technique used in this
> exploit.
>
> --Wednesday, September 2, 2009, 12:33:47 PM, you wrote to 3APA3A@xxxxxxxxxxxxxxxx:
>
> GL> no, MKDIR is *not* required, also write access is *not* required.
>
> GL> Assuming a directory with a name that starts with "A" exists and that is
> GL> at least 14 chars long, this pattern will trigger the overflow:
>
> GL> NLST [Ax206]*/../A*/../A*/../A*/../A*/../A*/../A*/../A*/\r\n
>
> GL> At least on win2k3. Therefore, the workarounds for kb975191 on
> GL> microsoft.com are wrong.
>
> GL> Guido Landi
>
> GL> Vladimir '3APA3A' Dubrovin wrote:
>>> Dear Thierry Zoller,
>>>
>>> I think yes, MKDIR is required. It should be variation of
>>> S99-003/MS02-018. fuzzer should be very smart to create directory and
>>> use both oversized buffer and ../ in NLST - it makes path longer than
>>> MAX_PATH with existing directory.
>>>
>>> --Monday, August 31, 2009, 8:21:12 PM, you wrote to
>>> full-disclosure@xxxxxxxxxxxxxxxxx:
>>>
>>> TZ> Confirmed.
>>>
>>> TZ> Ask yourselves why your fuzzers haven't found that one - Combination of
>>> TZ> MKDIR are required before reaching vuln code ?
>
> GL> _______________________________________________
> GL> Full-Disclosure - We believe in it.
> GL> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> GL> Hosted and sponsored by Secunia - http://secunia.com/
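The thread's point for defenders is that the NLST path only has to exceed MAX_PATH after wildcard expansion against an existing directory, so a filter that merely rejects MKDIR or write access does not help. The following detection sketch is an added example, not code from any of the thread's participants; it scans constructed FTP control-channel log lines (the log format, field order and thresholds are assumptions) and flags NLST/LIST arguments that combine wildcards with repeated "../" segments or that are overlong outright.

```python
import re

MAX_PATH = 260  # Windows MAX_PATH, the bound the thread says the expanded NLST path exceeds

# Constructed sample log lines (assumed format: date time client-ip user command [argument]).
# These are not from the original thread; only the third line mirrors its pattern shape.
SAMPLE_LOG = """\
2009-09-02 12:40:01 10.0.0.5 anon NLST pub/*.txt
2009-09-02 12:40:03 10.0.0.5 anon CWD /incoming
2009-09-02 12:40:05 10.0.0.9 anon NLST AAAA*/../A*/../A*/../A*/../A*/../A*/../A*/../A*/
2009-09-02 12:40:07 10.0.0.9 anon LIST -la
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<ip>\S+) (?P<user>\S+) (?P<cmd>[A-Z]{3,4})(?: (?P<arg>.*))?$"
)


def analyze_list_arg(arg: str, max_traversals: int = 3) -> list:
    """Return the reasons an NLST/LIST argument looks like the overlong-path trigger.

    An empty list means the argument looks benign. max_traversals is an assumed
    tuning knob; ordinary clients rarely send more than one or two '../' in a listing.
    """
    reasons = []
    if len(arg) > MAX_PATH:
        # Overlong on its own, no expansion needed.
        reasons.append("arg_exceeds_max_path")
    traversals = arg.count("../")
    if traversals >= max_traversals:
        reasons.append("traversal_segments=%d" % traversals)
    if "*" in arg and traversals:
        # Each 'A*/' can expand to an existing long directory name, which is how the
        # thread says MAX_PATH is exceeded without the client ever creating a directory.
        reasons.append("wildcard_with_traversal")
    return reasons


def scan_log(text: str) -> list:
    """Parse the log and return one hit dict per suspicious NLST/LIST command."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["cmd"] not in ("NLST", "LIST"):
            continue
        reasons = analyze_list_arg(m["arg"] or "")
        if reasons:
            hits.append({"ts": m["ts"], "ip": m["ip"], "arg": m["arg"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["reasons"], hit["arg"])
```

Only the third sample line is reported; the plain wildcard listing and the LIST -la are left alone.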