[NT] Yak! File Transfer Mechanism Exposes System To Compromise
From: SecuriTeam (support_at_securiteam.com)
Date: 09/16/03
To: list@securiteam.com
Date: 16 Sep 2003 16:23:53 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Yak! File Transfer Mechanism Exposes System To Compromise
------------------------------------------------------------------------
SUMMARY
<http://www.digicraft.com.au/yak/> Yak! is "a text-based, chat
application for use on Microsoft Windows 32-bit local area networks. It
has a simple and easy to use interface, does not require a dedicated
server, and makes communicating across a LAN a dream. Use Yak! at home to
chat with family and friends, or in the work place to improve
productivity".
Yak! provides a file transfer mechanism that uses an FTP server to
transfer files between hosts. The FTP server uses a default username and
password (that cannot be changed). The default username and password can
be used to access the whole operating system under which Yak! is
installed, without any constraints.
DETAILS
Vulnerable systems:
* Yak! version 2.0.1
Yak! supports file transfers; by default, the file transfer mechanism
uses TCP port 3535. If a connection is made to port 3535, the following
banner will appear:
" 220 ICS FTP Server ready. "
The FTP server's default username is Yak and default password is asd123.
Once they are entered via a normal FTP client, unlimited access can be
obtained to the machine where Yak! is installed.
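The port, banner and account name above are enough to find Yak! hosts and fixed-account logins in recorded FTP control traffic. The following Python is an added example, not part of the original advisory; the log format, addresses and reply texts are constructed, and sessions are keyed by client/server pair as a simplifying assumption.

```python
import re

YAK_PORT = 3535                           # default file-transfer port, from the advisory
YAK_BANNER = "220 ICS FTP Server ready."  # banner quoted in the advisory
YAK_USER = "yak"                          # fixed account name, compared case-insensitively

# Constructed sample log (assumed format): time client server:port side line
SAMPLE_LOG = """\
10:01:02 192.0.2.10 192.0.2.20:3535 S 220 ICS FTP Server ready.
10:01:03 192.0.2.10 192.0.2.20:3535 C USER Yak
10:01:03 192.0.2.10 192.0.2.20:3535 S 331 Password required.
10:01:04 192.0.2.10 192.0.2.20:3535 C PASS ******
10:01:04 192.0.2.10 192.0.2.20:3535 S 230 User logged in.
10:05:10 192.0.2.11 192.0.2.30:21 S 220 FTP service ready.
10:05:11 192.0.2.11 192.0.2.30:21 C USER alice
10:07:00 192.0.2.12 192.0.2.40:3535 S 220 ICS FTP Server ready.
10:07:01 192.0.2.12 192.0.2.40:3535 C USER Yak
10:07:02 192.0.2.12 192.0.2.40:3535 C PASS ******
10:07:02 192.0.2.12 192.0.2.40:3535 S 530 Login incorrect.
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) ([CS]) (.*)$")


def analyze(log_text):
    """Return (exposed_servers, logins) seen on the Yak! port."""
    exposed = set()   # servers that sent the advisory's banner on YAK_PORT
    logins = []       # (time, client, server) of completed fixed-account logins
    pending = {}      # (client, server) -> True after "USER Yak"
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or int(m.group(4)) != YAK_PORT:
            continue  # malformed line or a different service
        time, client, server, _port, side, text = m.groups()
        session = (client, server)  # simplification: one session per pair
        if side == "S" and text.strip() == YAK_BANNER:
            exposed.add(server)
        elif side == "C" and text.upper().startswith("USER "):
            pending[session] = text[5:].strip().lower() == YAK_USER
        elif side == "S" and text.startswith("230"):
            if pending.pop(session, False):
                logins.append((time, client, server))
        elif side == "S" and text.startswith("530"):
            pending.pop(session, None)  # failed login, forget the attempt
    return exposed, logins


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Because the account cannot be changed, every server in the first result needs the port filtered or the application removed, whether or not a login was observed.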
ADDITIONAL INFORMATION
The information has been provided by <mailto:bil_912@coolgoose.com> bil.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.