[NT] Yak! Directory Traversal Bug
From: SecuriTeam (support_at_securiteam.com)
To: firstname.lastname@example.org Date: 18 Oct 2004 10:10:42 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
- - - - - - - - -
Yak! Directory Traversal Bug
<http://www.digicraft.com.au/yak/> Yak! is a "text-based, chat
application for use on Microsoft Windows 32-bit local area networks. It
has a simple and easy to use interface, does not require a dedicated
server, and makes communicating across a LAN a dream. Use Yak! at home to
chat with family and friends, or in the work place to improve
An unfiltered input path used to upload files into the built-in FTP server
found in Yak! enables an attacker to upload any file, anywhere on the
* Yak! version 2.1.2
When the program starts it creates a username and password for each IP
address of the computer's network interfaces. These login informations are
needed to grant the access to the built-in FTP server (used only to
receive files) to other Yak! hosts.
The problem lies in the fact that the FTP server code does not properly
filter the paths used by clients, enabling them to upload files everywhere
on the system. Using this bug it is also possible to browse the entire
drive where the temporary directory is present. However, since the
built-in FTP server found in Yak! was designed to only receive files,
there is no way to download arbitrary files from the system.
Proof of concept:
Connect to the Yak! FTP port, usually 3535:
ftp> open HOST 3535
Enter the calculated username and password and upload your files like
in the following example:
(slash and backslash have the same effect)
The information has been provided by <mailto:email@example.com> Luigi
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: firstname.lastname@example.org
In order to subscribe to the mailing list, simply forward this email to: email@example.com
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.