SecurityTracker.com
Category:   Application (Instant Messaging/IRC/Chat)  >   Yak!
Vendors:   Digicraft Software
Yak! Chat Directory Traversal Flaw Lets Remote Users Upload Files to Arbitrary Locations
SecurityTracker Alert ID:  1011708
SecurityTracker URL:  http://securitytracker.com/id/1011708
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Oct 15 2004
Impact:   Modification of system information, Modification of user information
Exploit Included:  Yes  
Version(s): 2.1.2 and prior versions
Description:   Luigi Auriemma reported a vulnerability in Yak! A remote user can upload files to the target user's system.

It is reported that the chat server's FTP service allows a remote authenticated user to change directories using the '../' directory traversal characters. Then, the remote authenticated user can upload files to the selected directory.

A demonstration exploit is provided:

dir /
dir ../../windows/

put
evil.exe
../../windows/calc.exe

A remote user can determine the required username and password for the target system. A demonstration exploit script for determining the username and password on a Yak! host is available at:

http://aluigi.altervista.org/papers/yakcalc.zip

The vendor was notified on September 15, 2004.

[Editor's note: The directory traversal flaw was reported by 'bil' in Alert ID 1007694 in September 2003, affecting version 2.0.1. However, that report did not indicate that files could be uploaded.]

Impact:   A remote user can upload files to arbitrary locations on the target system.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.digicraft.com.au/yak/
Cause:   Access control error, Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Directory traversal in Yak! 2.1.2



#######################################################################

                             Luigi Auriemma

Application:  Yak!
              http://www.digicraft.com.au/yak/
Versions:     <= 2.1.2
Platforms:    Windows
Bug:          directory traversal (upload)
Exploitation: remote
Date:         15 October 2004
Author:       Luigi Auriemma
              e-mail: aluigi@altervista.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Yak! is a serverless chat system for Windows that lets people chat
and exchange files.


#######################################################################

======
2) Bug
======


When the program starts it creates a username and password for each
IP address of the computer's network interfaces.
This login information is needed to grant other Yak! hosts access to
the built-in FTP server (used only to receive files).

The problem is in this FTP server: the input of the clients is not
filtered, so it is possible to upload files anywhere on the disk on
which the upload directory of Yak! is located (by default the system's
temporary folder), overwriting existing ones.

Naturally it is also possible to see any remote directory and file (but
it seems only c: can be browsed, even if the upload folder is set on
another disk), while download is prevented by the program because it has
been designed to receive files only.


#######################################################################

===========
3) The Code
===========


Do the following operations:

Download my "Yak! username and password calculator"
http://aluigi.altervista.org/papers/yakcalc.zip to retrieve the
username and password to access the FTP server of a specific Yak!
host.

Then connect to the Yak! FTP port, usually 3535:

 C:\>ftp
 ftp> open HOST 3535

Enter the calculated username and password and upload your files as
in the following example:

 dir /
 dir ../../windows/

 put
   evil.exe
   ../../windows/calc.exe

(slash and backslash have the same effect)


#######################################################################

======
4) Fix
======


No fix.
The vendor was contacted exactly one month ago but no patch is
available.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org
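
Added example (not part of the advisory or of Yak!'s code): a server-side check that maps a client-supplied FTP upload path into the upload directory and refuses the '../' forms with either slash or backslash, drive or UNC prefixes, and overwrites of existing files. The upload root C:\Temp\yak_uploads and all function names are assumptions; Python's ntpath module is used so that Windows path rules apply on any OS.

```python
import ntpath  # Windows path rules, importable on any OS

# Assumed upload root (hypothetical; the advisory says Yak! defaults to the temp folder).
UPLOAD_ROOT = r"C:\Temp\yak_uploads"


class PathRejected(ValueError):
    """The client-supplied FTP path must not be honoured."""


def resolve_upload_path(client_path, root=UPLOAD_ROOT, exists=ntpath.exists):
    """Map an FTP upload path to a path strictly inside `root`, or raise."""
    if not client_path or "\x00" in client_path:
        raise PathRejected("empty path or NUL byte")
    # Slash and backslash are equivalent on Windows, so fold them first.
    path = client_path.replace("/", "\\")
    # Drive letters, UNC prefixes and NTFS stream names would re-root the path.
    if ntpath.splitdrive(path)[0] or ":" in path:
        raise PathRejected("drive, UNC or stream syntax")
    # An FTP-absolute path ("/x") is taken relative to the upload root.
    candidate = ntpath.normpath(ntpath.join(root, path.lstrip("\\")))
    root_key = ntpath.normcase(ntpath.normpath(root))
    cand_key = ntpath.normcase(candidate)
    # Compare whole components, case-insensitively; a string-prefix test would
    # accept a sibling directory such as C:\Temp\yak_uploads_evil.
    if ntpath.commonpath([root_key, cand_key]) != root_key:
        raise PathRejected("escapes upload root")
    if cand_key == root_key:
        raise PathRejected("no file name")
    # Receiving a file must never replace one that is already there.
    if exists(candidate):
        raise PathRejected("target already exists")
    return candidate


def classify(client_path, **kw):
    """Return ('ok', path) or ('rejected', reason) for reporting and tests."""
    try:
        return ("ok", resolve_upload_path(client_path, **kw))
    except PathRejected as e:
        return ("rejected", str(e))


if __name__ == "__main__":
    # Constructed inputs: two benign names plus the path forms from the advisory.
    for p in ["photo.jpg", "/sub/../notes.txt", "../../windows/calc.exe",
              "..\\..\\windows\\calc.exe", "../yak_uploads_evil/x", "C:/windows/calc.exe"]:
        print(f"{p!r:32} -> {classify(p)}")
```

The check is lexical only; if junctions or symlinks can exist inside the upload root, the resolved real path on the host needs the same containment test.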
 
 

