exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New


Posted Jul 4, 2003
Authored by Hernan Ochoa, Gustavo Ajzenman, Javier Garcia Di Palma, Pablo Rubinstein | Site coresecurity.com

Core Security Technologies Advisory ID: CORE-2003-0305-04 - Windows NetMeeting is vulnerable to a directory traversal attack that allows remote arbitrary code execution. Vulnerable version: NetMeeting 3.01 (4.4.3385), possibly others. Fixed in Service Pack 4.

tags | exploit, remote, arbitrary, code execution
systems | windows
SHA-256 | 37573598836434eb829a0bd11e8ad4eae7fa6d4cbf8c3647e8d0168be675a1ea


Change Mirror Download
                         Core Security Technologies Advisory

NetMeeting Directory Traversal Vulnerability

Date Published: 2003-07-02

Last Update: 2003-07-02

Advisory ID: CORE-2003-0305-04

Bugtraq ID: 7931

CVE Name: None currently assigned.

Title: NetMeeting Directory Traversal Vulnerability

Class: Input validation error

Remotely Exploitable: Yes

Locally Exploitable: No

Advisory URL:

Vendors contacted:
- Microsoft
. Core Notification: 2003-05-21
. Notification acknowledged by Microsoft: 2003-05-21
. Issue fixed in Windows 2000 SP4: 2003-06-26


*Vulnerability Description:*

Windows NetMeeting is a popular application used to hold audio and video
conferences between a group of persons. One of its features is "File
Transfer" which lets you send one or more files in the background
during a NetMeeting conference.

A directory traversal vulnerability was found in NetMeeting when
doing File Transfers. An attacker can use filenames containing "..\..\"
when doing a file transfer, and in this manner, create a file in any
place of the victim's filesystem, escaping the directory where
NetMeeting usually stores incoming files (e.g. C:\Program Files\
Received\Received Files).

This makes it possible to force the execution of arbitrary code on
vulnerable systems.

*Vulnerable Packages:*

NetMeeting version 3.01 (4.4.3385).
Other versions may also be vulnerable.

*Solution/Vendor Information/Workaround:*

A fix for this issue is included in Windows 2000 SP4 and Windows XP SP1
available from:

Windows 2000 Service Pack 4

Windows XP (Professional and Home edition) Service Pack 1

Windows Server 2003 does not ship with a vulnerable version of NetMeeting.


This vulnerability was found by HernĂ¡n Ochoa, Gustavo Ajzenman, Javier
Garcia Di Palma and Pablo Rubinstein from Core Security Technologies
during Bugweek 2003 (March 3-7, 2003).

*Technical Description - Exploit/Concept Code:*

We have found a directory traversal vulnerability in NetMeeting when
doing File Transfers. An attacker can use filenames containing "..\..\"
when doing a file transfer, and in this manner, create a file in any
place of the victim's filesystem, escaping the directory where
NetMeeting usually stores incoming files (e.g.: C:\Program
Files\Received\Received Files). An attacker cannot overwrite already
existing files.

A dialog box appears at the end of the file transfer, which can alert
the user about the malicious action (the dialog box will not be
automatically closed). However, the user is not prompted to reject or
accept the file transfer, and since NetMeeting conferences can be
shutdown by sending malformed packets (for example, by arbitrarily
fuzzing data sent in packets interchanged during a chat conversation),
the action can be hidden from the user. We're also investigating certain
succession of packets that may prevent the dialog box from appearing
at all.

How to reproduce this vulnerability:

- Start a NetMeeting conversation between two peers
- Click on the "Transfer Files" button
- Click on the "Add Files..." button and choose any file
(e.g.: example_example_example.txt)
- Attach a debugger to the NetMeeting process (conf.exe) and put a
breakpoint on ws2_32!send
(e.g.: ntsd -p <conf's pid> / bp send )
- Click on the "Send All" button
- The breakpoint set on ws2_32!send() will start popping up.
- Examine the stack, and obtain the address of the buffer sent to the
send() function, and examine its content
- Look for the packet containing the name of the file being sent
(e.g.: example_example_example.txt)
- You're going to find two packets containing the filename, modify both
packets with the debugger so that example_example_example.txt becomes
- Let the process continue both times, and let the file transfer
- Now you can go to the root directory of the drive, and you'll see
the file sent there instead of the "Received Files" directory.

Of course, a debugger is not needed to exploit the vulnerability, it is
just a convenient way to reproduce the vulnerability.

We also found that by sending malformed packets in several different
moments during a connection, all participants or a specific
participant can be thrown out of the conversation. This is not a big
issue per se, but it could help to hide malicious actions as the one
described above (one can send the file, and immediately after, make the
victim's NetMeeting drop the connection, which will make the dialog
box of the file transfer disappear.)

This vulnerability allows an attacker to execute arbitrary code.
For instance, she can upload a specially crafted DLL with the name of
one of the DLL's used by NetMeeting into the NetMeeting directory.
The next time NetMeeting is executed, the system will try to load
these DLL's first from the current directory, and then from
C:\winnt\system32. So the system will load the attacker's DLL and
execute arbitrary code upon the next execution of NetMeeting.
Another possibility is to upload an executable file into the
startup directory of win9x. That file will be executed the next
time the user starts win9x.

*About Core Security Technologies*

Core Security Technologies develops strategic security solutions for
Fortune 1000 corporations, government agencies and military
organizations. The company offers information security software and
services designed to assess risk and protect and manage information

Headquartered in Boston, MA, Core Security Technologies can be reached
at 617-399-6980 or on the Web at http://www.coresecurity.com.

To learn more about CORE IMPACT, the first comprehensive penetration
testing framework, visit:


The contents of this advisory are copyright (c) 2003 CORE Security
Technologies and may be distributed freely provided that no fee is
charged for this distribution and proper credit is given.

$Id: NetMeeting-advisory.txt,v 1.11 2003/07/02 15:45:46 carlos Exp $

Login or Register to add favorites

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By