yak212.txt

yak212.txt: Posted Oct 26, 2004; Authored by Luigi Auriemma | Site aluigi.altervista.org; Yak! versions 2.1.2 and below suffer from remote directory traversal and arbitrary file upload vulnerabilities.; tags | exploit, remote, arbitrary, vulnerability, file upload; SHA-256 | e9eca6add7ddbd7ddf31c47cc1614f574b9a113f384abf9d9a64091993ae4fca; Download | Favorite | View

yak212.txt


#######################################################################

                             Luigi Auriemma

Application:  Yak!
              http://www.digicraft.com.au/yak/
Versions:     <= 2.1.2
Platforms:    Windows
Bug:          directory traversal (upload)
Exploitation: remote
Date:         15 October 2004
Author:       Luigi Auriemma
              e-mail: aluigi@altervista.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Yak! is a serverless chat system for Windows that lets people to chat
and to exchange files.


#######################################################################

======
2) Bug
======


When the program starts it creates an username and password for each
IP address of the computer's network interfaces.
These login informations are needed to grant the access to the built-in
FTP server (used only to receive files) to other Yak! hosts.

The problem is just in this FTP server because the input of the clients
is not filtered so is possible to upload files everywhere in the disk
on which is located the upload directory of Yak! (by default the system's
temporary folder) overwriting those existent.

Naturally is also possible to see any remote directory and file (but
seems only c: can be surfed also if the upload folder is set on another
disk) while download is avoided by the program because it has been
designed to receive files only.


#######################################################################

===========
3) The Code
===========


Do the following operations:

Download my "Yak! username and password calculator"
http://aluigi.altervista.org/papers/yakcalc.zip to retrieve the
username and password to access to the FTP server of a specific Yak!
host.

Then connect to the Yak! FTP port, usually 3535:

 C:\>ftp
 ftp> open HOST 3535

Enter the calculated username and password and upload your files like
in the following example:

 dir /
 dir ../../windows/

 put
   evil.exe
   ../../windows/calc.exe

(slash and backslash have the same effect)


#######################################################################

======
4) Fix
======


No fix.
Vendor has been contacted exactly one month ago but no patch is
available.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org

Top Authors In Last 30 Days

Red Hat 227 files
indoushka 150 files
Jay Turla 150 files
Ubuntu 64 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Karn Ganeshen 23 files
Pedro Ribeiro 22 files

File Archives

Systems

AIX (430)
Apple (2,104)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,119)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (881)
iOS (387)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,136)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,775)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,828)
UNIX (9,454)
UnixWare (188)
Windows (6,766)
Other

yak212.txt

yak212.txt

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

yak212.txt

Share This

yak212.txt

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems