Lucene search
K

yak212.txt

🗓️ 26 Oct 2004 00:00:00Reported by Luigi AuriemmaType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 21 Views

Yak! chat system vulnerability allows directory traversal exploit for file upload on Windows systems.

Code
`  
#######################################################################  
  
Luigi Auriemma  
  
Application: Yak!  
http://www.digicraft.com.au/yak/  
Versions: <= 2.1.2  
Platforms: Windows  
Bug: directory traversal (upload)  
Exploitation: remote  
Date: 15 October 2004  
Author: Luigi Auriemma  
e-mail: [email protected]  
web: http://aluigi.altervista.org  
  
  
#######################################################################  
  
  
1) Introduction  
2) Bug  
3) The Code  
4) Fix  
  
  
#######################################################################  
  
===============  
1) Introduction  
===============  
  
  
Yak! is a serverless chat system for Windows that lets people to chat  
and to exchange files.  
  
  
#######################################################################  
  
======  
2) Bug  
======  
  
  
When the program starts it creates an username and password for each  
IP address of the computer's network interfaces.  
These login informations are needed to grant the access to the built-in  
FTP server (used only to receive files) to other Yak! hosts.  
  
The problem is just in this FTP server because the input of the clients  
is not filtered so is possible to upload files everywhere in the disk  
on which is located the upload directory of Yak! (by default the system's  
temporary folder) overwriting those existent.  
  
Naturally is also possible to see any remote directory and file (but  
seems only c: can be surfed also if the upload folder is set on another  
disk) while download is avoided by the program because it has been  
designed to receive files only.  
  
  
#######################################################################  
  
===========  
3) The Code  
===========  
  
  
Do the following operations:  
  
Download my "Yak! username and password calculator"  
http://aluigi.altervista.org/papers/yakcalc.zip to retrieve the  
username and password to access to the FTP server of a specific Yak!  
host.  
  
Then connect to the Yak! FTP port, usually 3535:  
  
C:\>ftp  
ftp> open HOST 3535  
  
Enter the calculated username and password and upload your files like  
in the following example:  
  
dir /  
dir ../../windows/  
  
put  
evil.exe  
../../windows/calc.exe  
  
(slash and backslash have the same effect)  
  
  
#######################################################################  
  
======  
4) Fix  
======  
  
  
No fix.  
Vendor has been contacted exactly one month ago but no patch is  
available.  
  
  
#######################################################################  
  
  
---   
Luigi Auriemma  
http://aluigi.altervista.org  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation