Microsoft FTP Client Multiple Buffer Overflow Vulnerabilities

#####################################################################

XDisclose Advisory      : XD100096
Vulnerability Discovered: November 20th 2007
Advisory Released       :
Credit                  : Rajesh Sethumadhavan

Class                   : Buffer Overflow
                          Denial Of Service
Solution Status         : Unpatched
Vendor                  : Microsoft Corporation
Affected applications   : Microsoft FTP Client
Affected Platform       : Windows 2000 Server
                          Windows 2000 Professional
                          Windows XP
                          (Other versions may also be affected)

Securityreason ID       : 3398

#####################################################################


Overview:
A buffer overflow vulnerability has been discovered in the Microsoft FTP
client. An attacker can crash the victim's FTP client by tricking the
user into running a crafted command or batch file.


Description:
A remote attacker can craft input with an over-long payload as the
argument of the "mget", "ls", "dir", "user" and "password" commands, as
demonstrated below. When the victim runs the PoC, or sends or receives
the specially crafted data, the FTP client crashes, with possible
arbitrary code execution in the context of the logged-in user. The
vulnerability is hard to exploit in practice, since it requires social
engineering and the shellcode has to be delivered as the argument of one
of the vulnerable commands.

The vulnerability is caused by an error in the Windows FTP client when
validating the length of arguments to the "mget", "dir", "user",
"password" and "ls" commands.

Exploitation method:

Method 1:
-Send the PoC batch file with the payload to the user.
-Social engineer the victim into opening it.

Method 2:
-The attacker creates a directory or file with a long name containing the
 payload on an FTP server under his control (a server other than IIS).
-Persuade the victim to run "mget", "ls" or "dir" against the specially
 crafted folder using the Microsoft FTP client.
-The FTP client crashes and the payload is executed.
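The defect class that the Description and Method 2 rely on, as an added
illustration written for this page; it is not the advisory's PoC and not
Microsoft's FTP client code. A hypothetical command-argument handler
copies a filename into a fixed-size buffer (ARG_BUF_SIZE is an assumed
value, the advisory gives no real buffer size), first in the unchecked
shape that overflows, then in a checked shape that rejects the argument
instead. A third function scans a constructed directory listing, of the
kind a hostile server could return to "ls" or "dir", for entries that
would not fit, which is the check a proxy or a cautious user tool could
apply before "mget" is ever typed.

```c
#include <stdio.h>
#include <string.h>

/* Assumed argument buffer size for the illustration. The advisory does not
   state the real client's buffer sizes; this value is a placeholder. */
#define ARG_BUF_SIZE 64

/* Vulnerable shape: the argument is copied with no length check, so any
   argument of ARG_BUF_SIZE bytes or more overruns the stack buffer. This is
   the defect class the advisory describes. It is only ever called below with
   a short, safe argument. */
void handle_arg_unchecked(const char *arg)
{
    char buf[ARG_BUF_SIZE];
    strcpy(buf, arg);                 /* unbounded copy */
    printf("unchecked handler took: %s\n", buf);
}

/* Hardened shape: refuse any argument that does not fit, NUL included.
   Returns 1 if the argument was accepted, 0 if it was rejected. */
int handle_arg_checked(const char *arg)
{
    char buf[ARG_BUF_SIZE];
    size_t n = strlen(arg);
    if (n >= sizeof buf)
        return 0;                     /* would overflow: reject, do not copy */
    memcpy(buf, arg, n + 1);
    printf("checked handler took: %s\n", buf);
    return 1;
}

/* Count entries in a newline-separated directory listing whose name is
   `limit` bytes or longer, i.e. would not fit the client's argument buffer.
   A listing with any such entry is what Method 2 depends on. */
int count_oversized_entries(const char *listing, size_t limit)
{
    int count = 0;
    const char *p = listing;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= limit)
            count++;
        if (!nl)
            break;
        p = nl + 1;
    }
    return count;
}

/* Constructed 300-byte filename, standing in for an attacker-chosen name. */
const char *long_name(void)
{
    static char name[301];
    memset(name, 'A', 300);
    name[300] = '\0';
    return name;
}

/* Constructed sample listing: two ordinary names around one oversized name,
   in the shape a server's LIST reply might take. */
const char *sample_listing(void)
{
    static char listing[512];
    snprintf(listing, sizeof listing, "report.txt\n%s\nnotes.doc\n", long_name());
    return listing;
}

int main(void)
{
    printf("oversized entries in sample listing: %d\n",
           count_oversized_entries(sample_listing(), ARG_BUF_SIZE));
    handle_arg_unchecked("report.txt");
    printf("short name accepted: %d\n", handle_arg_checked("report.txt"));
    printf("300-byte name accepted: %d\n", handle_arg_checked(long_name()));
    return 0;
}
```

The checked handler and the listing scan share one rule: measure before
you copy, and treat a name that does not fit as a reason to refuse the
command rather than a reason to truncate it silently, since truncation
can still leave a client fetching the wrong file.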


Proof Of Concept:
http://www.xdisclose.com/poc/mget.bat
http://www.xdisclose.com/poc/username.bat
http://www.xdisclose.com/poc/directory.bat
http://www.xdisclose.com/poc/list.bat

Note: Modify the PoC to connect to a lab FTP server
      (as published it connects to ftp://xdisclose.com)

Demonstration:
Note: The demonstration crashes the Microsoft FTP client.

Download the PoC and execute any one of the batch files:
http://www.xdisclose.com/poc/mget.bat
http://www.xdisclose.com/poc/username.bat
http://www.xdisclose.com/poc/directory.bat
http://www.xdisclose.com/poc/list.bat


Solution:
No solution available; the vendor has not released a patch.

Screenshot:
http://www.xdisclose.com/images/msftpbof.jpg


Impact:
Successful exploitation may allow execution of arbitrary code with the
privileges of the currently logged-in user.

The impact of the vulnerability is system level.


Original Advisory:
http://www.xdisclose.com/advisory/XD100096.html

Credits:
Rajesh Sethumadhavan has been credited with the discovery of this
vulnerability.


Disclaimer:
This entire document is strictly for educational, testing and
demonstration purposes only. Modifying, using and/or publishing this
information is entirely at your own risk. The exploit code/Proof Of
Concept is to be used in a test environment only. I am not liable for
any direct or indirect damages caused as a result of using the
information or demonstrations provided in any part of this advisory.