| New User, Welcome! Login |
Re[2]: [Full-disclosure] Microsoft Internet Information Server ftpd zeroday
| From: |
"Vladimir '3APA3A' Dubrovin" <3APA3A SECURITY NNOV RU> |
| To: |
Thierry Zoller <Thierry Zoller lu> |
| Cc: |
full-disclosure lists grok org uk, bugtraq securityfocus com |
| Subject: |
Re[2]: [Full-disclosure] Microsoft Internet Information Server ftpd zeroday |
| Date: |
Mon - Aug 31, 2009 10:18 AM |
Dear Thierry Zoller,
I think yes, MKDIR is required. It should be variation of
S99-003/MS02-018. fuzzer should be very smart to create directory and
user both oversized buffer and ../ in NLST - it makes path longer than
MAX_PATH with existing directory.
--Monday, August 31, 2009, 8:21:12 PM, you wrote to full-disclosure@lists.grok.org.uk:
TZ> Confirmed.
TZ> Ask yourselves why your fuzzers haven't found that one - Combination of
TZ> MKDIR are required before reaching vuln code ?
--
Skype: Vladimir.Dubrovin
~/ZARAZA http://securityvulns.com/
ÿ (. )
|
|
|
Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
Nearly all of LinuxRocket's features are free. Be kind and donate to the cause!
