RE: Directory Transversal

From: jfvanmeter@comcast.net
Date: Thu Oct 18 2007 - 08:49:14 EDT


Thanks Leo, that is good info.

I've already notified the customer of the risk that reading a file could cause an information leakage to an unauthorized user.
Testing has also revealed that no audit trail is created, even when NTFS Auditing for the file is configured, <----- Nice, no way to track access

I've been continuing the test to discover how much information I can compromise.

Take Care and Have Fun --John

 -------------- Original message ----------------------
From: "Walsh, Leo" <Leo_Walsh@jeffersonwells.com>
> Personally I'd take a slightly different route than trying to see if you
> can use the vulnerability to upload a file.
>
> 1) Can you execute programs like cmd.exe with this vulnerability?
> 2) Can you grab the backup SAM file?
>
> If I found a system that allowed either of these I'd stop testing and
> notify the project customer immediately. If either of those methods are
> allowed then it should be evidence enough that you could take control of
> the system if you wished to spend enough time on it. Proving the severe
> vulnerability and moving on shows to the client that you are wasting
> their time by playing around.
>
> If you really do wish to upload a file to the server then I'd check to
> see if you can execute cmd.exe and use it to search for files like
> upload.asp or even wget or ftp. There are also likely tools (I just
> don't know of any off the top of my head) that will allow you to open a
> reverse shell using cmd.exe on the target host.
>
> Please keep us updated with what you find and whether or not this is a
> custom web app or one that others might also see in their testing.
>
>
> -Leo Walsh, GSNA
> Jefferson Wells International
> 816-627-4222 (office)
> 913-484-8051 (cell)
>
> -----Original Message-----
> From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
> On Behalf Of jfvanmeter@comcast.net
> Sent: Wednesday, October 17, 2007 12:56 PM
> To: pen-test@securityfocus.com
> Subject: Directory Transversal
>
>
> Hello everyone, I'm in the middle of a test on a app that the following
> command works on
> http://mycomputer:port#/..//..//..//..//..//..//..//windows/win.ini
> and it will prompt me to save the file, if i check my packet capture I
> see the contents of the file.
>
> So far I've been unable to get a put or post command to work and was
> hoping to get some ideas from you all on things to try.
>
> I've been trying to get nc/telnet and some other tools to help me with
> the put command
>
> Thanks in advance --John
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------
>
>
>
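Two defensive pieces fit this thread, added here as an example rather than anything posted by John or Leo: a server-side path resolver that would have refused the `..//..//..//windows/win.ini` request, and a small detector that flags such requests in web-server access logs, which matters because John reports that NTFS auditing produced no record of the file read, leaving the request log as the only evidence. The web root, the log format and the sample log lines are all constructed for the example; only the request path is taken from the thread.

```python
import os
import re
import posixpath
from urllib.parse import unquote

# Traversal indicators: "..", optionally percent-encoded, followed by a
# forward slash, backslash, or encoded slash. "..//" matches because
# "../" is a prefix of it; doubled separators do not hide the sequence.
TRAVERSAL_RE = re.compile(r"(?:\.\.|%2e%2e)(?:[\\/]|%2f|%5c)", re.IGNORECASE)


def decode_path(raw):
    """Percent-decode a request path (bounded, so double encoding such as
    %252e is unwrapped too) and unify Windows backslashes to slashes."""
    path = raw
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def safe_resolve(web_root, requested):
    """Map a requested URL path onto a file under web_root.

    Returns the absolute filesystem path, or None when the request would
    climb out of the root. Rejects any '..' segment that survives
    normalisation, then double-checks containment on the resolved path.
    """
    root = os.path.realpath(web_root)
    cleaned = decode_path(requested).split("?", 1)[0].lstrip("/")
    cleaned = posixpath.normpath(cleaned)  # collapses "//" and "/./"
    if cleaned == ".":
        cleaned = ""
    # normpath keeps leading ".." on a relative path, so an escape attempt
    # is still visible here and is refused outright.
    if any(seg == ".." for seg in cleaned.split("/")):
        return None
    candidate = os.path.realpath(os.path.join(root, cleaned))
    # Symlinks inside the root are followed by realpath; make sure the
    # final target still lies under the root.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


# Constructed access-log lines in common log format; the second and third
# carry the traversal path from the thread in raw and encoded form.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Oct/2007:12:56:01 -0400] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.5 - - [17/Oct/2007:12:56:07 -0400] "GET /..//..//..//..//..//..//..//windows/win.ini HTTP/1.1" 200 403',
    '10.0.0.5 - - [17/Oct/2007:12:56:12 -0400] "GET /%2e%2e/%2e%2e/windows/win.ini HTTP/1.1" 200 403',
    '10.0.0.9 - - [17/Oct/2007:12:57:00 -0400] "GET /docs/../index.html HTTP/1.1" 200 512',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|HEAD)\s+(\S+)')


def flag_traversal(log_lines):
    """Return (line_number, request_path) for every log line whose request
    path contains a traversal sequence, raw or percent-encoded."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        path = match.group(1)
        if TRAVERSAL_RE.search(path) or TRAVERSAL_RE.search(decode_path(path)):
            hits.append((number, path))
    return hits


if __name__ == "__main__":
    root = "/srv/example-webroot"  # constructed; need not exist for the check
    for req in ("/..//..//..//..//..//..//..//windows/win.ini",
                "/%252e%252e%252fwindows%252fwin.ini",
                "/images/logo.png"):
        print(f"{req!r:55} -> {safe_resolve(root, req)}")
    for number, path in flag_traversal(SAMPLE_LOG):
        print(f"line {number}: suspicious request {path}")
```

Note the deliberate difference between the two functions: `safe_resolve` accepts `/docs/../index.html` because it never leaves the root, while `flag_traversal` reports it, since a log reviewer wants to see every client that is probing with `..` at all, not only the ones that succeeded.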




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:10 EDT