[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re[2]: [Full-disclosure] Microsoft Internet Information Server ftpd zeroday

Dear Thierry Zoller,

I   think   yes,   MKDIR   is   required.  It  should  be  variation  of
S99-003/MS02-018.  fuzzer  should  be very smart to create directory and
user  both  oversized buffer and ../ in NLST - it makes path longer than
MAX_PATH with existing directory.

--Monday, August 31, 2009, 8:21:12 PM, you wrote to full-disclosure@xxxxxxxxxxxxxxxxx:

TZ> Confirmed.

TZ> Ask  yourselves why your fuzzers haven't found that one - Combination of
TZ> MKDIR are required before reaching vuln code ?

Skype: Vladimir.Dubrovin
~/ZARAZA http://securityvulns.com/
Жало мне не понадобится (С. Лем)