Security Advisory 06 – 039 – The VSAOD server allows unauthenticated arbitrary file overwrites
Vulnerability discovery and development:
Portcullis Security Testing Services discovered this vulnerability during an application assessment.
Further research was then carried out post assessment.
Credit for Discovery:
Tim Brown – Portcullis Computer Security Ltd.
All known versions of Audit; this vulnerability was discovered in version 126.96.36.199.
It is possible to set the log file name on the remote VSAOD server using the following unauthenticated exchange:
client> LOG.[filename]
server> Logfile set to: [filename]
Since the VSAOD server typically runs as SYSTEM, it is possible to overwrite any file on the system. An attacker can use this to write additional ASP into web pages, to write commands to a batch file, or to corrupt files on the system.
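For detection, captured client traffic can be checked for this command. The following is an added example, not part of the original advisory or of the vendor's code: it flags LOG commands whose target resolves outside an expected log directory or has one of the file types named above. The one-command-per-line framing, the case-insensitive match, the C:\Logs directory and the sample lines are assumptions constructed for illustration.

```python
import ntpath
import re

# Assumption: one command per line, shaped like the advisory's "LOG.[filename]".
LOG_CMD = re.compile(r"^LOG\.(?P<name>.+)$", re.IGNORECASE)
# File types the advisory names as overwrite targets (ASP pages, batch files).
RISKY_EXT = {".asp", ".bat"}
# Hypothetical directory where this deployment expects VSAOD logs to live.
ALLOWED_DIR = r"C:\Logs"


def classify_log_command(line, allowed_dir=ALLOWED_DIR):
    """Return None for non-LOG traffic, else a finding for the requested path."""
    m = LOG_CMD.match(line.strip())
    if m is None:
        return None
    # Resolve relative names against the log directory and collapse "..".
    full = ntpath.normpath(ntpath.join(allowed_dir, m.group("name").strip()))
    base = ntpath.normcase(ntpath.normpath(allowed_dir)).rstrip("\\") + "\\"
    reasons = []
    if not ntpath.normcase(full).startswith(base):
        reasons.append("outside-log-dir")
    if ntpath.splitext(full)[1].lower() in RISKY_EXT:
        reasons.append("risky-extension")
    # Every LOG command is unauthenticated, so even benign ones merit review.
    return {"path": full, "severity": "high" if reasons else "review",
            "reasons": reasons}


def scan(lines, allowed_dir=ALLOWED_DIR):
    """Classify each captured client line and keep only LOG commands."""
    findings = (classify_log_command(l, allowed_dir) for l in lines)
    return [f for f in findings if f is not None]


# Constructed sample of client-side lines (not real captured traffic).
SAMPLE = [
    "HELLO",
    "LOG.audit.log",
    r"LOG.C:\Inetpub\wwwroot\default.asp",
    r"log...\..\nightly.bat",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding["severity"], finding["path"], finding["reasons"])
```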
Exploit code is not required.
e-mailed – 16th January 2007
e-mailed – 26th February 2007
e-mailed – 15th March 2007