Bugtraq mailing list archives

Multiple win32 servers vulnerable to DoS (OS matter)


From: ByteRage <byterage () yahoo com>
Date: Tue, 31 Jul 2001 07:54:56 -0700 (PDT)

AFFECTED SYSTEMS

Windows 98 (first edition) *with* CON\CON kernel patch
by Microsoft.
Although this is an OS matter, here are some affected
FTP server programs I have found:

BisonFTP V4R1
Broker FTP Server 5.9.5.0
G6 FTP Server v2.15 (AKA BulletProof FTP Server)
GuildFTPD 0.922
SurgeFTP 2.0f
WarFTPD 1.71
WFTPD 3.00 R5
...

The AUX read bug has already been discussed by
neme-dhc for Xitami webserver & Small HTTP server, and
there may also be other advisories out there, but most
of them seem to regard these bugs as originating from
the server software, which is not the case.

IMMUNE SYSTEMS

ArGoSoft FTP Server 1.2.2.2
Serv-U FTP Server version 3.0
...

DESCRIPTION

On the tested win98 system, when programs accessed the
AUX device for reading, CPU usage increased to 100%,
and in most cases the computer would completely
freeze.

Sometimes server software had filtering to prevent
'downloading' (GET) the AUX device, but
this filtering can easily be circumvented by referring
to the device as AUX. (with a trailing dot, or maybe
appending an extension like AUX.FOO or by randomly
appending dots & spaces (AUX. . .. ... .. .)).

Serv-U FTP version 3.0 & ArGoSoft FTP Server 1.2.2.2
were the only server programs that were immune to the
attack even with the trickery, so they must be
filtering out devices using API calls, which is a good
idea from a security standpoint.

-=-=-=-

Another issue, which has already been discussed by
3APA3A for win32 archivers, is the accessibility of
devices under win32 platforms. This can also be
demonstrated on FTP server software:

PUT C:\AUTOEXEC.BAT PRN.F00

prints out your autoexec.bat on the remote machine's
printer (mostly you'll need FTP write access) (you
might want to append a Form Feed character (0Ch) to
the file, otherwise some printers won't start).
Sometimes you can also read small bits & pieces of
memory by downloading $MMXXXX0 & EMMXXXX0.
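The filter bypass described above (AUX., AUX.FOO, "AUX. . .. ... .. .") and the PRN.F00 write both work because Win32 resolves a path component to a device from the text before its first dot, ignoring trailing spaces. The check below is an added example, not code from the post or from any of the servers listed; the reserved-name list and the `check_ftp_argument` helper are my own constructions, and on a real Windows host the authoritative test is still to ask the OS (a canonical path beginning with `\\.\` names a device).

```python
import re

# Reserved DOS device names, compared case-insensitively. Constructed from
# the documented Win32 naming rules for this example (COM1-9, LPT1-9).
_RESERVED = ({"CON", "PRN", "AUX", "NUL", "CLOCK$"}
             | {f"COM{i}" for i in range(1, 10)}
             | {f"LPT{i}" for i in range(1, 10)})


def is_reserved_device_name(name: str) -> bool:
    """Return True if `name` would be resolved to a DOS device by Win32.

    The rule applied here: take the final path component, cut it at the
    first '.' or ':' (so extensions and stream suffixes are dropped), and
    ignore trailing spaces. This is why 'AUX.', 'AUX.FOO' and
    'AUX. . .. ... .. .' all refer to the AUX device.
    """
    # Accept both separators so 'pub/incoming/con.txt' is caught too.
    component = re.split(r"[\\/]", name)[-1]
    # Everything before the first '.' or ':' is the candidate base name.
    base = re.split(r"[.:]", component, maxsplit=1)[0]
    # Trailing spaces (but not leading ones) are dropped by Win32.
    base = base.rstrip(" ")
    return base.upper() in _RESERVED


def check_ftp_argument(cmd: str, arg: str) -> str:
    """Hypothetical server hook: refuse RETR/STOR/GET/PUT arguments that
    name a device, before the filesystem is ever asked to open them."""
    if is_reserved_device_name(arg):
        return f"550 {cmd} {arg}: refused, names a Win32 device"
    return f"150 {cmd} {arg}: ok"


if __name__ == "__main__":
    # Constructed sample arguments taken from the tricks in the post.
    for arg in ("AUX", "AUX.", "aux.foo", "AUX. . .. ... .. .",
                "PRN.F00", "pub/incoming/con.txt", "AUXILIARY.txt",
                "index.html"):
        print(check_ftp_argument("RETR", arg))
```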

====================================================
[ByteRage] byterage () yahoo com [www.byterage.cjb.net]
====================================================
