Re: Serv-U 2.5i DoS

[Steven Bates <Craig () POP3 FREENET DE>]

Hi everybody!

First of all I have to say that I am very sorry for writing back that late,
but I have been busy learning for school all the time - I had to pass some
important exams.

I want to answer Ishay's questions now:

> Was the flooding done in remote? if so what was the connection speed between
> the 2 computers?
Yes, the flooding was done remotely. The Connection speed was 10Mbit, but I do
not think it's just because of the bandwidth. When I caneled the flooder
before Win shows the "90% of mem used" message Serv-U only showed about
8-10Kbps of traffic per second.

> And, is it possible that the resources usage was high due to messages being
> printed to console screen of the servu?
Well, that's the point. I think it might be some sloppy coding in the window,
yea...I am not to sure what exactly causes this behaviour, that's why I sent
the mail just to vuln-dev and not to bugtraq.
I'd like to test it on the internet, too, but I did (and do) not want to DoS
someone's server off the net...
Well, I am pretty sure that there is a bug in Serv-U - if it does not work on
the net, it will at least work in a local network (I tested it several times
in mine).

[Craig]
http://www.HaQuarter.De


> ----My-Original Message-----
> From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM]On Behalf Of
> Steven, Bates
> Sent: Sunday, February 25, 2001 4:55 PM
> To: VULN-DEV () SECURITYFOCUS COM
> Subject: Serv-U 2.5i DoS
>
>
> Hi, I think I found another DoS issue in Serv-U 2.5i:
>
> I've downloaded the "Fixed" version of Serv-U yesterday. I
> installed it on one
> of my pc's and started %windir%\RSRCMTR.EXE to see how many
> resources are used
> when I flood it. Then I started to play around with the server:
>
> Ftp> open server
> Connected to server.
> 220 Serv-U FTP-Server v2.5i for WinSock ready...
>
> I coded a little java application which flooded the server
> with 0x00 chars,
> but at least that bug was fixed.
> So I tried other chars and found out, that 0xff was a good choice. The
> application just sends out 0xff chars in a never ending loop
> (I added a
> Counter to see how much chars are needed to block/crash it).
>
>  char nuke=0xff;
>  int Counter=0;
>
>  while(true)
>   {
>    sout.print(nuke);
>    Counter++;
>    if(Counter%10000==0)
>     System.out.println(Counter+" 0xff sent");
>   }
>
>
> I started it, and the resources got lower and lower. When
> about 290000 0xff
> chars were sent, there was a popup (I am sure every Win9x
> user saw it once)
> which said that 90% of the resources were already used, and
> that some programs
> should be closed. I tried to click the "OK" button, but the
> popup did not
> react. I also noticed that the mouse cursor was moving
> strange... I tried to
> login from an other pc:
>
> Ftp>open Server
> Connected to server.
> Connection closed by remote host.
>
> but as you can see, it did not work - the connection closed
> after the timeout.
> Then I stopped the java application with STRG-C, the resource
> icon became
> green, the popup dissappeared (it finally noticed that I had
> clicked on it)
> and the server was working fine again.
>
> While writing this, I was testing the flooder, but after
> seeing the popup on
> the screen, I forgot to stop the flooder. When I finally
> noticed that, I
> stopped it - it had already sent about 2,5 Million 0xff chars
> to the server. I
> tried to connect to the ftpd, but I couldn't - I was connected and
> immediatley(!) disconnected. I tested it again, but this only
> works sometimes,
> i have now idea why.
>
> I do not know why the server acts like this, but this issue
> should really
> should be fixed.
>
> !! THE FLOODER DOES NOT WORK, IF THE SERV-U ICON IS JUST IN
> THE TRAY, YOU NEED
> TO SEE THE LOGGING SCREEN !!
> !! I was only able to repoduce this behaviour on Win95, on
> Win98 it did not
> seem to do anything !!
>
>
> [Craig]
> http://www.HaQuarter.De/