Vulnerability Development mailing list archives
Re: Serv-U 2.5i DoS
From: Steven Bates <Craig () POP3 FREENET DE>
Date: Mon, 5 Mar 2001 06:22:36 -0700
Hi everybody! First of all I have to say that I am very sorry for writing back that late, but I have been busy learning for school all the time - I had to pass some important exams. I want to answer Ishay's questions now:
Was the flooding done in remote? If so what was the connection speed between the 2 computers?
Yes, the flooding was done remotely. The connection speed was 10Mbit, but I do not think it's just because of the bandwidth. When I canceled the flooder before Win shows the "90% of mem used" message Serv-U only showed about 8-10Kbps of traffic per second.
And, is it possible that the resources usage was high due to messages being printed to console screen of the servu?
Well, that's the point. I think it might be some sloppy coding in the window, yea...I am not too sure what exactly causes this behaviour, that's why I sent the mail just to vuln-dev and not to bugtraq. I'd like to test it on the internet, too, but I did (and do) not want to DoS someone's server off the net... Well, I am pretty sure that there is a bug in Serv-U - if it does not work on the net, it will at least work in a local network (I tested it several times in mine).

[Craig]
http://www.HaQuarter.De
-----Original Message-----
From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM]On Behalf Of Steven, Bates
Sent: Sunday, February 25, 2001 4:55 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Serv-U 2.5i DoS

Hi,

I think I found another DoS issue in Serv-U 2.5i: I've downloaded the "Fixed" version of Serv-U yesterday. I installed it on one of my PCs and started %windir%\RSRCMTR.EXE to see how many resources are used when I flood it. Then I started to play around with the server:

    Ftp> open server
    Connected to server.
    220 Serv-U FTP-Server v2.5i for WinSock ready...

I coded a little Java application which flooded the server with 0x00 chars, but at least that bug was fixed. So I tried other chars and found out that 0xff was a good choice. The application just sends out 0xff chars in a never ending loop (I added a Counter to see how many chars are needed to block/crash it).

    char nuke=0xff;
    int Counter=0;
    while(true) {
        sout.print(nuke);
        Counter++;
        if(Counter%10000==0) System.out.println(Counter+" 0xff sent");
    }

I started it, and the resources got lower and lower. When about 290000 0xff chars were sent, there was a popup (I am sure every Win9x user saw it once) which said that 90% of the resources were already used, and that some programs should be closed. I tried to click the "OK" button, but the popup did not react. I also noticed that the mouse cursor was moving strangely... I tried to login from another PC:

    Ftp>open Server
    Connected to server.
    Connection closed by remote host.

but as you can see, it did not work - the connection closed after the timeout. Then I stopped the Java application with STRG-C, the resource icon became green, the popup disappeared (it finally noticed that I had clicked on it) and the server was working fine again.

While writing this, I was testing the flooder, but after seeing the popup on the screen, I forgot to stop the flooder. When I finally noticed that, I stopped it - it had already sent about 2,5 Million 0xff chars to the server. I tried to connect to the ftpd, but I couldn't - I was connected and immediately(!) disconnected. I tested it again, but this only works sometimes, I have no idea why. I do not know why the server acts like this, but this issue should really be fixed.

!! THE FLOODER DOES NOT WORK, IF THE SERV-U ICON IS JUST IN THE TRAY, YOU NEED TO SEE THE LOGGING SCREEN !!
!! I was only able to reproduce this behaviour on Win95, on Win98 it did not seem to do anything !!

[Craig]
http://www.HaQuarter.De/