[12974] in bugtraq
Re: Local / Remote D.o.S Attack in War FTP Daemon 1.70
daemon@ATHENA.MIT.EDU (Ussr Labs)
Wed Dec 15 13:36:29 1999
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <NCBBKFKDOLAGKIAPMILPAEHHCBAA.labs@ussrback.com>
Date: Wed, 15 Dec 1999 13:03:43 -0300
Reply-To: Ussr Labs <labs@USSRBACK.COM>
From: Ussr Labs <labs@USSRBACK.COM>
X-To: Tim <yardley@uiuc.edu>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <4.2.1.19991215083255.017f8210@students.uiuc.edu>
yes that is true affect more than war ftp , but no affect many others like
vermillon ftp or serv-u, the d.o.s program, make connections flood, to the
war ftp and the war ftp stop responding, in the moment of program dos is
running and in the moment aftet of the program dos, i test it in our 14
machines of our labs, in some windows systems, win 95, win 98, win nt
WorkStation, win nt server, and in all of this war ftp stop responding. not
like Serv-u, Vermillon ftp, IIS 4.0 , IIS 3.0.
THAT flood affect many Not protected programs.
And yes you need a fast link because each connection send 57 bytes of Random
data.
u n d e r g r o u n d s e c u r i t y s y s t e m s r e s e a r c h
http://www.ussrback.com
-----Original Message-----
From: Tim [mailto:yardley@uiuc.edu]
Sent: Wednesday, December 15, 1999 12:16 PM
To: Ussr Labs
Cc: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: Local / Remote D.o.S Attack in War FTP Daemon 1.70
Vulnerability
Maybe I am missing something, but after looking at the ASM code that ussr
provided, it seems as if they are just doing a standard "connection
flood". I see absolutely nothing significant or specific to WarFTPD
here. The same type of attack would affect any number of FTP servers when
done from a fast enough link. In other words, the good ole' hose + a tiny
fragment of code to actually send a username/pass is all that is needed to
duplicate this.
The only denial of service I see here is a "max connections" problem. This
would be harder to combat if the attack cam from random ip's... but that is
not the case in this instance. So, did I miss something in this case?
/tmy
At 06:41 PM 12/14/1999, Ussr Labs wrote:
>Strange, no body report this problem only you :(, the war ftp deamnon stop
>responding wen reseive lots of incomming connections, the porgram no CRASH
>just only stop responding.
>
>u n d e r g r o u n d s e c u r i t y s y s t e m s r e s e a r c h
>http://www.ussrback.com
>
>
>
>-----Original Message-----
>From: Malartre [mailto:malartre@videotron.ca]
>Sent: Tuesday, December 14, 1999 8:46 PM
>To: Ussr Labs
>Cc: BUGTRAQ@SECURITYFOCUS.COM
>Subject: Re: Local / Remote D.o.S Attack in War FTP Daemon 1.70
>Vulnerability
>
>
>Ussr Labs wrote:
> >
> > Local / Remote D.o.S Attack in War FTP Daemon 1.70 Vulnerability
>
>I am personnaly not able to reproduce this on my computer. I was using
>the program on the same computer that war-ftpd is.
>
>It's a Pentium 200 with win95b, no firewalls, nothing special.
>
>My cable-modem connection was down during the use of the program, but
>this is because I was flooding myself.
>
>After a minute or two, I closed the program and my connection was back
>and War FTP was ok.
>Thank You
>--
>[Malartre][malartre@videotron.ca]
-- Diving into infinity my consciousness expands in inverse
proportion to my distance from singularity
+-------- ------- ------ ----- ---- --- -- ------ --------+
| Tim Yardley (yardley@uiuc.edu)
| http://www.students.uiuc.edu/~yardley/
+-------- ------- ------ ----- ---- --- -- ------ --------+