yes that is true affect more than war ftp , but no affect many others like vermillon ftp or serv-u, the d.o.s program, make connections flood, to the war ftp and the war ftp stop responding, in the moment of program dos is running and in the moment aftet of the program dos, i test it in our 14 machines of our labs, in some windows systems, win 95, win 98, win nt WorkStation, win nt server, and in all of this war ftp stop responding. not like Serv-u, Vermillon ftp, IIS 4.0 , IIS 3.0. THAT flood affect many Not protected programs. And yes you need a fast link because each connection send 57 bytes of Random data. u n d e r g r o u n d s e c u r i t y s y s t e m s r e s e a r c h http://www.ussrback.com -----Original Message----- From: Tim [mailto:yardleyat_private] Sent: Wednesday, December 15, 1999 12:16 PM To: Ussr Labs Cc: BUGTRAQat_private Subject: Re: Local / Remote D.o.S Attack in War FTP Daemon 1.70 Vulnerability Maybe I am missing something, but after looking at the ASM code that ussr provided, it seems as if they are just doing a standard "connection flood". I see absolutely nothing significant or specific to WarFTPD here. The same type of attack would affect any number of FTP servers when done from a fast enough link. In other words, the good ole' hose + a tiny fragment of code to actually send a username/pass is all that is needed to duplicate this. The only denial of service I see here is a "max connections" problem. This would be harder to combat if the attack cam from random ip's... but that is not the case in this instance. So, did I miss something in this case? /tmy At 06:41 PM 12/14/1999, Ussr Labs wrote: >Strange, no body report this problem only you :(, the war ftp deamnon stop >responding wen reseive lots of incomming connections, the porgram no CRASH >just only stop responding. > >u n d e r g r o u n d s e c u r i t y s y s t e m s r e s e a r c h >http://www.ussrback.com > > > >-----Original Message----- >From: Malartre [mailto:malartreat_private] >Sent: Tuesday, December 14, 1999 8:46 PM >To: Ussr Labs >Cc: BUGTRAQat_private >Subject: Re: Local / Remote D.o.S Attack in War FTP Daemon 1.70 >Vulnerability > > >Ussr Labs wrote: > > > > Local / Remote D.o.S Attack in War FTP Daemon 1.70 Vulnerability > >I am personnaly not able to reproduce this on my computer. I was using >the program on the same computer that war-ftpd is. > >It's a Pentium 200 with win95b, no firewalls, nothing special. > >My cable-modem connection was down during the use of the program, but >this is because I was flooding myself. > >After a minute or two, I closed the program and my connection was back >and War FTP was ok. >Thank You >-- >[Malartre][malartreat_private] -- Diving into infinity my consciousness expands in inverse proportion to my distance from singularity +-------- ------- ------ ----- ---- --- -- ------ --------+ | Tim Yardley (yardleyat_private) | http://www.students.uiuc.edu/~yardley/ +-------- ------- ------ ----- ---- --- -- ------ --------+
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:21:09 PDT