Multiple win32 servers vulnerable to DoS (OS matter)

From: ByteRage (byterageat_private)
Date: Tue Jul 31 2001 - 07:54:56 PDT


    Multiple win32 servers vulnerable to DoS (OS matter)
    
    AFFECTED SYSTEMS
    
    Windows 98 (first edition) *with* CON\CON kernel patch
    by Microsoft.
    Although this is an OS matter, here are some affected
    ftp server programs I have found:
    
    BisonFTP V4R1
    Broker FTP Server 5.9.5.0
    G6 FTP Server v2.15 (AKA BulletProof FTP Server)
    GuildFTPD 0.922
    SurgeFTP 2.0f
    WarFTPD 1.71
    WFTPD 3.00 R5
    ...
    
    The AUX read bug has already been discussed by
    neme-dhc for Xitami webserver & Small http server and
    there may also be other advisories out there, but most
    of them seem to regard these bugs as originating from
    the server software, which is not the case.
    
    IMMUNE SYSTEMS
    
    ArGoSoft FTP Server 1.2.2.2
    Serv-U FTP Server version 3.0
    ...
    
    DESCRIPTION
    
    On the tested win98 system, when programs accessed the
    AUX device for reading, CPU usage increased to 100%,
    and in most cases the computer would completely
    freeze.
    
    Sometimes server software had filtering to prevent
    'downloading' (GET) the AUX device, but
    this filtering can easily be circumvented by referring
    to the device as AUX. (with a trailing dot, or maybe
    appending an extension like AUX.FOO or by randomly
    appending dots & spaces (AUX. . .. ... .. .)).
    
    Serv-U FTP version 3.0 & ArGoSoft FTP Server 1.2.2.2
    were the only server programs that were immune to
    attack even with the trickery, so they must be
    filtering out devices using API calls, which is a good
    idea from a security standpoint.
    
    -=-=-=-
    
    Another issue, which has already been discussed by
    3APA3A for win32 archivers, is the accessibility of
    devices under win32 platforms. This can also be
    demonstrated on FTP server software:
    
    PUT C:\AUTOEXEC.BAT PRN.F00
    
    prints out your autoexec.bat on the remote machine's
    printer (mostly you'll need FTP write access) (you
    might want to append a Form Feed character (0Ch) to
    the file, otherwise some printers won't start).
    Sometimes you can also read small bits & pieces of
    memory by downloading $MMXXXX0 & EMMXXXX0.
    
    ====================================================
    [ByteRage] byterageat_private [www.byterage.cjb.net]
    ====================================================
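The post makes two points that a file-name filter has to get right: Win32 resolves CON, PRN, AUX and similar names to devices in any directory, and it ignores an extension, trailing dots and trailing spaces when doing so, which is why "AUX.", "AUX.FOO", "AUX. . .. ... .. ." and the "PRN.F00" upload target all get past a filter that only compares the bare name. The following Python is an added example, not code from the post or from any of the servers listed; it places the weak exact-match filter beside a check that normalises the name the way Win32 does before comparing it against the DOS device list. The sample names are constructed test inputs. A name list like this is the minimum: it does not know the Windows 9x VxD device names the post mentions ($MMXXXX0, EMMXXXX0), which is why the post's observation that the immune servers filter through OS calls rather than string matching still applies.

```python
"""Reserved DOS device name check (added example, not from the original post).

Win32 maps CON, PRN, AUX, NUL, COM1-9 and LPT1-9 to devices in every
directory, and it ignores an extension, trailing dots and trailing spaces
when doing so.  A filter that compares the raw name against the list is
bypassed exactly as the post describes ("AUX.", "AUX.FOO", "PRN.F00").
"""
import re

# DOS device names that Win32 resolves regardless of directory.
RESERVED_DEVICE_NAMES = frozenset(
    ["CON", "PRN", "AUX", "NUL"]
    + [f"COM{i}" for i in range(1, 10)]
    + [f"LPT{i}" for i in range(1, 10)]
)


def naive_is_reserved(name: str) -> bool:
    """The weak filter: exact, case-insensitive match only.
    'AUX.' and 'AUX.FOO' are not in the list, so they pass."""
    return name.upper() in RESERVED_DEVICE_NAMES


def is_reserved_device_name(path: str) -> bool:
    """Return True if the final component of `path` would be resolved by
    Win32 as a DOS device.  Mirrors the OS's own normalisation:
      1. look only at the last path component (either separator);
      2. drop trailing dots and spaces, which Win32 strips from names;
      3. keep the text before the first '.' or ':' (an extension or stream
         suffix does not stop the device mapping);
      4. trim spaces left before that extension, compare case-insensitively.
    """
    component = re.split(r"[\\/]", path)[-1]
    component = component.rstrip(". ")
    base = re.split(r"[.:]", component, maxsplit=1)[0].rstrip(" ")
    return base.upper() in RESERVED_DEVICE_NAMES


def safe_filename_or_none(path: str):
    """Policy helper for an upload/download handler: reject device names,
    otherwise return the normalised final component the server may use."""
    if is_reserved_device_name(path):
        return None
    return re.split(r"[\\/]", path)[-1].rstrip(". ")


if __name__ == "__main__":
    # Constructed sample requests, including the bypass spellings from the post.
    samples = ["AUX", "AUX.", "AUX.FOO", "AUX. . .. ... .. .", "PRN.F00",
               "pub/aux.txt", "AUXILIARY.TXT", "readme.txt", "COM10", "LPT1.DAT"]
    for name in samples:
        print(f"{name!r:24} naive={naive_is_reserved(name)!s:5} "
              f"hardened={is_reserved_device_name(name)}")
```

Note that "COM10" and "AUXILIARY.TXT" are correctly left alone: only the exact base names COM1 to COM9, LPT1 to LPT9, CON, PRN, AUX and NUL are devices, so the check must not degrade into a prefix match.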
    
    


