[NT] Pablo FTP Server DoS Vulnerability (%n)

From: support@securiteam.com
To: list@securiteam.com
Date: 5 Nov 2002 11:56:56 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Pablo FTP Server DoS Vulnerability (%n)
------------------------------------------------------------------------

SUMMARY

Pablo Software Solutions' FTP Server
(http://www.pablovandermeer.nl/ftp_server.html) is a multi-threaded FTP
server for Windows 98, NT 4.0, 2000 and XP. A format string vulnerability in
the product allows remote, unauthenticated attackers to crash the server;
code execution cannot be ruled out.

DETAILS

Vulnerable systems:
 * Pablo FTP Server 1.5 and prior (1.3 and 1.5 confirmed; 1.2 reportedly
   affected as well)

The server passes user-supplied input (the username given to the USER
command) to a printf-style function as the format string rather than as
data. Conversion specifiers in the input are therefore interpreted: '%x'
reads values off the stack, and '%n' writes through a pointer taken from the
stack, which crashes the process. Because '%n' is a memory write, code
execution is also a possibility. The denial of service condition is
triggered by attempting to log in to the target FTP server with the
username '%n'.
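The pattern behind the bug, as an added example that is not Pablo's code
(the server's source is not public): a logging routine that uses the
username as the format string, beside the corrected routine that passes it
as data. The "USER %s" log layout and the four stack stand-in values are
assumptions made so the demo stays within defined behaviour; in the real
server the specifiers consume whatever happens to be on the stack.

```c
#include <stdio.h>
#include <string.h>

#define LOGSZ 128

/* Stand-ins for whatever the real server happens to have on its stack when
 * the logging call is made. Passing them explicitly keeps this demo within
 * defined behaviour; in the server, %x simply reads whatever is there. */
#define STACK0 0x41414141u
#define STACK1 0x42424242u
#define STACK2 0x43434343u
#define STACK3 0x44444444u

/* VULNERABLE pattern: the username is used as the format string. A
 * "%x%x%x%x" login makes it print stack words; a "%n" login makes it
 * write through whatever the next stack word is, which is the crash. */
static void log_user_vulnerable(char *out, size_t outsz, const char *user)
{
    char rendered[LOGSZ];
    snprintf(rendered, sizeof rendered, user, STACK0, STACK1, STACK2, STACK3);
    snprintf(out, outsz, "USER %s", rendered);
}

/* FIXED pattern: the username is an argument to a fixed format string, so
 * any '%' in it is copied through as data and never interpreted. */
static void log_user_fixed(char *out, size_t outsz, const char *user)
{
    snprintf(out, outsz, "USER %s", user);
}

/* The advisory's susceptibility check, applied to a logger: feed it the
 * "%x%x%x%x" probe and see whether the logged name is still the literal
 * probe. Returns 1 if the format was interpreted (vulnerable), else 0. */
static int logger_interprets_format(void (*logger)(char *, size_t, const char *))
{
    char out[LOGSZ];
    logger(out, sizeof out, "%x%x%x%x");
    return strcmp(out, "USER %x%x%x%x") != 0;
}

/* The %n write primitive in isolation. %n stores the number of bytes
 * produced so far through the next pointer argument. Here that pointer is
 * supplied on purpose so the write lands somewhere valid; in the server it
 * is an arbitrary stack word, hence the crash. Returns the value written. */
static int n_write_demo(void)
{
    int hit = -1;
    char rendered[LOGSZ];
    const char *user = "abcd%n";   /* constructed attacker input */
    snprintf(rendered, sizeof rendered, user, &hit);
    return hit;                    /* 4: "abcd" was emitted before %n */
}

int main(void)
{
    char out[LOGSZ];
    log_user_vulnerable(out, sizeof out, "%x%x%x%x");
    printf("vulnerable logger: %s\n", out);
    log_user_fixed(out, sizeof out, "%x%x%x%x");
    printf("fixed logger:      %s\n", out);
    printf("%%n wrote %d through the supplied pointer\n", n_write_demo());
    return 0;
}
```

The vulnerable logger renders the probe as the hex of the four stack
stand-ins, exactly the shape of the log entries in the Detection section
below; the fixed logger records "USER %x%x%x%x" verbatim. The fix is the
only change a vendor needs: never let attacker bytes reach the format
argument.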

Analysis:
Successful exploitation crashes the FTP server, so the files and services it
normally provides are unavailable until it is restarted, and it can be
crashed again as soon as it comes back. No public exploit for code execution
exists at the time of writing, but the '%n' memory write makes arbitrary
code execution possible in principle.

Detection:
Pablo FTP Server 1.3 and 1.5 running on Windows 2000 were confirmed
vulnerable; version 1.2 is reportedly vulnerable as well. To test a server,
connect to it and send a username of "%x%x%x%x". The server is vulnerable if
its log shows the specifiers expanded to hexadecimal values instead of the
literal string, for example:

[1064] 530 Please login with USER and PASS
[1064] USER f7db018409be31
[1064] 331 Password required for 247db018409be32

The values that appear in place of the username are read from the server's
stack, so they differ from system to system and from call to call, as the
two log lines above show.

Workaround:
Until the fix is applied, place a filtering proxy in front of the server and
reject commands whose arguments contain format specifiers ('%' followed by a
conversion character).
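The susceptibility check from the Detection section and the proxy rule from
the Workaround, as an added example that is not part of the advisory or the
vendor's code. The "331 Password required for " reply prefix is taken from
the log excerpt above; that a server which treats the name as data echoes
the probe verbatim is an assumption, and the replies and command lines in
main() are constructed test data.

```c
#include <stdio.h>
#include <string.h>

#define PROBE_USER "%x%x%x%x"
#define REPLY_331  "331 Password required for "

/* Does a command argument contain a printf conversion specifier? "%%" is a
 * literal percent and is allowed; any other '%' (including a trailing one)
 * is refused, so the proxy fails closed rather than guessing. */
static int has_format_spec(const char *arg)
{
    for (const char *p = strchr(arg, '%'); p; p = strchr(p + 1, '%')) {
        if (p[1] == '%') {
            p++;            /* skip the escaped pair */
            continue;
        }
        return 1;
    }
    return 0;
}

/* Proxy rule: forward an FTP command line only if its argument (everything
 * after the first space) carries no specifier. Commands with no argument
 * are always forwarded. */
static int proxy_allows(const char *cmdline)
{
    const char *arg = strchr(cmdline, ' ');
    return arg == NULL || !has_format_spec(arg + 1);
}

/* Susceptibility check, applied to the 331 reply the server returns for
 * USER "%x%x%x%x". A server that treats the name as data echoes the probe
 * verbatim; a vulnerable one echoes what the specifiers expanded to.
 * Returns 1 = vulnerable, 0 = not vulnerable, -1 = not a 331 reply. */
static int reply_shows_vulnerable(const char *reply)
{
    size_t plen = strlen(REPLY_331);
    if (strncmp(reply, REPLY_331, plen) != 0)
        return -1;
    const char *echoed = reply + plen;
    size_t n = strcspn(echoed, "\r\n");
    return !(n == strlen(PROBE_USER) && memcmp(echoed, PROBE_USER, n) == 0);
}

int main(void)
{
    /* Constructed replies; the first mirrors the advisory's log excerpt. */
    const char *replies[] = {
        "331 Password required for 247db018409be32\r\n",
        "331 Password required for %x%x%x%x\r\n",
        "530 Please login with USER and PASS\r\n",
    };
    for (size_t i = 0; i < 3; i++)
        printf("reply %zu -> %d\n", i, reply_shows_vulnerable(replies[i]));

    /* Constructed command lines as a filtering proxy would see them. */
    const char *cmds[] = { "USER %n", "USER anonymous", "PASS 100%%done",
                           "QUIT", "CWD %s%s%s" };
    for (size_t i = 0; i < 5; i++)
        printf("%-16s %s\n", cmds[i], proxy_allows(cmds[i]) ? "forward" : "reject");
    return 0;
}
```

The reply check returns -1 rather than 0 on anything other than a 331 so a
banner or a 530 is reported as inconclusive, not as "safe". The proxy rule
rejects any unescaped '%', not just '%n', because '%x' leaks stack contents
and '%s' can crash the server by dereferencing a stack word as a pointer.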

Vendor fix:
Version 1.51, which fixes the problem, is available at:
http://www.pablovandermeer.nl/ftpserver.zip

Disclosure timeline:
10/15/2002 Issue disclosed to iDEFENSE
10/31/2002 Author notified
10/31/2002 iDEFENSE clients notified
11/01/2002 Response received from pablovandermeer@kabelfoon.nl
11/04/2002 Coordinated public disclosure

ADDITIONAL INFORMATION

The original advisory can be downloaded from:
http://www.idefense.com/advisory/11.04.02a.txt

The information has been provided by David Endler of iDEFENSE
(dendler@idefense.com); the vulnerability was discovered by Texonet.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


