[NT] Multiple WFTPD DoS Vulnerabilities (XeroxDocutech)
From: SecuriTeam (support_at_securiteam.com)
Date: 03/10/04
To: list@securiteam.com Date: 10 Mar 2004 19:15:17 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Multiple WFTPD DoS Vulnerabilities (XeroxDocutech)
------------------------------------------------------------------------
SUMMARY
" <http://www.wftpd.com/> WFTPD Server has been a leading FTP server for
Windows since it was released in 1993. Its stability and security have
long been relied on by technology companies, educational institutions,
government departments, individuals and others, to provide a secure FTP
site."
Due to a problem in handling overly long FTP commands, an attacker can make
the server allocate an unbounded amount of memory while the WFTPD process
consumes 100% of the CPU. A second vulnerability allows an authenticated
attacker to crash the WFTPD server with a specially crafted directory name.
DETAILS
Vulnerable Systems:
* WFTPD Pro Server version 3.21 Release 1 (trial) (latest version)
Immune Systems:
* WFTPD Pro Server version 3.21 Release 2 or newer
WFTPD allocates a 512-byte buffer for an FTP command, not counting the
terminating NUL character. When that buffer is too small to hold the
command, the server grows it by another 512 bytes. If the client never
sends a newline character the server keeps growing the buffer without
limit, which eventually exhausts the server's memory.
Because the server grows the buffer by copying it into a newly allocated
secondary buffer (so the old and new buffers coexist during the copy), a
single client only needs to tie up about half of the physical memory
available on the system. Fewer than 31 clients (log2 of a maximum available
program memory of 2 GB) are enough to complete the DoS: the first client
ties up MaxAvailProgMem/2^1, the second MaxAvailProgMem/2^2 of what
remains, and so on.
However, this takes a long time because the server is already at 100% CPU.
To speed it up, the first byte sent to the server should be 00h. Instead of
scanning a very large buffer for newlines each time more data arrives, the
server then stops at the NUL terminator in the first byte, while still
allocating more space because no newline has been found.
An alternative method is to first send a very large buffer with no newline
and then keep sending small buffers with no newlines. Each time new data
arrives the whole accumulated buffer is rescanned for a newline, which
produces the desired CPU exhaustion. Filling the buffer with non-ASCII
bytes (most significant bit set, 80h and above) makes the server scan the
buffer twice per arrival, slowing it down even more.
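The two reader behaviours above (a 512-byte buffer grown by 512 bytes whenever a command does not fit, with no upper bound, and rescanned from offset 0 on every receive) modelled side by side with a bounded reader. This is an added example written for this page, not WFTPD's source; the in-memory stream type, the MAX_CMD_LEN cap of 4096 and the 20000-byte newline-free flood input are constructed assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the reader behaviour described in the advisory; not WFTPD's code. */
#define CHUNK        512    /* initial command buffer and growth step */
#define MAX_CMD_LEN  4096   /* hypothetical cap used by the hardened reader */

/* Constructed in-memory "socket": the bytes a client would send. */
typedef struct {
    const unsigned char *data;
    size_t len;
    size_t pos;
} stream_t;

/* Hand out up to n bytes, like recv() on a socket. */
static size_t stream_recv(stream_t *s, unsigned char *out, size_t n) {
    size_t avail = s->len - s->pos;
    if (n > avail) n = avail;
    memcpy(out, s->data + s->pos, n);
    s->pos += n;
    return n;
}

typedef struct {
    size_t buf_size;      /* largest command buffer the reader held */
    size_t bytes_scanned; /* total bytes inspected for '\n' (CPU proxy) */
    int    status;        /* 1 = line complete, 0 = client closed, -1 = gave up */
} result_t;

/* Vulnerable pattern: unbounded growth plus a rescan of the whole buffer after
 * every receive. The new buffer is allocated before the old one is freed, which
 * is why one client can pin roughly twice its payload in memory. */
result_t read_command_unbounded(stream_t *s, size_t recv_chunk) {
    result_t r = { CHUNK, 0, 0 };
    unsigned char *buf = malloc(CHUNK);
    size_t used = 0;
    if (!buf) { r.status = -1; return r; }
    for (;;) {
        if (r.buf_size - used < recv_chunk) {
            size_t nsize = r.buf_size;
            while (nsize - used < recv_chunk) nsize += CHUNK;  /* no cap */
            unsigned char *nb = malloc(nsize);
            if (!nb) { free(buf); r.status = -1; return r; }   /* out of memory */
            memcpy(nb, buf, used);      /* old and new buffers coexist here */
            free(buf);
            buf = nb;
            r.buf_size = nsize;
        }
        size_t n = stream_recv(s, buf + used, recv_chunk);
        if (n == 0) break;              /* client closed without a newline */
        used += n;
        r.bytes_scanned += used;        /* rescans from offset 0 every time */
        if (memchr(buf, '\n', used)) { r.status = 1; break; }
    }
    free(buf);
    return r;
}

/* Hardened reader: fixed-size buffer, scan only the bytes just received, and
 * drop the client once MAX_CMD_LEN bytes arrive with no line terminator. */
result_t read_command_bounded(stream_t *s, size_t recv_chunk) {
    result_t r = { MAX_CMD_LEN, 0, 0 };
    unsigned char buf[MAX_CMD_LEN];
    size_t used = 0;
    for (;;) {
        size_t room = MAX_CMD_LEN - used;
        if (room == 0) { r.status = -1; break; }     /* too long: disconnect */
        size_t n = stream_recv(s, buf + used, recv_chunk < room ? recv_chunk : room);
        if (n == 0) break;
        r.bytes_scanned += n;                        /* only the new bytes */
        if (memchr(buf + used, '\n', n)) { r.status = 1; break; }
        used += n;
    }
    return r;
}

static result_t run_on(const unsigned char *data, size_t len, size_t recv_chunk, int bounded) {
    stream_t s = { data, len, 0 };
    return bounded ? read_command_bounded(&s, recv_chunk)
                   : read_command_unbounded(&s, recv_chunk);
}

/* Constructed inputs: a normal command, and a 20000-byte command with no newline. */
result_t demo_legit(int bounded) {
    const char *cmd = "USER anonymous\r\n";
    return run_on((const unsigned char *)cmd, strlen(cmd), 1000, bounded);
}

result_t demo_flood(int bounded) {
    static unsigned char flood[20000];
    memset(flood, 'A', sizeof flood);
    return run_on(flood, sizeof flood, 1000, bounded);
}

int main(void) {
    result_t a = demo_flood(0), b = demo_flood(1);
    printf("unbounded: buffer grew to %zu bytes, scanned %zu bytes, status %d\n",
           a.buf_size, a.bytes_scanned, a.status);
    printf("bounded:   buffer stays %zu bytes, scanned %zu bytes, status %d\n",
           b.buf_size, b.bytes_scanned, b.status);
    return 0;
}
```

With 1000-byte receives, the unbounded reader scans 1000 + 2000 + ... + 20000 bytes for a 20000-byte flood (quadratic in the payload) and keeps growing; the bounded reader inspects each byte once and drops the client at 4096 bytes.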
Finally, another vulnerability can crash WFTPD. A remote attacker who has
logged in as a user with the XeroxDocutech option set to 1
("Servers\ <ftpname>\ Users\ <username>\ XeroxDocutech" :DWORD :1) can
overflow a string on the stack so that the stack cookie is overwritten with
a 00h byte, which terminates WFTPD. To trigger the vulnerability, the user
sends the MKD or XMKD FTP command with an argument such that the absolute
path formed by concatenating the current directory's absolute path with the
argument is exactly 260 characters long (the Windows MAX_PATH limit).
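The off-by-one the previous paragraph describes, modelled as an added C example (not WFTPD's code): a fixed 260-byte path buffer is followed on the stack by the cookie, and a length check that rejects paths longer than 260 but not paths of exactly 260 lets the terminating NUL land one byte past the buffer. The cwd "C:\ftproot\user", the 0xAA cookie byte and the assumption that the original check was `> MAX_PATH` rather than `>= MAX_PATH` are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define WIN_MAX_PATH 260   /* Windows MAX_PATH, the size the advisory implies */
#define COOKIE       0xAA  /* stands in for the low byte of the stack cookie */

/* frame[0..WIN_MAX_PATH-1] is the path buffer; frame[WIN_MAX_PATH] models the
 * byte that follows it on the stack, i.e. the cookie. Returns 1 if the cookie
 * survived, 0 if the NUL terminator overwrote it, -1 if the length check
 * rejected the request. */
int join_path_vuln(const char *cwd, const char *arg) {
    unsigned char frame[WIN_MAX_PATH + 1];
    char *path = (char *)frame;
    size_t clen = strlen(cwd), alen = strlen(arg);
    size_t total = clen + 1 + alen;          /* cwd + '\\' + arg */
    frame[WIN_MAX_PATH] = COOKIE;
    if (total > WIN_MAX_PATH)                /* assumed off-by-one: should be >= */
        return -1;
    memcpy(path, cwd, clen);
    path[clen] = '\\';
    memcpy(path + clen + 1, arg, alen);
    path[total] = '\0';                      /* total == 260 writes frame[260] */
    return frame[WIN_MAX_PATH] == COOKIE;
}

/* Hardened version: reserve room for the terminator and use a bounded write. */
int join_path_fixed(const char *cwd, const char *arg) {
    unsigned char frame[WIN_MAX_PATH + 1];
    char *path = (char *)frame;
    size_t total = strlen(cwd) + 1 + strlen(arg);
    frame[WIN_MAX_PATH] = COOKIE;
    if (total >= WIN_MAX_PATH)               /* path plus NUL must fit */
        return -1;
    snprintf(path, WIN_MAX_PATH, "%s\\%s", cwd, arg);
    return frame[WIN_MAX_PATH] == COOKIE;
}

static const char CWD[] = "C:\\ftproot\\user";   /* constructed cwd, 15 chars */

/* Build an MKD argument so that cwd + '\\' + arg is exactly `want` characters. */
static void make_arg(char *out, size_t want) {
    size_t n = want > strlen(CWD) + 1 ? want - strlen(CWD) - 1 : 0;
    memset(out, 'a', n);
    out[n] = '\0';
}

int demo_vuln_at(size_t total_len) {
    char arg[WIN_MAX_PATH + 2];
    make_arg(arg, total_len);
    return join_path_vuln(CWD, arg);
}

int demo_fixed_at(size_t total_len) {
    char arg[WIN_MAX_PATH + 2];
    make_arg(arg, total_len);
    return join_path_fixed(CWD, arg);
}

int main(void) {
    size_t len;
    for (len = 259; len <= 261; len++)
        printf("path length %zu: vulnerable=%d fixed=%d (1 intact, 0 cookie hit, -1 rejected)\n",
               len, demo_vuln_at(len), demo_fixed_at(len));
    return 0;
}
```

Only the exact length of 260 gets through the vulnerable check and clobbers the cookie with 00h; 259 fits and 261 is rejected, which matches the "exactly 260 characters" trigger.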
ADDITIONAL INFORMATION
The information has been provided by <mailto:rdxaxl@hotmail.com> axl rose.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.