Multiple WFTPD Denial of Service vulnerabilities

• Previous message: Gadi Evron: "laptop security"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: full-disclosure@lists.netsys.com, bugtraq@securityfocus.com
Date: Sat, 28 Feb 2004 21:49:59 +0000

Name of Advisory: Multiple WFTPD Denial of Service vulnerabilities
Severity: Low
Discoverer: axl (rdxaxl@hotmail.com)
Released: Today
Vendor Notified: Today

WFTPD who? what? when?
~~~~~~~~~~~~~~~~~~~~~~
Vendor quote: "WFTPD Server has been a leading FTP server for Windows since
it was released in 1993. Its stability and security have long been relied
on by technology companies, educational institutions, government
departments, individuals and others, to provide a secure FTP site."

Tested versions
~~~~~~~~~~~~~~~
- WFTPD Pro Server 3.21 Release 1 (trial) (latest version)

All tested versions are vulnerable. Other versions may also be vulnerable.

Overview
~~~~~~~~
A remote attacker can allocate arbitrary amounts of memory on the vulnerable
system, and force the WFTPD server process to use 100% of the CPU. Another
DoS vulnerability allows an attacker to send a special string to crash
WFTPD.

Vulnerability details
~~~~~~~~~~~~~~~~~~~~~
The FTP command buffer is default 512 bytes (513 bytes with the terminating
null byte). Whenever the buffer is too small for one FTP command line, WFTPD
will increase the size of the buffer by 512 bytes. If a remote user sends
any bytes other than 0Ah to the server, and never sends a 0Ah byte, the
WFTPD server will allocate more and more memory. It will eventually fail
when it has allocated MaxAvailProgMem/2 bytes (because it needs a new and an
old buffer to copy the old buffer, of approximately the same size, to the
new buffer.)

To allocate all memory on the system, a remote attacker can connect less
than 31 (log2(MaxAvailProgMem <= 2GB)) clients to the FTP. The first
connected client can allocate MaxAvailProgMem/2^1 bytes, the 2nd client can
allocate MaxAvailProgMem/2^2 bytes, and so on. This however, takes a lot of
time mostly because of the 100% CPU utilization. To speed this process up,
the first byte sent to the server should be byte 00h. That way, WFTPD will
only check for 0Ah bytes in a null string which is considerably faster than
scanning a 200MB buffer for a 0Ah byte each time a packet is received.

A variant of the above vulnerability to cause 100% CPU utilization is to
send it a large enough buffer with no 0Ah or 00h bytes, and then
continuously send it small packets with no 0Ah/00h bytes. It will scan
through the whole big buffer each time it receives data looking for a 0Ah
byte, which takes a lot of time. To make it twice as slow only send bytes >=
80h. This will make it scan the buffer twice each time it receives a packet.

Finally, (for WFTPD Pro Server 3.21) a remote attacker who has logged in as
a user with XeroxDocutech option set to 1 ("Servers\ <ftpname>\ Users\
<username>\ XeroxDocutech" :DWORD :1) can overflow a string on the stack
causing the cookie to be overwritten by a 00h byte which will then terminate
WFTPD. The probability for it to succeed is 255/256 = 99.6%. To exploit
this, the attacker must send a MKD or XMKD FTP command to the server,
specifying an argument big enough so that the absolute path when
concatenating the absolute path of current directory with the argument is
exactly 260 characters. Example, if absolute path of current working dir is
"C:\ffttpp1\" (11 chars), the attacker would have to send a MKD/XMKD
argument of length 260-11 = 249 characters. The string used to get the
absolute path of the new directory is 261 characters long (264 if you count
the unused bytes). The vulnerable code is strcat(dst, ".djo"), which when
strlen(dst) = 260, overflows the string and overwrites the first byte of the
cookie with a 00h byte.

Exploit
~~~~~~~
This is so easy to code yourself that I'll let you do it...

_________________________________________________________________
Get fast, reliable access with MSN 9 Dial-up. Click here for Special Offer!
http://click.atdmt.com/AVE/go/onm00200361ave/direct/01/

• Previous message: Gadi Evron: "laptop security"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]