Date: Wed, 6 Nov 2002 13:47:10 -0000
From: [secondmotion]-Matt Thompson <[email protected]>
To: [email protected]Subject: RhinoSoft Serv-U FTP Anonymous Remote DoS Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
secondmotion-SM-SA-02-03 Security Advisory
Topic: RhinoSoft Serv-U FTP Anonymous Remote DoS Vulnerability
Announced: 2002-06-11
Updated: 2002-06-11
Tested on: Serv-U FTP 4.0.0.4 and earler
Not affected: Serv-U FTP 4.1
Obsoletes: /
http://www.secondmotion.com
This advisory is based on trial and error results both locally over
a standard LAN FTP, and remote Internet FTP configurations. This
vulnerability was reproduced remotely at Cat-Soft with the permission
of Rob Beckers. This document is subject to change without prior
notice.
The software developers and software vendors were informed of this
vulnerability on 17 September 2002.
If anyone reading this is aware of any further information relating
to this vulnerability, please contact the authors below or report
via BugTraq.
I. Background
While working on a new security product to detect bugs in
software, we considered that some FTP servers may work as
fast as possible to clear the buffer in Windows sockets.
Looking into this further in conjunction with our application
we realised it may be possible to cause a Denial of Service
(DoS) against certain FTP server products.
II. Problem Description
By connecting to the Serv-U FTP server as a anonymous user or
a local user then its possible to issue MKD commands.
Looping a MKD command to Serv-U it will cause the application
to stop accepting connections. Although this may be likened
to a normal DoS attack by sending mass amounts of data to the server
this vulnerability can be launched over a 56k connection, and
therefore should not be categorised as a straight DoS weakness.
The fault is caused due to Serv-U having no flood protection
against commands itself, only hammer attacks. MKD is used as it
forces Serv-u to check the user has access to the folder,
which causes it to stop processing requests.
III. Impact:
Version 4.04 and earler are affected by this vulnerability.
Many home users/businesses use Serv-u FTP since it has a simple
GUI and also has many easy-to-use features. Using this
vulnerability,
it is possible to remotely shutdown FTP servers operating this
server application.
IV. Solution
As of November 01, 2002 Rhinosoft/Cat-Soft have release version 4.1
which is patched against this vulnerability. We recommend all
users upgrade to Version 4.1 of Serv-U immediately.
http://www.serv-u.com/download.htm
V. Credits
[email protected] - Matt Thompson [Proof of Concept]
[email protected] - Paul Smurthwaite
Rob Beckers - Cat-Soft [for working with us on this]
VI. Source code
A Proof of Concept tool can be provided at short notice on request.
- -ends-
Matt Thompson
- ----
DISCLAIMER & INFORMATION: This e-mail may contain proprietary
information, some or all of which may be legally privileged. It is
for the intended recipient only. If an addressing or transmission
error has misdirected this e-mail, please notify the author by
replying to this e-mail. If you are not the intended recipient you
must NOT use, disclose, distribute, copy, print, or rely on this
e-mail.
Any and all file attachments to this message are scanned at source
for viruses. This organisation has a strict policy on the
transmission of viruses and will not accept ANY excuse for the
receipt of viruses here, as a result of which, any message found to
contain viruses will be deleted at this mail server WITHOUT being
read. Persistent offenders will be banned from sending email to this
domain.
All messages sent from this domain and its specific accounts are
digitally signed using our public PGP keys. This is your guarantee
that the email you have received actually originated from our domain.
More information on PGP can be found at http://www.pgp.com
- ----
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>;
iQA/AwUBPckdXhqqCKK1Qd1fEQJSnwCgrr4Y32lXQCeXo1SbnFR2hsF9TbEAoIwP
p+bGb34fPVVxmpoM4dzvDPvT
=2KxE
-----END PGP SIGNATURE-----
