From: SecuriTeam <support@securiteam.com>
To: [email protected]
Date: 11 Apr 2005 16:46:41 +0200
Subject: [NT] SurgeFTP DoS Vulnerability (LEAK Command)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20050411135622.EFA72573F@mail.tyumen.ru>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
SurgeFTP DoS Vulnerability (LEAK Command)
------------------------------------------------------------------------
SUMMARY
SurgeFTP (http://netwinsite.com/surgeftp/) is an FTP server with SSL/TLS
security, easy management and cross-platform support. It is available for
Windows, Solaris and Linux. A denial-of-service vulnerability was found in
SurgeFTP which may be exploited to crash the server or to prevent it from
correctly serving files, by sending the non-standard FTP command LEAK.
DETAILS
Vulnerable Systems:
* SurgeFTP version 2.2m1
* SurgeFTP version 2.2k3
Immune Systems:
* SurgeFTP version 2.2m2
SurgeFTP responds to a non-standard FTP command: LEAK. It seems that
this command may have been intended to test the server's response to
file handle leakage.
Upon receiving the LEAK command, SurgeFTP will call the cmd_leak()
function. cmd_leak() will in turn call the mgr_cmd_openmore() function.
mgr_cmd_openmore() will open the file "a.a_write" 925 times (0x39D, the
loop bound visible in the dump below) without ever closing it, thus
potentially causing the process to run out of file handles.
Debugger Dump:
00431A58 MOV DWORD PTR SS:[EBP-8],0
00431A5F JMP SHORT SurgeFTP.00431A6A
00431A61 MOV EAX,DWORD PTR SS:[EBP-8]
00431A64 ADD EAX,1
00431A67 MOV DWORD PTR SS:[EBP-8],EAX
00431A6A CMP DWORD PTR SS:[EBP-8],39D
00431A71 JGE SHORT SurgeFTP.00431A94
00431A73 PUSH 503
00431A78 PUSH SurgeFTP.00552284
00431A7D PUSH SurgeFTP.005522AC
00431A82 PUSH SurgeFTP.005522B0 ; ASCII "a.a_write"
00431A87 CALL SurgeFTP._dfopen
00431A8C ADD ESP,10
00431A8F MOV DWORD PTR SS:[EBP-4],EAX
00431A92 JMP SHORT SurgeFTP.00431A61
00431A94 MOV EAX,1
Subsequently, the main thread will call the detect_imobilizing_bug()
function. This function will try to open 9 test files, i.e. testfile.0,
testfile.1, ..., testfile.9. If the LEAK command has been issued before,
this function will be unable to open any of the 9 test files. This causes
the following code branch to be taken. After logging the warning, the final
instruction shown (MOV DWORD PTR DS:0,0, a store to address 0) will be
executed, causing a write exception.
00412849 CALL SurgeFTP.__errno
0041284E MOV EDX,DWORD PTR DS:[EAX]
00412850 PUSH EDX
00412851 CALL SurgeFTP._strerror
00412856 ADD ESP,4
00412859 PUSH EAX
0041285A PUSH SurgeFTP.0051BB58 ; ASCII "warning file handles almost exceeded - time to restart. %s %d"
0041285F CALL SurgeFTP._emsg
00412864 ADD ESP,0C
00412867 CALL SurgeFTP._hcount_report
0041286C CALL SurgeFTP._dfopen_exit
00412871 MOV DWORD PTR DS:0, 0
The LEAK command can be sent prior to authentication, i.e. immediately
after connecting to the FTP server. On a Win2K system, this will cause
SurgeFTP to stop accepting any connections until the service is
automatically restarted by the Service Control Manager. On a WinXP system,
SurgeFTP will continue to accept FTP connections, but will be unable to
send or receive any files. Logging of FTP commands to cmds.log will also
fail until the server is automatically restarted.
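The handle leak and the probe that follows it, as a constructed C model added here (it is not SurgeFTP's code or the advisory's): it opens a readable probe path such as /dev/null instead of a.a_write, assumes a POSIX system with setrlimit() so exhaustion can be reproduced at a low limit, and shows the two things the product's code path lacked, closing what the loop opened and reporting exhaustion as a return value instead of faulting.

```c
#include <stdio.h>
#include <sys/resource.h>

/* Constructed model of the advisory's two code paths, not SurgeFTP's code. Opens are
 * read-only on a readable probe path; the product opened a.a_write and testfile.N for writing. */
#define LEAK_COUNT 925   /* 0x39D iterations in the cmd_leak() dump */
#define TEST_FILES 9     /* probes attempted by detect_imobilizing_bug() */
static FILE *g_handles[LEAK_COUNT];
static int g_open_count;

/* Lower the soft open-file limit (clamped to the hard limit) so exhaustion is
 * reproducible without 925 real files; returns the previous soft limit, or -1. */
long set_handle_limit(long n) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0) return -1;
    long prev = (long)rl.rlim_cur;
    rl.rlim_cur = (rlim_t)n < rl.rlim_max ? (rlim_t)n : rl.rlim_max;
    return setrlimit(RLIMIT_NOFILE, &rl) == 0 ? prev : -1;
}

/* LEAK as in the dump: open the same file 925 times and never close it. The real loop
 * overwrote one stack slot per iteration, so every handle was lost; they are kept here
 * only so release_handles() can clean up. Returns how many opens succeeded. */
int leak_handles(const char *path) {
    g_open_count = 0;
    for (int i = 0; i < LEAK_COUNT; i++) {
        FILE *fp = fopen(path, "r");
        if (fp == NULL) break;              /* EMFILE: handle table exhausted */
        g_handles[g_open_count++] = fp;
    }
    return g_open_count;
}

/* The close the leaky loop is missing. */
void release_handles(void) { while (g_open_count > 0) fclose(g_handles[--g_open_count]); }

/* Hardened probe: report exhaustion as a value (0 healthy, -1 exhausted, errno set) so the
 * caller can log and refuse new work. The product's version logged its warning and then
 * executed MOV DWORD PTR DS:0,0, a write to address 0 that took the whole server down. */
int probe_handles(const char *path) {
    for (int i = 0; i < TEST_FILES; i++) {
        FILE *fp = fopen(path, "r");
        if (fp == NULL) return -1;
        fclose(fp);
    }
    return 0;
}
```

With the soft limit lowered to a few dozen descriptors, leak_handles() stops well short of 925, probe_handles() reports -1 until release_handles() runs, and then reports 0 again.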
Vendor Status:
The vendor has released a fixed version, 2.2m2, which can be downloaded
from http://netwinsite.com/surgeftp/.
Disclosure Timeline:
03 Apr 05 - Vulnerability Discovered
05 Apr 05 - Initial Vendor Notification
06 Apr 05 - Vendor Released Fixed Version
07 Apr 05 - Public Release
ADDITIONAL INFORMATION
The information has been provided by Chew Keong TAN
<chewkeong@security.org.sg>.
The original article can be found at:
http://www.security.org.sg/vuln/surgeftp22m1.html