Date: Thu, 3 May 2001 22:37:37 -0800
From: [email protected]
To: [email protected]
Subject: Potential DOS Vulnerability in WFTPD
Potential DOS Vulnerability in WFTPD
Overview
WFTPD v3.00R5 is an FTP server available from http://www.wftpd.com
and http://www.download.com. A potential denial-of-service
vulnerability exists which allows a remote attacker to hang the server.
Details
When a user attempts to change the current directory, the server first
queries the directory, then determines if the operation should be
allowed. This implementation exposes the server to a DOS attack if
a malicious attacker continuously tries to change the current directory
to the server's floppy drive.
The following is an illustration of the problem:
> ftp localhost
Connected to xxxxxxxxxx.rh.rit.edu.
220-This FTP site is running a copy of WFTPD that is NOT REGISTERED
..
.. <registration nag header is edited out >
..
220 WFTPD 3.0 service (by Texas Imperial Software) ready for new user
User (xxxxxxxxxx.rh.rit.edu:(none)): jdog
331 Give me your password, please
Password:
230 Logged in successfully
ftp> cd a:/
501 User is not allowed to change to a:/ - returning to /.
ftp>
The server correctly denies the action, but queries the A:\ drive
anyway. A DOS can be achieved by repeating the 'cd a:/' command
continuously. This problem will have varying effects, depending on
your system configuration.
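
The check ordering that avoids this behavior, as an added example that is not part of the original advisory and is not WFTPD's code: the requested path is resolved against the user's virtual root with string operations only, and the disk is queried only after the request is allowed. The names FtpSession, resolve_virtual and CwdDenied, the root C:\ftproot and the 250/550 reply wording are assumptions made for illustration.

```python
class CwdDenied(Exception):
    """The requested path leaves the user's virtual root."""

def resolve_virtual(cwd, requested):
    """Resolve an FTP path against the virtual cwd with string operations only."""
    path = requested.replace("\\", "/")
    if not path.startswith("/"):
        path = cwd.rstrip("/") + "/" + path
    parts = []
    for part in path.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if not parts:
                raise CwdDenied(requested)   # would climb above the virtual root
            parts.pop()
        elif ":" in part:
            raise CwdDenied(requested)       # drive letter such as a:
        else:
            parts.append(part)
    return "/" + "/".join(parts)

class FtpSession:
    def __init__(self, root, probe):
        self.root = root      # constructed example root, e.g. C:\ftproot
        self.cwd = "/"
        self.probe = probe    # the only callable allowed to touch the disk

    def cwd_command(self, requested):
        try:
            virtual = resolve_virtual(self.cwd, requested)
        except CwdDenied:
            # Denied before any drive is queried.
            return "501 User is not allowed to change to %s" % requested
        if not self.probe(self.root + virtual.replace("/", "\\")):
            return "550 %s: no such directory" % requested
        self.cwd = virtual
        return "250 CWD command successful"

def demo():
    probed = []
    def fake_probe(path):     # stands in for os.path.isdir; records disk touches
        probed.append(path)
        return path == "C:\\ftproot\\pub"
    session = FtpSession("C:\\ftproot", fake_probe)
    replies = [session.cwd_command(p) for p in ("a:/", "../..", "pub", "a:/")]
    return replies, probed

if __name__ == "__main__":
    print(demo())
```

In demo(), the two 'a:/' requests and the '../..' request are refused without the probe ever being called; only the allowed 'pub' request reaches the disk.
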
An exploit written in Perl is available at:
http://hogs.rit.edu/~joet/code/floppy_hell.pl
Solution
Disable your floppy drive in your system BIOS if your system configuration
is vulnerable.
Vendor Status
Texas Imperial Software was contacted via <[email protected]> and
<[email protected]> on Wednesday, April 25, 2001. Alun Jones, the program
author, verified the behavior and plans on releasing a fix in the v3.1
branch.
- Joe Testa
e-mail: [email protected]
web page: http://hogs.rit.edu/~joet
AIM: LordSpankatron
This message has been signed with a Hush Digital Signature.