SunFTP vulnerable to two Denial-of-Service attacks (long buffer, half-open)

----------------------------------------------------------------------------







SUMMARY



 <http://xs4all.dk/sunftp/> SunFTP is a small FTP server written in

Delphi. This product contains a few vulnerabilities in its socket module.

First, it is possible to cause it to overflow its receiving buffer.

Second, SunFTP can be crashed remotely by disconnecting the session

without sending a complete command.



DETAILS



Vulnerable systems:

SunFTP Build: 9(1)



Buffer overflow problem:

To test for this vulnerability, connect to the server and send a buffer of

2100 characters.



(Cmd: perl -e "print \"GET @{['x'x2100]} HTTP/1.0\n\n\""|nc 127.1 80



The server crashes, and this enables attackers to launch a Denial of

Service attack against the product.



Half-open DoS:

To test for this vulnerability, connect to the server with a non-FTP

program (for example, telnet). Now disconnected immediately (or after

sending a buffer), but make sure you don't send a newline ('\r\n'). The

server will crash almost immediately.



Workaround / Solution:

Since this is a discontinued project, and the author has not responded to

our email, we suggest switching to another FTP Server.



Detection:

It is possible to detect a vulnerable SunFTP server by looking for the

following FTP banner:

220 hostname FTP Server (SunFTP b9) ready on port 21.





ADDITIONAL INFORMATION



The security hole was discovered by Beyond Security's SecuriTeam

(expert@securiteam.com).





====================



DISCLAIMER:

The information in this bulletin is provided "AS IS" without warranty of any

kind.

In no event shall we be liable for any damages whatsoever including direct,

indirect, incidental, consequential, loss of business profits or special

damages.

====================







--

Aviram Jenik

Beyond Security Ltd.

http://www.BeyondSecurity.com

http://www.SecuriTeam.com