Bugtraq mailing list archives
Statement: Local / Remote D.o.S Attack in War FTP Daemon 1.70
From: jgaa () JGAA COM (Jarle Aase)
Date: Fri, 17 Dec 1999 04:01:14 +0100
War FTP Daemon 1.70 is beta software, and will be replaced with a new major version early next year. The development on the 1.70 source tree has stopped, and no new versions of 1.7* are planned, unless some serious security problems are reported.

The Remote D.o.S Attack does stall the server. There is however no indication of any buffer-overflow problems or other security-related problems.

The attack is logged to the server-log if the default log options are enabled. An attack of this type may look like this in the server log:

I 12/17/99 02:19:43 FTPD:test21:0001 (User=18446744073709551615 ) [WarFTPD::OnAccept()] Client (193.91.161.151:4496->193.91.161.20:21) is connected to the FTP server.
I 12/17/99 02:19:43 FTPD:test21:0002 (User=18446744073709551615 ) [WarFTPD::OnAccept()] Client (193.91.161.151:4497->193.91.161.20:21) is connected to the FTP server.
I 12/17/99 02:19:43 FTPD:test21:0003 (User=18446744073709551615 ) [WarFTPD::OnAccept()] Client (193.91.161.151:4498->193.91.161.20:21) is connected to the FTP server.
...

A large number of connections from a single IP address at the same time indicate an attack.

If logging of debug messages is enabled, the log will also show something like this:

D 12/17/99 02:19:48 FTPD:test21:000e (User=18446744073709551615 ) [WarFTPDControlSck::OnCommand()] Got command ".blsJw{aP.q"
D 12/17/99 02:19:48 FTPD:test21:000e (User=18446744073709551615 ) [WarFTPDControlSck::OnCommand()] Got command "}DGqDYH"
D 12/17/99 02:19:48 FTPD:test21:000e (User=18446744073709551615 ) [WarFTPDControlSck::OnCommand()] Got command "05(N^ mPӒ¹à Ìáø2Qc|"

War FTP Daemon 3.0 will have three levels of protection for this and similar attacks:

- 1) Dynamic interaction with firewall software to lock out flooders
- 2) Fast accept(); close(); cycles when connections are made too fast
- 3) Traffic analysis and temporary lock-outs for hosts that make too many connection attempts (hammering protection).

Jarle
-
Jarle Aase    Author of freeware.
For support/suggestions: alt.comp.jgaa (newsgroup)
For information: info () mail jgaa com (email, auto-responder)
Private Email: jgaa () mail jgaa com
WWW: http://www.jgaa.com/
<no need to argue - just kill'em all!>
-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM]On Behalf Of Ussr Labs
Sent: Tuesday, December 14, 1999 7:57 AM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Local / Remote D.o.S Attack in War FTP Daemon 1.70 Vulnerability

Local / Remote D.o.S Attack in War FTP Daemon 1.70 Vulnerability

PROBLEM

UssrLabs found a Local/Remote DoS Attack in War FTP Daemon 1.70 the buffer overflow is caused by a Multiples connections at the same time (over 60) in the ftp server, and some characters in the login name.

There is not much to expand on.... just a simple hole

For the source / binary of this remote / local D.O.S Go to: http://www.ussrback.com/

Vendor Status: Contacted.
Vendor Url: http://www.jgaa.com
Program Url: http://www.jgaa.com/warftpd.htm
Credit: USSRLABS

SOLUTION

Nothing yet.

u n d e r g r o u n d  s e c u r i t y  s y s t e m s  r e s e a r c h
http://www.ussrback.com
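
The log-based detection described in the statement (many OnAccept() entries from one source address at the same time), as an added example that is not part of the original message or of War FTP Daemon. The default threshold of 60 follows the "over 60" figure in the quoted advisory; the 5-second window, the function names and the 192.0.2.x sample lines are assumptions constructed for illustration, and the log is assumed to be in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the OnAccept() lines in the log layout quoted in the statement.
ACCEPT_RE = re.compile(
    r"^I (\d\d/\d\d/\d\d \d\d:\d\d:\d\d) \S+ .*?\[WarFTPD::OnAccept\(\)\] "
    r"Client \((\d+\.\d+\.\d+\.\d+):\d+->"
)


def find_flooders(lines, threshold=60, window_seconds=5):
    """Return {source_ip: peak count} for each source whose accepted
    connections inside any window_seconds span reach the threshold."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # source ip -> timestamps still in the window
    peaks = {}
    for line in lines:
        m = ACCEPT_RE.match(line)
        if not m:
            continue  # debug ("D ...") lines and other events are skipped
        ts = datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S")
        src = m.group(2)
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop accepts that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return peaks


def accept_line(ts, seq, src, port):
    """Build a constructed log line in the same layout as the quoted log."""
    return (f"I {ts} FTPD:test21:{seq:04x} (User=18446744073709551615 ) "
            f"[WarFTPD::OnAccept()] Client ({src}:{port}->192.0.2.20:21) "
            "is connected to the FTP server.")


# Constructed sample: 70 accepts in one second from one host, two accepts
# from a second host, and one debug line that the parser must ignore.
SAMPLE = [accept_line("12/17/99 02:19:43", i + 1, "192.0.2.151", 4496 + i)
          for i in range(70)]
SAMPLE += [accept_line("12/17/99 02:19:44", 71 + i, "192.0.2.7", 1030 + i)
           for i in range(2)]
SAMPLE.append("D 12/17/99 02:19:48 FTPD:test21:000e (User=18446744073709551615 ) "
              '[WarFTPDControlSck::OnCommand()] Got command "}DGqDYH"')

if __name__ == "__main__":
    for ip, peak in find_flooders(SAMPLE).items():
        print(f"{ip}: {peak} connections within 5 s")
```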