Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

[EXPL] SunFTP vulnerable to two Denial-of-Service attacks (long buffer, half-open)

From: Aviram Jenik <aviram () BEYONDSECURITY COM>
Date: Fri, 1 Sep 2000 18:13:10 +0200
The following security advisory is sent to the securiteam mailing list, and
can be found at the SecuriTeam web site: http://www.securiteam.com


SunFTP vulnerable to two Denial-of-Service attacks (long buffer, half-open)
----------------------------------------------------------------------------



SUMMARY

 <http://xs4all.dk/sunftp/> SunFTP is a small FTP server written in
Delphi. This product contains a few vulnerabilities in its socket module.
First, it is possible to cause it to overflow its receiving buffer.
Second, SunFTP can be crashed remotely by disconnecting the session
without sending a complete command.

DETAILS

Vulnerable systems:
SunFTP Build: 9(1)

Buffer overflow problem:
To test for this vulnerability, connect to the server and send a buffer of
2100 characters.

(Cmd: perl -e "print \"GET @{['x'x2100]} HTTP/1.0\n\n\""|nc 127.1 80

The server crashes, and this enables attackers to launch a Denial of
Service attack against the product.

Half-open DoS:
To test for this vulnerability, connect to the server with a non-FTP
program (for example, telnet). Now disconnected immediately (or after
sending a buffer), but make sure you don't send a newline ('\r\n'). The
server will crash almost immediately.

Workaround / Solution:
Since this is a discontinued project, and the author has not responded to
our email, we suggest switching to another FTP Server.

Detection:
It is possible to detect a vulnerable SunFTP server by looking for the
following FTP banner:
220 hostname FTP Server (SunFTP b9) ready on port 21.


ADDITIONAL INFORMATION

The security hole was discovered by Beyond Security's SecuriTeam
(expert () securiteam com).


====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
====================



--
Aviram Jenik
Beyond Security Ltd.
http://www.BeyondSecurity.com
http://www.SecuriTeam.com
Previous By Date Next
Previous By Thread Next

Current thread: