lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 12 Jul 2007 00:15:32 -0400
From: Jared DeMott <demottja@....edu>
To: full-disclosure@...ts.grok.org.uk
Subject: IPSwitch WS_FTP Logging Server Remote Denial of
 Service -- a VDA Labs, LLC discovery

IPSwitch WS_FTP Logging Server Remote Denial of Service
------------------------------------------------
Version: 7.5.29.0 (Logsrv.exe)

Overview
--------
The WS FTP logging server is a daemon that listens on UDP port 5151 and
is shipped with WS FTP and by default is turned on and used by the local
WS FTP instance. It binds to the public IP address of the server and is
accessible externally, in part so that other WS FTP machines are able to
use it as a logging interface.

Description of Crash
--------------------
WS FTP uses a binary protocol to speak to the logging daemon, and each
transmission begins with a two byte header "0xab 0xaa". If using a long
string of characters to mangle the remaining portions of the message, a
pointer operation fails at:
0x00401769

cmp     word ptr [ecx], 0AAADh
jnz     short loc_401787

This crashes the process. By flipping two bytes immediately after the
two primary header bytes, you are also able to control where the
dereferencing address is at the time of the crash. However, this does
not appear to allow code execution on the remote host as the address
referenced is too far away from any user supplied input.

Discovered By
----------------
Justin Seitz of VDA Labs LLC (jseitz@...labs.com)


Full advisory and attack code location:
----------------------------------------
http://www.vdalabs.com/resources
http://www.vdalabs.com/tools/ipswitch.html

ipswitchlogsrv-killer.py - Change the IP and PORT numbers as necessary
at the top of the file. There are two bytes that lead to different
address offsets where the pointer dereference is attempted.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ