lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <5.0.2.1.0.20060509093841.00c11550@192.168.200.106>
Date: Tue, 09 May 2006 09:45:20 +0200
From: Andrea Rimicci <arimicci@...taly.com>
To: bugtraq@...urityfocus.com
Subject: Re: INFIGO-2006-05-03: Multiple FTP Servers vulnerabilities


<snip>
 >-[ FileZilla vulnerabilities
 >
 >A few vulnerabilities in FileZilla weren't investigated beyond the crash. 

 >At
 >the moment there is no further information whether those vulnerabilities
 >are
 >exploitable.
 >The first vulnerability is triggered by sending a long PORT or PASS 
command
 >(30
 >bytes) and MLSD command after it. This causes FileZilla to crash (DoS).
 >The second vulnerability found in the FileZilla Server interface also 
leads
 >to
 >the DoS conditions.
 >
<snip>

I tried reproduce given exploit, but no DoS here.
Here is log of a session done against FileZilla server:

(000007) 2006-05-09 09:34:23 - (not logged in) (192.168.200.22)> USER test
(000007) 2006-05-09 09:34:23 - (not logged in) (192.168.200.22)> 331 
Password required for test
(000007) 2006-05-09 09:34:25 - (not logged in) (192.168.200.22)> PASS ****
(000007) 2006-05-09 09:34:25 - test (192.168.200.22)> 230 Logged on
(000007) 2006-05-09 09:34:45 - test (192.168.200.22)> PORT 
123456789012345678901234567890
(000007) 2006-05-09 09:34:45 - test (192.168.200.22)> 501 Syntax error
(000007) 2006-05-09 09:34:49 - test (192.168.200.22)> MLSD
(000007) 2006-05-09 09:34:49 - test (192.168.200.22)> 503 Bad sequence of 
commands.
(000007) 2006-05-09 09:35:05 - test (192.168.200.22)> USER test
(000007) 2006-05-09 09:35:05 - (not logged in) (192.168.200.22)> 331 
Password required for test
(000007) 2006-05-09 09:35:11 - (not logged in) (192.168.200.22)> PASS 
******************************
(000007) 2006-05-09 09:35:11 - (not logged in) (192.168.200.22)> 530 Login 
or password incorrect!
(000007) 2006-05-09 09:35:15 - (not logged in) (192.168.200.22)> MLSD
(000007) 2006-05-09 09:35:15 - (not logged in) (192.168.200.22)> 530 Please 
log in with USER and PASS first.

Please show log of exploit, to be able reproduce ur results.

Please note 2.2.22 is version of FileZila client.
Latest FileZilla server version is 0_9_16c




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ