lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20070712050911.8827A22822@mailserver9.hushmail.com>
Date: Thu, 12 Jul 2007 01:09:11 -0400
From: "Joey Mengele" <joey.mengele@...hmail.com>
To: <full-disclosure@...ts.grok.org.uk>,<demottja@....edu>
Subject: Re: IPSwitch WS_FTP Logging Server Remote Denial
	of Service -- a VDA Labs, LLC discovery

I will be sure to patch for this serious exploit vulnerability 
proof of concept code hack so that my machines cannot be cracked.

J

On Thu, 12 Jul 2007 00:15:32 -0400 Jared DeMott <demottja@....edu> 
wrote:
>IPSwitch WS_FTP Logging Server Remote Denial of Service
>------------------------------------------------
>Version: 7.5.29.0 (Logsrv.exe)
>
>Overview
>--------
>The WS FTP logging server is a daemon that listens on UDP port 
>5151 and
>is shipped with WS FTP and by default is turned on and used by the 
>local
>WS FTP instance. It binds to the public IP address of the server 
>and is
>accessible externally, in part so that other WS FTP machines are 
>able to
>use it as a logging interface.
>
>Description of Crash
>--------------------
>WS FTP uses a binary protocol to speak to the logging daemon, and 
>each
>transmission begins with a two byte header "0xab 0xaa". If using a 
>long
>string of characters to mangle the remaining portions of the 
>message, a
>pointer operation fails at:
>0x00401769
>
>cmp     word ptr [ecx], 0AAADh
>jnz     short loc_401787
>
>This crashes the process. By flipping two bytes immediately after 
>the
>two primary header bytes, you are also able to control where the
>dereferencing address is at the time of the crash. However, this 
>does
>not appear to allow code execution on the remote host as the 
>address
>referenced is too far away from any user supplied input.
>
>Discovered By
>----------------
>Justin Seitz of VDA Labs LLC (jseitz@...labs.com)
>
>
>Full advisory and attack code location:
>----------------------------------------
>http://www.vdalabs.com/resources
>http://www.vdalabs.com/tools/ipswitch.html
>
>ipswitchlogsrv-killer.py - Change the IP and PORT numbers as 
>necessary
>at the top of the file. There are two bytes that lead to different
>address offsets where the pointer dereference is attempted.
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/

--
Click to lower your debt and consolidate your monthly expenses
http://tagline.hushmail.com/fc/Ioyw6h4d716878MGXyA105YJMeLioAE5OXJBN3lPtxoU6pi90kPhcE/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ