[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20080204223149.fcce4c63.aluigi@autistici.org>
Date: Mon, 4 Feb 2008 22:31:49 +0100
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, bugs@...uritytracker.com,
news@...uriteam.com, full-disclosure@...ts.grok.org.uk, vuln@...unia.com,
packet@...ketstormsecurity.org
Subject: Socket termination in FTP Log Server 7.9.14.0
#######################################################################
Luigi Auriemma
Application: FTP Log Server
http://www.wsftp.com
Versions: <= 7.9.14.0
Platforms: Windows
Bug: socket termination
Exploitation: remote
Date: 04 Feb 2008
Author: Luigi Auriemma
e-mail: aluigi@...istici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
FTP Log Server is a daemon installed and running with Ipswitch WS_FTP
which works on the UDP port 5151 and is used for all the logging
operations of this FTP server.
#######################################################################
======
2) Bug
======
Sending more than 20 packets of a size major than 4096 bytes (the
maximum size of a packet which can be received by the server) within
less than one second between them causes the silent termination of the
listening socket (offset 004013FD), so the process of the daemon will
continue to be active but it will no longer handle the log commands of
the FTP or any other server which supports it.
Although the daemon binds all the interfaces (and I doubt an admin
leaves the UDP port 5151 accessible from Internet, moreover to avoid
custom entries in the XML logs) the main scenario of a possible
exploiting of this vulnerability is in a LAN environment for example
used for disabling the logging service and starting a brute forcing
attack versus the machine on which is running the FTP server and so on.
#######################################################################
===========
3) The Code
===========
http://aluigi.org/testz/udpsz.zip
udpsz -l 100 SERVER 5151 4097
#######################################################################
======
4) Fix
======
No fix
#######################################################################
---
Luigi Auriemma
http://aluigi.org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists