lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20080204223149.fcce4c63.aluigi@autistici.org>
Date: Mon, 4 Feb 2008 22:31:49 +0100
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, bugs@...uritytracker.com,
	news@...uriteam.com, full-disclosure@...ts.grok.org.uk, vuln@...unia.com,
	packet@...ketstormsecurity.org
Subject: Socket termination in FTP Log Server 7.9.14.0


#######################################################################

                             Luigi Auriemma

Application:  FTP Log Server
              http://www.wsftp.com
Versions:     <= 7.9.14.0
Platforms:    Windows
Bug:          socket termination
Exploitation: remote
Date:         04 Feb 2008
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


FTP Log Server is a daemon installed and running with Ipswitch WS_FTP
which works on the UDP port 5151 and is used for all the logging
operations of this FTP server.


#######################################################################

======
2) Bug
======


Sending more than 20 packets of a size major than 4096 bytes (the
maximum size of a packet which can be received by the server) within
less than one second between them causes the silent termination of the
listening socket (offset 004013FD), so the process of the daemon will
continue to be active but it will no longer handle the log commands of
the FTP or any other server which supports it.

Although the daemon binds all the interfaces (and I doubt an admin
leaves the UDP port 5151 accessible from Internet, moreover to avoid
custom entries in the XML logs) the main scenario of a possible
exploiting of this vulnerability is in a LAN environment for example
used for disabling the logging service and starting a brute forcing
attack versus the machine on which is running the FTP server and so on.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/testz/udpsz.zip

  udpsz -l 100 SERVER 5151 4097


#######################################################################

======
4) Fix
======


No fix


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ