Potential DOS Vulnerability in WFTPD

From: joetestaat_private
Date: Thu May 03 2001 - 23:37:37 PDT


    ----- Begin Hush Signed Message from joetestaat_private -----
    
    Potential DOS Vulnerability in WFTPD
    
    
    
        Overview
    
    WFTPD v3.00R5 is an ftp server available from http://www.wftpd.com
    and http://www.download.com.  A potential denial-of-service
    vulnerability exists which allows a remote attacker to hang the server.
    
    
    
        Details
    
    When a user attempts to change the current directory, the server first
    queries the directory, then determines if the operation should be
    allowed.  This implementation exposes the server to a DOS attack if
    a malicious attacker continuously tries to change the current directory
    to the server's floppy drive.
        The following is an illustration of the problem:
    
    
    > ftp localhost
    Connected to xxxxxxxxxx.rh.rit.edu.
    220-This FTP site is running a copy of WFTPD that is NOT REGISTERED
    ..
    .. <registration nag header is edited out >
    ..
    220 WFTPD 3.0 service (by Texas Imperial Software) ready for new user
    User (xxxxxxxxxx.rh.rit.edu:(none)): jdog
    331 Give me your password, please
    Password:
    230 Logged in successfully
    ftp> cd a:/
    501 User is not allowed to change to a:/ - returning to /.
    ftp>
    
    
        The server correctly denies the action, but queries the A:\ drive
    anyway.  A DOS can be achieved by repeating the 'cd a:/' command
    continuously.  This problem will have varying effects, depending on
    your system configuration.
        An exploit written in PERL is available at:
    http://hogs.rit.edu/~joet/code/floppy_hell.pl
    
    
    
        Solution
    
    Disable your floppy drive in your system BIOS if your system configuration
    is vulnerable.
    
    
    
        Vendor Status
    
    Texas Imperial Software was contacted via <supportat_private> and
    <infoat_private> on Wednesday, April 25, 2001.  Alun Jones, the program
    author, verified the behavior and plans on releasing a fix in the v3.1
    branch.
    
    
    
        - Joe Testa
    
    e-mail:   joetestaat_private
    web page: http://hogs.rit.edu/~joet
    AIM:      LordSpankatron
    
    
    



    This archive was generated by hypermail 2b30 : Thu May 03 2001 - 23:38:46 PDT
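
The ordering flaw described under Details, shown beside the corrected order, as an added example that is not part of the original post and is not WFTPD code. The FTP root `C:\ftproot`, the `RecordingFS` stand-in, the function names and the 250/550 reply texts are assumptions constructed for illustration.

```python
import ntpath

class RecordingFS:
    """Constructed stand-in for the OS: records every path the server queries."""
    def __init__(self, dirs):
        self.dirs = {d.lower() for d in dirs}
        self.queried = []
    def isdir(self, path):
        self.queried.append(path)  # on a real host, A:\ would be accessed here
        return path.lower() in self.dirs

def resolve(root, cwd, arg):
    """Lexically resolve a CWD argument to a Windows path, with no disk I/O."""
    arg = arg.replace("/", "\\")
    if ntpath.splitdrive(arg)[0]:          # client named a drive or UNC share
        return ntpath.normpath(arg)
    base = root if arg.startswith("\\") else cwd
    return ntpath.normpath(ntpath.join(base, arg.lstrip("\\")))

def permitted(root, target):
    """True only if target is the FTP root or lies beneath it (string check)."""
    root, target = ntpath.normcase(root), ntpath.normcase(target)
    return target == root or target.startswith(root.rstrip("\\") + "\\")

def deny(arg):
    return "501 User is not allowed to change to %s - returning to /." % arg

def cwd_query_first(fs, root, cwd, arg):
    """Order described in the advisory: query the directory, then decide."""
    target = resolve(root, cwd, arg)
    exists = fs.isdir(target)              # device is touched before the check
    if not permitted(root, target):
        return deny(arg)
    return "250 CWD ok" if exists else "550 No such directory"

def cwd_check_first(fs, root, cwd, arg):
    """Corrected order: decide on the path string, query only permitted paths."""
    target = resolve(root, cwd, arg)
    if not permitted(root, target):
        return deny(arg)                   # denied without any filesystem access
    return "250 CWD ok" if fs.isdir(target) else "550 No such directory"

def demo(handler):
    """Run three constructed CWD requests; return (replies, paths queried)."""
    root = r"C:\ftproot"
    fs = RecordingFS([root, root + r"\pub"])
    replies = [handler(fs, root, root, a) for a in ("pub", "a:/", "../..")]
    return replies, fs.queried

if __name__ == "__main__":
    for h in (cwd_query_first, cwd_check_first):
        print(h.__name__, demo(h)[1])
```

Both handlers return the same replies to the client; only the list of paths handed to the filesystem differs, which is why the 501 reply alone does not show whether the drive was accessed.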