----- Begin Hush Signed Message from joetestaat_private -----

Potential DOS Vulnerability in WFTPD

Overview

WFTPD v3.00R5 is an FTP server available from http://www.wftpd.com and
http://www.download.com. A potential denial-of-service vulnerability
exists which allows a remote attacker to hang the server.

Details

When a user attempts to change the current directory, the server first
queries the directory, then determines if the operation should be
allowed. This implementation exposes the server to a DOS attack if an
attacker continuously tries to change the current directory to the
server's floppy drive. The following is an illustration of the problem:

    > ftp localhost
    Connected to xxxxxxxxxx.rh.rit.edu.
    220-This FTP site is running a copy of WFTPD that is NOT REGISTERED
    ..
    ..
    <registration nag header is edited out >
    ..
    220 WFTPD 3.0 service (by Texas Imperial Software) ready for new user
    User (xxxxxxxxxx.rh.rit.edu:(none)): jdog
    331 Give me your password, please
    Password:
    230 Logged in successfully
    ftp> cd a:/
    501 User is not allowed to change to a:/ - returning to /.
    ftp>

The server correctly denies the action, but queries the A:\ drive
anyway. A DOS can be achieved by repeating the 'cd a:/' command
continuously. This problem will have varying effects, depending on your
system configuration.

An exploit written in Perl is available at:

    http://hogs.rit.edu/~joet/code/floppy_hell.pl

Solution

Disable your floppy drive in your system BIOS if your system
configuration is vulnerable.

Vendor Status

Texas Imperial Software was contacted via <supportat_private> and
<infoat_private> on Wednesday, April 25, 2001. Alun Jones, the program
author, verified the behavior and plans on releasing a fix in the v3.1
branch.

- Joe Testa

e-mail:   joetestaat_private
web page: http://hogs.rit.edu/~joet
AIM:      LordSpankatron

This message has been signed with a Hush Digital Signature.
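
The ordering problem described under Details (query the directory first, decide afterwards), next to a handler that decides on the path string before touching any drive. This is an added example, not code from the advisory or from WFTPD; the handler names, the RecordingFS stand-in, the C:\ftp\jdog home directory and the 250/550 reply texts are assumptions made for illustration.

```python
import ntpath  # Windows path rules, usable on any OS; purely lexical

class RecordingFS:
    """Stand-in for the disk that records every path the server touches."""
    def __init__(self, dirs):
        self.dirs = {ntpath.normcase(d) for d in dirs}
        self.touched = []
    def is_dir(self, path):
        self.touched.append(path)
        return path in self.dirs

def resolve(home, cwd, arg):
    """Map a CWD argument to a normalized Windows path without disk access."""
    arg = arg.replace("/", "\\")
    if ntpath.splitdrive(arg)[0]:      # "a:\" or a UNC share names a volume
        target = arg
    elif arg.startswith("\\"):         # "/" is the user's virtual root
        target = home + arg
    else:
        target = ntpath.join(cwd, arg)
    return ntpath.normcase(ntpath.normpath(target))

def allowed(home, path):
    """String comparison only: is path the home directory or below it?"""
    home = ntpath.normcase(ntpath.normpath(home))
    return path == home or path.startswith(home + "\\")

def cwd_query_first(fs, home, cwd, arg):
    """Order described in the advisory: query the directory, then decide."""
    path = resolve(home, cwd, arg)
    exists = fs.is_dir(path)           # the drive is accessed even if denied
    if not allowed(home, path):
        return "501 User is not allowed to change to " + arg
    return "250 OK" if exists else "550 No such directory"

def cwd_decide_first(fs, home, cwd, arg):
    """Reordered: denied requests return before any disk access."""
    path = resolve(home, cwd, arg)
    if not allowed(home, path):
        return "501 User is not allowed to change to " + arg
    return "250 OK" if fs.is_dir(path) else "550 No such directory"

if __name__ == "__main__":
    HOME = "C:\\ftp\\jdog"             # constructed sample layout
    for handler in (cwd_query_first, cwd_decide_first):
        fs = RecordingFS([HOME, HOME + "\\pub"])
        print(handler.__name__, handler(fs, HOME, HOME, "a:/"), fs.touched)
```

Both handlers return the same 501 reply for 'cd a:/'; only the first one leaves an access to a:\ in the recorded list.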
This archive was generated by hypermail 2b30 : Thu May 03 2001 - 23:38:46 PDT