RhinoSoft Serv-U FTP Anonymous Remote DoS Vulnerability

From: [secondmotion]-Matt Thompson (mattat_private)
Date: Wed Nov 06 2002 - 05:47:10 PST


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    =====================================================================
    secondmotion-SM-SA-02-03                            Security Advisory
    =====================================================================
    Topic: RhinoSoft Serv-U FTP Anonymous Remote DoS Vulnerability
    Announced: 2002-06-11
    Updated: 2002-06-11
    Tested on: Serv-U FTP 4.0.0.4 and earlier
    Not affected: Serv-U FTP 4.1
    Obsoletes: /
    http://www.secondmotion.com
    =====================================================================
    
    This advisory is based on trial-and-error results obtained both
    locally over a standard LAN FTP setup and against remote Internet
    FTP configurations.  The vulnerability was reproduced remotely at
    Cat-Soft with the permission of Rob Beckers.  This document is
    subject to change without prior notice.
    
    The software developers and software vendors were informed of this
    vulnerability on 17 September 2002.
    
    If anyone reading this is aware of any further information relating
    to this vulnerability, please contact the authors below or report
    via BugTraq.
    
    
    I. Background
    
    	While working on a new security product to detect bugs in
    	software, we considered that some FTP servers may process
    	incoming commands as fast as possible in order to clear the
    	Windows socket receive buffer.  Looking into this further in
    	conjunction with our application, we realised it may be possible
    	to cause a Denial of Service (DoS) against certain FTP server
    	products.
    
    II. Problem Description
    
    	Once connected to the Serv-U FTP server as an anonymous user or
    	as a local user, a client can issue MKD commands.  Sending MKD
    	commands to Serv-U in a tight loop causes the application to
    	stop accepting connections.  Although this resembles an ordinary
    	flooding DoS, in which the server is simply swamped with data,
    	the attack can be launched over a 56k dial-up connection and
    	therefore should not be categorised as a plain bandwidth DoS.
    	The fault is that Serv-U has no flood protection against
    	commands themselves, only against hammering (repeated connection
    	and login attempts).  MKD is used because it forces Serv-U to
    	check whether the user has access to the folder, and it is this
    	repeated check that causes it to stop processing requests.
    
    III. Impact:
    
    	Version 4.0.0.4 and earlier are affected by this vulnerability.
    	Many home users and businesses use Serv-U FTP since it has a
    	simple GUI and many easy-to-use features.  Using this
    	vulnerability, it is possible to remotely shut down FTP servers
    	running this server application.
    
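    The following is an added illustration, not code from the advisory
    and not Serv-U's own implementation. It models the two things
    sections II and III describe: the attacker's loop of MKD commands
    (cheap enough to send over a 56k link) and the control the advisory
    says was missing, a per-session limit on command rate rather than
    only on login hammering. The FTP state machine, the 2 ms spacing
    between commands, and the token-bucket parameters (20 commands/s
    sustained, burst of 50) are assumptions chosen for the example;
    the cost of the per-MKD permission check is modelled only as a
    counter, since the advisory gives no internals.

```python
# Added example; not part of the original advisory and not Serv-U code.
# All server behaviour, rates and timings below are assumptions.


class TokenBucket:
    """Per-session command rate limiter (token bucket)."""

    def __init__(self, rate_per_s, burst):
        self.rate = float(rate_per_s)      # sustained commands per second
        self.capacity = float(burst)       # how many may arrive back to back
        self.tokens = float(burst)
        self.last = None

    def allow(self, now):
        if self.last is None:
            self.last = now
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class FtpSession:
    """Toy FTP control-connection handler (assumed, for illustration only)."""

    def __init__(self, limiter=None, can_mkd=False):
        self.limiter = limiter
        self.can_mkd = can_mkd
        self.user = None
        self.logged_in = False
        self.closed = False
        self.dirs = set()
        self.access_checks = 0   # stands in for the per-MKD permission check

    def handle(self, line, now):
        if self.closed:
            return None
        # The control the advisory says Serv-U lacked: throttle commands, not just logins.
        if self.limiter is not None and not self.limiter.allow(now):
            self.closed = True
            return "421 Command rate exceeded; closing control connection."
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "USER":
            self.user = arg
            return "331 Password required."
        if verb == "PASS":
            self.logged_in = self.user is not None
            return "230 Logged in." if self.logged_in else "503 Login with USER first."
        if verb == "QUIT":
            self.closed = True
            return "221 Goodbye."
        if verb == "MKD":
            if not self.logged_in:
                return "530 Not logged in."
            self.access_checks += 1   # every MKD costs a folder permission check
            if not self.can_mkd:
                return "550 Permission denied."
            self.dirs.add(arg)
            return '257 "%s" created.' % arg
        return "502 Command not implemented."


def mkd_flood(n):
    """The attacker's loop from section II: MKD with a changing folder name."""
    return ["MKD d%d" % i for i in range(n)]


def run_session(commands, interval_s, limiter=None):
    """Feed commands to one anonymous session with a fixed gap; return counts."""
    s = FtpSession(limiter=limiter, can_mkd=False)
    now = 0.0
    s.handle("USER anonymous", now)
    s.handle("PASS guest@example.invalid", now)   # constructed sample login
    answered = dropped = 0
    for cmd in commands:
        now += interval_s
        reply = s.handle(cmd, now)
        if reply is None:
            dropped += 1            # connection already closed
        elif not reply.startswith("421"):
            answered += 1           # server did the work for this command
    return {"answered": answered, "dropped": dropped,
            "closed": s.closed, "access_checks": s.access_checks}


def demo():
    # "MKD dNNNN\r\n" is about 11 bytes, so a 56k link carries hundreds of
    # commands per second; 2 ms spacing is an assumed, conservative figure.
    flood = mkd_flood(2000)
    unprotected = run_session(flood, 0.002)
    protected = run_session(flood, 0.002, TokenBucket(rate_per_s=20, burst=50))
    # A normal client creating ten folders a second apart is never throttled.
    normal = run_session(mkd_flood(10), 1.0, TokenBucket(rate_per_s=20, burst=50))
    return unprotected, protected, normal


if __name__ == "__main__":
    for name, result in zip(("unprotected", "protected", "normal client"), demo()):
        print(name, result)
```

    Without the limiter every one of the 2000 MKD commands reaches the
    permission check, which is the load the advisory describes; with it
    the session is cut off after roughly the burst size, while a client
    issuing MKD at a human pace is unaffected. Serv-U 4.1 is stated to
    fix the issue, but the advisory does not say how, so this limiter is
    a generic mitigation rather than a description of the vendor's fix.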
    IV. Solution
    
    	As of November 01, 2002, Rhinosoft/Cat-Soft have released version
    	4.1, which is patched against this vulnerability.  We recommend
    	that all users upgrade to version 4.1 of Serv-U immediately.
    	http://www.serv-u.com/download.htm
    
    
    V. Credits
    
    	mattat_private - Matt Thompson [Proof of Concept]
    	paulat_private - Paul Smurthwaite
    	Rob Beckers - Cat-Soft [for working with us on this]
    
    VI. Source code
    
    	A Proof of Concept tool can be provided at short notice on request.
    
    =====================================================================
    - -ends-
    
    
    Matt Thompson
    
    - ----
    DISCLAIMER & INFORMATION: This e-mail may contain proprietary
    information, some or all of which may be legally privileged. It is
    for the intended recipient only. If an addressing or transmission
    error has misdirected this e-mail, please notify the author by
    replying to this e-mail. If you are not the intended recipient you
    must NOT use, disclose, distribute, copy, print, or rely on this
    e-mail.
    
    Any and all file attachments to this message are scanned at source
    for viruses.  This organisation has a strict policy on the
    transmission of viruses and will not accept ANY excuse for the
    receipt of viruses here, as a result of which, any message found to
    contain viruses will be deleted at this mail server WITHOUT being
    read.  Persistent offenders will be banned from sending email to this
    domain.
    
    All messages sent from this domain and its specific accounts are
    digitally signed using our public PGP keys.  This is your guarantee
    that the email you have received actually originated from our domain.
    More information on PGP can be found at http://www.pgp.com
    - ---- 
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
    
    iQA/AwUBPckdXhqqCKK1Qd1fEQJSnwCgrr4Y32lXQCeXo1SbnFR2hsF9TbEAoIwP
    p+bGb34fPVVxmpoM4dzvDPvT
    =2KxE
    -----END PGP SIGNATURE-----
    


