[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
 
 discussions
- read forum
- new topic
- search
 

 meetings
- meetings list
- recent additions
- add your info
 
 top 100 sites
- visit top sites
- sign up now
- members
 
 webmasters

- add your url
- add domain
- search box
- link to us

 
 projects
- our projects
- free email
 
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : SunFTP vulnerable to two Denial-of-Service attacks (long buffer, half-open)

Title: SunFTP vulnerable to two Denial-of-Service attacks (long buffer, half-open)
Released by: SecuriTeam
Date: 1st September 2000
Printable version: Click here
SunFTP vulnerable to two Denial-of-Service attacks (long buffer, half-open)

----------------------------------------------------------------------------







SUMMARY



 <http://xs4all.dk/sunftp/> SunFTP is a small FTP server written in

Delphi. This product contains a few vulnerabilities in its socket module.

First, it is possible to cause it to overflow its receiving buffer.

Second, SunFTP can be crashed remotely by disconnecting the session

without sending a complete command.



DETAILS



Vulnerable systems:

SunFTP Build: 9(1)



Buffer overflow problem:

To test for this vulnerability, connect to the server and send a buffer of

2100 characters.



(Cmd: perl -e "print \"GET @{['x'x2100]} HTTP/1.0\n\n\""|nc 127.1 80



The server crashes, and this enables attackers to launch a Denial of

Service attack against the product.



Half-open DoS:

To test for this vulnerability, connect to the server with a non-FTP

program (for example, telnet). Now disconnected immediately (or after

sending a buffer), but make sure you don't send a newline ('\r\n'). The

server will crash almost immediately.



Workaround / Solution:

Since this is a discontinued project, and the author has not responded to

our email, we suggest switching to another FTP Server.



Detection:

It is possible to detect a vulnerable SunFTP server by looking for the

following FTP banner:

220 hostname FTP Server (SunFTP b9) ready on port 21.





ADDITIONAL INFORMATION



The security hole was discovered by Beyond Security's SecuriTeam

(expert@securiteam.com).





====================



DISCLAIMER:

The information in this bulletin is provided "AS IS" without warranty of any

kind.

In no event shall we be liable for any damages whatsoever including direct,

indirect, incidental, consequential, loss of business profits or special

damages.

====================







--

Aviram Jenik

Beyond Security Ltd.

http://www.BeyondSecurity.com

http://www.SecuriTeam.com








(C) 1999-2000 All rights reserved.