[ SOURCE: http://www.secureroot.com/security/advisories/9678267303.html ] SunFTP vulnerable to two Denial-of-Service attacks (long buffer, half-open) ---------------------------------------------------------------------------- SUMMARY SunFTP is a small FTP server written in Delphi. This product contains a few vulnerabilities in its socket module. First, it is possible to cause it to overflow its receiving buffer. Second, SunFTP can be crashed remotely by disconnecting the session without sending a complete command. DETAILS Vulnerable systems: SunFTP Build: 9(1) Buffer overflow problem: To test for this vulnerability, connect to the server and send a buffer of 2100 characters. (Cmd: perl -e "print \"GET @{['x'x2100]} HTTP/1.0\n\n\""|nc 127.1 80 The server crashes, and this enables attackers to launch a Denial of Service attack against the product. Half-open DoS: To test for this vulnerability, connect to the server with a non-FTP program (for example, telnet). Now disconnected immediately (or after sending a buffer), but make sure you don't send a newline ('\r\n'). The server will crash almost immediately. Workaround / Solution: Since this is a discontinued project, and the author has not responded to our email, we suggest switching to another FTP Server. Detection: It is possible to detect a vulnerable SunFTP server by looking for the following FTP banner: 220 hostname FTP Server (SunFTP b9) ready on port 21. ADDITIONAL INFORMATION The security hole was discovered by Beyond Security's SecuriTeam (expert@securiteam.com). ==================== DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ==================== -- Aviram Jenik Beyond Security Ltd. http://www.BeyondSecurity.com http://www.SecuriTeam.com