Subject: [EXPL] SunFTP vulnerable to two Denial-of-Service attacks (long buffer, half-open)
From: Aviram Jenik (aviramBEYONDSECURITY.COM)
Date: Fri Sep 01 2000 - 11:13:10 CDT


The following security advisory is sent to the securiteam mailing list, and
can be found at the SecuriTeam web site: http://www.securiteam.com

SunFTP vulnerable to two Denial-of-Service attacks (long buffer, half-open)
----------------------------------------------------------------------------

SUMMARY

SunFTP <http://xs4all.dk/sunftp/> is a small FTP server written in
Delphi. This product contains a few vulnerabilities in its socket module.
First, it is possible to cause it to overflow its receiving buffer.
Second, SunFTP can be crashed remotely by disconnecting the session
without sending a complete command.

DETAILS

Vulnerable systems:
SunFTP Build: 9(1)

Buffer overflow problem:
To test for this vulnerability, connect to the server and send a buffer of
2100 characters.

Cmd: perl -e "print \"GET {['x'x2100]} HTTP/1.0\n\n\""|nc 127.1 80

The server crashes, and this enables attackers to launch a Denial of
Service attack against the product.

Half-open DoS:
To test for this vulnerability, connect to the server with a non-FTP
program (for example, telnet). Now disconnect immediately (or after
sending a buffer), but make sure you don't send a newline ('\r\n'). The
server will crash almost immediately.

Workaround / Solution:
Since this is a discontinued project, and the author has not responded to
our email, we suggest switching to another FTP Server.

Detection:
It is possible to detect a vulnerable SunFTP server by looking for the
following FTP banner:
220 hostname FTP Server (SunFTP b9) ready on port 21.
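
The banner check above, applied to greetings already recorded in an asset inventory. This is an added example, not code from the advisory or from SunFTP; the function names, status labels and sample banners are assumptions made for illustration.

```python
import re

# Banner from the advisory: "220 hostname FTP Server (SunFTP b9) ready on port 21."
SUNFTP_RE = re.compile(r"\(SunFTP b(\d+)\)")
LISTED_BUILDS = {9}  # the advisory lists only build 9 as vulnerable

def parse_greeting(raw: bytes):
    """Return (code, text) of an FTP reply, joining multi-line "220-" replies."""
    lines = [l for l in raw.decode("latin-1").splitlines() if l]
    if not lines or not re.match(r"\d{3}[ -]", lines[0]):
        return None, ""
    code, parts = lines[0][:3], []
    for line in lines:
        if line.startswith(code) and line[3:4] in (" ", "-"):
            parts.append(line[4:])
            if line[3] == " ":      # "220 " marks the final line of the reply
                break
        else:
            parts.append(line)      # continuation line without a reply code
    return int(code), " ".join(parts)

def check_banner(raw: bytes) -> str:
    """Classify one recorded greeting (status labels are hypothetical)."""
    code, text = parse_greeting(raw)
    if code != 220:
        return "no-greeting"
    m = SUNFTP_RE.search(text)
    if not m:
        return "other-server"
    return "vulnerable" if int(m.group(1)) in LISTED_BUILDS else "sunftp-unlisted-build"

# Constructed sample: greetings already recorded by an inventory scan, keyed by
# documentation addresses. Collection is out of scope here; per the half-open
# issue above, a collector that connects and closes without sending a complete
# command can itself crash a vulnerable server.
SAMPLE = {
    "192.0.2.10": b"220 fileserv FTP Server (SunFTP b9) ready on port 21.\r\n",
    "192.0.2.11": b"220-Welcome\r\n220 ExampleFTPd 1.0 ready\r\n",
    "192.0.2.12": b"220-Notice to users\r\n220 gw FTP Server (SunFTP b9) ready on port 21.\r\n",
    "192.0.2.13": b"421 Service not available\r\n",
}

def flag_hosts(inventory):
    """Return the sorted hosts whose greeting matches the vulnerable banner."""
    return sorted(h for h, raw in inventory.items() if check_banner(raw) == "vulnerable")

if __name__ == "__main__":
    for host in flag_hosts(SAMPLE):
        print(host, "SunFTP b9 banner found: replace the server")
```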

ADDITIONAL INFORMATION

The security hole was discovered by Beyond Security's SecuriTeam
(expertsecuriteam.com).

====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
====================

--
Aviram Jenik
Beyond Security Ltd.
http://www.BeyondSecurity.com
http://www.SecuriTeam.com