OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: joetestaHUSHMAIL.COM
Date: Fri May 04 2001 - 01:37:37 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    ----- Begin Hush Signed Message from joetestahushmail.com -----

    Potential DOS Vulnerability in WFTPD

        Overview

    WFTPD v3.00R5 is an ftp server available from http://www.wftpd.com
    and http://www.download.com. A potential denial-of-service
    vulnerability exists which allows a remote attacker to hang the server.

        Details

    When a user attempts to change the current directory, the server first
    queries the directory, then determines if the operation should be
    allowed. This implementation exposes the server to a DOS attack if
    a malicious attacker continuously tries to change the current directory
    to the server's floppy drive.
        The following is an illustration of the problem:

    > ftp localhost
    Connected to xxxxxxxxxx.rh.rit.edu.
    220-This FTP site is running a copy of WFTPD that is NOT REGISTERED
    ..
    .. <registration nag header is edited out >
    ..
    220 WFTPD 3.0 service (by Texas Imperial Software) ready for new user
    User (xxxxxxxxxx.rh.rit.edu:(none)): jdog
    331 Give me your password, please
    Password:
    230 Logged in successfully
    ftp> cd a:/
    501 User is not allowed to change to a:/ - returning to /.
    ftp>

        The server correctly denies the action, but queries the A:\ drive
    anyway. A DOS can achieved by repeating the 'cd a:/' command
    continuously. This problem will have varying effects, depending on
    your system configuration.
        An exploit written in PERL is available at:
    http://hogs.rit.edu/~joet/code/floppy_hell.pl

        Solution

    Disable your floppy drive in your system BIOS if your system configuration
    is vulnerable.

        Vendor Status

    Texas Imperial Software was contacted via <supporttexis.com> and
    <infotexis.com> on Wednesday, April 25, 2001. Alun Jones, the program
    author, verified the behavior and plans on releasing a fix in the v3.1
    branch.

        - Joe Testa

    e-mail: joetestahushmail.com
    web page: http://hogs.rit.edu/~joet
    AIM: LordSpankatron

    ----- Begin Hush Signature v1.3 -----
    AIvjUxz+1xWYY/jIMUmHSud2wHZWCOIjJq/uVKIg/vz7ZFrfAu3IAgbltZtyKz9Hud03
    1dBLyvynqMClThgETOW1Mjv4NLWhBRfg2gi7CpfrUfuyVFD0EeDFTyLScE93sIA+FE/K
    XCfZwnIGPgI65ZIUNcUI6+gDikKHGS9qsClUNACHQegBQ18T4ZTkzmmng3/Yes3PJUA+
    E0GQb2dOymOgpD9rdW+6wa3Ou2lms/xWXkVt1Ktfw5Lf+k1mnc/qaIU+KDpoZpl0h77E
    cq7ZhCKALsF1IIlO/xGOZ6eZrWrdSibQtJaZ8B7HUsv9+j6ltAfEFJbCO0PkHxXWU/5a
    PwBo5qc2FogtQ1N5289gWUsKqJHqpt5WKMNcS+PIWAsBlxgxRPO4cuIzGnT/zBcWcDab
    8iHF2uo46H4h5NaQoOYCTy0u/E7RACIsyFLr6BsgHINBaA8fywiEheyitb79lRYcd8BJ
    7JJtCkbccr30PeBvPC2TzeEdFwqtlVEE3sIx+qQ8IUxo
    ----- End Hush Signature v1.3 -----

    This message has been signed with a Hush Digital Signature.
    To verify the signature, please go to www.hush.com/tools

    Free, encrypted, secure Web-based email at www.hushmail.com