OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: David Endler (dendler_at_idefense.com)
Date: Sun Nov 03 2002 - 23:43:58 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    iDEFENSE Security Advisory 11.04.02a:
    http://www.idefense.com/advisory/11.04.02a.txt
    Pablo FTP Server DoS Vulnerability
    November 4, 2002

    I. BACKGROUND

    Pablo Software Solutions' FTP Server is a multi-threaded FTP server
    for Windows 98, NT 4.0, 2000 and XP. More information about it is
    available at http://www.pablovandermeer.nl/ftp_server.html.

    II. DESCRIPTION

    Because of its incorrect handling of format string markers in
    user-provided input, the FTP Server can be remotely crashed if it
    attempts to process such malformed input; code execution is also a
    possibility. The denial of service condition is exploited by
    attempting to login to the target FTP server as '%n'.

    III. ANALYSIS

    Successful exploitation should crash the FTP server. What is most
    damaging about this is that the files and resources readily made
    available by the server's proper functionality are inaccessible for
    the duration that the server is attacked. While no exploit currently
    exists, it is possible to execute arbitrary code.

    IV. DETECTION

    Pablo FTP Server 1.3 and 1.5, running on Windows 2000; version 1.2 is
    reportedly vulnerable as well. Connecting to an arbitrary Pablo FTP
    Server and providing a username of "%x%x%x%x" can determine
    susceptibility. The server is vulnerable if an entry such as the
    following is found in the produced log files:

    [1064] 530 Please login with USER and PASS
    [1064] USER f7db018409be31
    [1064] 331 Password required for 247db018409be32

    The username values that show up in the log files are pulled from
    memory (the stack) and should differ from system to system.

    V. WORKAROUND

    Use a filtering proxy server to help mitigate the attack by blocking
    requests that contain format string markers.

    VI. VENDOR FIX

    Version 1.51, which fixes the problem, is available at
    http://www.pablovandermeer.nl/ftpserver.zip.

    VII. CVE INFORMATION

    The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
    assigned the identification number CAN-2002-1244 to this issue.

    VIII. DISCLOSURE TIMELINE

    10/15/2002 Issue disclosed to iDEFENSE
    10/31/2002 Author notified
    10/31/2002 iDEFENSE clients notified
    11/01/2002 Response received from pablovandermeerkabelfoon.nl
    11/04/2002 Coordinated public disclosure

    IX. CREDIT

    Texonet (http://www.texonet.com) discovered this vulnerability.

    Get paid for security research
    http://www.idefense.com/contributor.html

    Subscribe to iDEFENSE Advisories:
    send email to listservidefense.com, subject line: "subscribe"

    About iDEFENSE:

    iDEFENSE is a global security intelligence company that proactively
    monitors sources throughout the world from technical
    vulnerabilities and hacker profiling to the global spread of viruses
    and other malicious code. Our security intelligence services provide
    decision-makers, frontline security professionals and network
    administrators with timely access to actionable intelligence
    and decision support on cyber-related threats. For more information,
    visit http://www.idefense.com.

    - -dave

    David Endler, CISSP
    Director, Technical Intelligence
    iDEFENSE, Inc.
    14151 Newbrook Drive
    Suite 100
    Chantilly, VA 20151
    voice: 703-344-2632
    fax: 703-961-1071

    dendleridefense.com
    www.idefense.com

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.1.2
    Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A

    iQA/AwUBPcYIW0rdNYRLCswqEQINEACguhUQdfsZMdi1ghixV8EzWztab7cAoPXf
    /vGQAyMHjmc1fXCz9Kb8zHi5
    =ATmX
    -----END PGP SIGNATURE-----