From: David Endler (dendler_at_idefense.com)
Date: Sun Nov 03 2002 - 23:43:58 CST
-----BEGIN PGP SIGNED MESSAGE-----
iDEFENSE Security Advisory 11.04.02a:
Pablo FTP Server DoS Vulnerability
November 4, 2002
I. BACKGROUND
Pablo Software Solutions' FTP Server is a multi-threaded FTP server
for Windows 98, NT 4.0, 2000 and XP. More information about it is
available at http://www.pablovandermeer.nl/ftp_server.html.
II. DESCRIPTION
The FTP Server passes user-supplied input, including the USER name, to a
printf-family function as the format string rather than as an argument.
Conversion specifiers in that input are therefore interpreted: '%x'
reads words off the stack and '%n' writes to memory, which crashes the
process. The denial of service is triggered simply by attempting to log
in to the target FTP server with a username of '%n'. Because the same
bug gives an attacker a write into memory, code execution is also a
possibility.
III. ANALYSIS
Successful exploitation crashes the FTP server. The practical damage is
that every file and resource the server legitimately makes available
becomes inaccessible for as long as the attack is repeated, and each
repetition costs the attacker nothing more than a TCP connection and a
single USER command. No exploit for code execution is currently known,
but format string bugs of this kind are in principle exploitable to
execute arbitrary code.
IV. DETECTION
The vulnerability has been confirmed in Pablo FTP Server 1.3 and 1.5
running on Windows 2000; version 1.2 is reportedly vulnerable as well.
To test a Pablo FTP Server, connect to its control port and supply a
username of "%x%x%x%x". The server is vulnerable if its log files show
entries such as the following, in which the username has been replaced
by hexadecimal values:
 530 Please login with USER and PASS
 USER f7db018409be31
 331 Password required for 247db018409be32
Each '%x' prints one word read from the stack, so the values differ from
system to system, and even between the two lines above, where the same
input was run through the format function twice. A server that handles
the input correctly logs and echoes the literal string "%x%x%x%x".
V. WORKAROUND
Until the server is upgraded, place a filtering proxy in front of it
and have the proxy drop any command whose argument contains format
string conversion specifiers (a '%' followed by a conversion character
such as 'n', 'x', 's' or 'd'). A doubled '%%' is a literal percent sign
and need not be blocked; legitimate filenames that happen to contain a
specifier-like sequence will be rejected along with the attack.
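The detection check and the proxy filter above, as an added example that is not part of the advisory or of the vendor's software: the probe sends the advisory's "%x%x%x%x" username and compares the name echoed in the 331 reply against what was sent, the log scanner applies the same mismatch test to logged USER/331 pairs, and should_block() is the filtering rule a proxy would apply. The sample log is constructed for this example (the two hexadecimal values are taken from the advisory's excerpt; the trailing "USER %n" with no reply models the crash), and single-line server replies are assumed.

```python
import io
import re
import socket
import sys
from typing import Iterable, List, Optional, Tuple

# A printf-family conversion specifier: '%', optional flags/width/precision/
# length modifier, then a conversion character. '%%' is a literal percent
# sign and is stripped before matching.
FORMAT_SPEC = re.compile(
    r"%[-+ #0]*(?:\d+|\*)?(?:\.(?:\d+|\*))?(?:hh|h|ll|l|L|q|j|z|t)?[diouxXeEfFgGaAcspn]"
)
PROBE_USER = "%x%x%x%x"                    # the advisory's detection probe
REPLY_331 = re.compile(r"^331 .*?\bfor (.+?)\s*$")

# Constructed sample log modelled on the advisory's excerpt; not real output.
SAMPLE_LOG = """\
220 FTP Server ready
USER alice
331 Password required for alice
230 User alice logged in
USER f7db018409be31
331 Password required for 247db018409be32
USER %n
"""


def contains_format_spec(text: str) -> bool:
    """True if a printf-family call would act on something in text."""
    return FORMAT_SPEC.search(text.replace("%%", "")) is not None


def should_block(command_line: str) -> bool:
    """Filtering-proxy rule (the advisory's workaround): refuse any FTP command
    line carrying a conversion specifier, e.g. 'USER %n' or 'PASS %x%x'."""
    return contains_format_spec(command_line)


def echo_was_expanded(sent_user: str, reply: str) -> bool:
    """A correct server echoes the USER argument verbatim in its 331 reply. If
    the echo of a probe made of specifiers differs, the name was used as the
    format string of a printf-family call."""
    m = REPLY_331.match(reply.strip())
    return m is not None and m.group(1) != sent_user


def probe(rfile, wfile, user: str = PROBE_USER) -> Tuple[bool, str]:
    """Run the advisory's check over an open control connection (binary file
    objects, e.g. from socket.makefile). Returns (looks_vulnerable, reply)."""
    rfile.readline()                       # 220 banner (single line assumed)
    wfile.write(f"USER {user}\r\n".encode("ascii"))
    wfile.flush()
    reply = rfile.readline().decode("ascii", errors="replace").strip()
    return echo_was_expanded(user, reply), reply


def scan_log(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Pair each logged 'USER x' with the next '331 ...' line and report
    (reasons, user_line, reply_line) for sessions that show a raw specifier,
    a mismatched echo, or a specifier followed by no reply at all."""
    findings: List[Tuple[str, str, str]] = []
    pending: Optional[str] = None

    def flush(reply: str) -> None:
        nonlocal pending
        if pending is None:
            return
        reasons = []
        if contains_format_spec(pending):
            reasons.append("specifier-in-USER")
        if reply and echo_was_expanded(pending, reply):
            reasons.append("echo-mismatch")
        if not reply and reasons:
            reasons.append("no-reply")
        if reasons:
            findings.append((",".join(reasons), "USER " + pending, reply))
        pending = None

    for raw in lines:
        line = raw.strip()
        if line.upper().startswith("USER "):
            flush("")                      # previous USER never got a reply
            pending = line[5:]
        elif line.startswith("331 "):
            flush(line)
    flush("")
    return findings


if __name__ == "__main__":
    for reasons, user_line, reply_line in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{reasons}: {user_line!r} -> {reply_line!r}")
    if len(sys.argv) > 1:                  # live probe: python probe.py HOST
        with socket.create_connection((sys.argv[1], 21), timeout=10) as s:
            vuln, reply = probe(s.makefile("rb"), s.makefile("wb"))
            print("vulnerable" if vuln else "not vulnerable", reply)
```

The probe is deliberately read-only: it sends only the "%x" probe, never "%n", so it confirms the bug without crashing the target. should_block() is intentionally strict; it will also reject filenames containing a specifier-like sequence, which is the trade-off the workaround accepts.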
VI. VENDOR FIX
Version 1.51, which fixes the problem, is available at
VII. CVE INFORMATION
The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
assigned the identification number CAN-2002-1244 to this issue.
VIII. DISCLOSURE TIMELINE
10/15/2002 Issue disclosed to iDEFENSE
10/31/2002 Author notified
10/31/2002 iDEFENSE clients notified
11/01/2002 Response received from pablovandermeer@kabelfoon.nl
11/04/2002 Coordinated public disclosure
IX. CREDIT
Texonet (http://www.texonet.com) discovered this vulnerability.
Get paid for security research
Subscribe to iDEFENSE Advisories:
send email to listserv@idefense.com, subject line: "subscribe"
iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world — from technical
vulnerabilities and hacker profiling to the global spread of viruses
and other malicious code. Our security intelligence services provide
decision-makers, frontline security professionals and network
administrators with timely access to actionable intelligence
and decision support on cyber-related threats. For more information,
David Endler, CISSP
Director, Technical Intelligence
14151 Newbrook Drive
Chantilly, VA 20151
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1.2
-----END PGP SIGNATURE-----