[13006] in bugtraq
Statement: Local / Remote D.o.S Attack in War FTP Daemon 1.70
daemon@ATHENA.MIT.EDU (Jarle Aase)
Fri Dec 17 12:08:18 1999
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-Id: <NCBBIJAIBDGCMNAHBHJPGEKKFEAA.jgaa@jgaa.com>
Date: Fri, 17 Dec 1999 04:01:14 +0100
Reply-To: Jarle Aase <jgaa@JGAA.COM>
From: Jarle Aase <jgaa@JGAA.COM>
X-To: Ussr Labs <labs@USSRBACK.COM>, BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <NCBBKFKDOLAGKIAPMILPGEGGCBAA.labs@ussrback.com>
Content-Transfer-Encoding: 8bit
War FTP Daemon 1.70 is beta software, and will be replaced with a new major version early next year. The development on the 1.70 source tree has stopped, and no new versions of 1.7* is planned, - unless some serious security problems are reported.
The Remote D.o.S Attack does stall the server. There is however no indication of any buffer-overflow problems or other security-related problems.
The attack is logged to the server-log if the default log options are enabled. An attack of this type may look like this in the server log:
I 12/17/99 02:19:43 FTPD:test21:0001 (User=18446744073709551615 ) [WarFTPD::OnAccept()] Client (193.91.161.151:4496->193.91.161.20:21) is connected to the FTP server.
I 12/17/99 02:19:43 FTPD:test21:0002 (User=18446744073709551615 ) [WarFTPD::OnAccept()] Client (193.91.161.151:4497->193.91.161.20:21) is connected to the FTP server.
I 12/17/99 02:19:43 FTPD:test21:0003 (User=18446744073709551615 ) [WarFTPD::OnAccept()] Client (193.91.161.151:4498->193.91.161.20:21) is connected to the FTP server.
...
A large number of connections from a single IP address at the same time indicate an attack.
If logging of debug messages are enabled, the log will also show something like this:
D 12/17/99 02:19:48 FTPD:test21:000e (User=18446744073709551615 ) [WarFTPDControlSck::OnCommand()] Got command ".�bl�sJw�{aP�.q"
D 12/17/99 02:19:48 FTPD:test21:000e (User=18446744073709551615 ) [WarFTPDControlSck::OnCommand()] Got command "}�DGqD��YH"
D 12/17/99 02:19:48 FTPD:test21:000e (User=18446744073709551615 ) [WarFTPDControlSck::OnCommand()] Got command "05(�N^ m�PÓ’¹�àÌá�ø2Qc|"
War FTP Daemon 3.0 will have three levels of protection for this and similar attacks:
- 1) Dynamic interaction with firewall software to lock out flooders
- 2) Fast accept(); close(); cycles when connections are made too fast
- 3) Traffic analysis and temporary lock-outs for hosts that make
too many connection attempts (hammering protection).
Jarle
-
Jarle Aase
Author of freeware.
For support/suggestions: alt.comp.jgaa (newsgroup)
For information: info@mail.jgaa.com(email, auto-responder)
Private Email: jgaa@mail.jgaa.com
WWW: http://www.jgaa.com/
<no need to argue - just kill'em all!>
> -----Original Message-----
> From: Bugtraq List [mailto:BUGTRAQ@SECURITYFOCUS.COM]On Behalf Of Ussr
> Labs
> Sent: Tuesday, December 14, 1999 7:57 AM
> To: BUGTRAQ@SECURITYFOCUS.COM
> Subject: Local / Remote D.o.S Attack in War FTP Daemon 1.70
> Vulnerability
>
>
> Local / Remote D.o.S Attack in War FTP Daemon 1.70 Vulnerability
>
> PROBLEM
>
> UssrLabs found a Local/Remote DoS Attack in War FTP Daemon 1.70
> the buffer overflow is caused by a Multiples connections at the same time
> (over 60) in the ftp server , and some characters in the login name.
>
> There is not much to expand on.... just a simple hole
>
> For the source / binary of this remote / local D.O.S
> Go to: http://www.ussrback.com/
>
> Vendor Status:
> Contacted.
>
> Vendor Url: http://www.jgaa.com
> Program Url: http://www.jgaa.com/warftpd.htm
>
> Credit: USSRLABS
>
> SOLUTION
> Nothing yet.
>
>
> u n d e r g r o u n d s e c u r i t y s y s t e m s r e s e a r c h
> http://www.ussrback.com
>
