Pablo FTP Server Username Format String

2004-04-08T22:56:11
ID OSVDB:4996
Type osvdb
Reporter Texonet()
Modified 2004-04-08T22:56:11

Description

Vulnerability Description

Pablo FTP Server contains a flaw that may allow a remote denial of service. The issue is triggered when an attacker supplies a username containing format specifiers, and will result in loss of availability for the service. It is believed that execution of arbitrary code is possible as well.

Solution Description

Upgrade to version 1.51 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by installing a filtering proxy that block requests containing format string markers.

Short Description

Pablo FTP Server contains a flaw that may allow a remote denial of service. The issue is triggered when an attacker supplies a username containing format specifiers, and will result in loss of availability for the service. It is believed that execution of arbitrary code is possible as well.

Manual Testing Notes

Connecting to an arbitrary Pablo FTP Server and providing a username of "%x%x%x%x" can determine susceptibility. The server is vulnerable if an entry such as the following is found in the produced log files:

[1064] 530 Please login with USER and PASS [1064] USER f7db018409be31 [1064] 331 Password required for 247db018409be32

The username values that show up in the log files are pulled from memory (the stack) and should differ from system to system.

References:

Secunia Advisory ID:7439 Other Advisory URL: http://www.idefense.com/application/poi/display?id=42&type=vulnerabilities Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2002-q4/0375.html ISS X-Force ID: 10532 CVE-2002-1244 Bugtraq ID: 6099