Potential DOS Vulnerability in WFTPD

Type securityvulns
Reporter Securityvulns
Modified 2001-05-04T00:00:00


----- Begin Hush Signed Message from joetesta@hushmail.com -----

Potential DOS Vulnerability in WFTPD


WFTPD v3.00R5 is an ftp server available from http://www.wftpd.com and http://www.download.com. A potential denial-of-service vulnerability exists which allows a remote attacker to hang the server.


When a user attempts to change the current directory, the server first queries the directory, then determines if the operation should be allowed. This implementation exposes the server to a DOS attack if a malicious attacker continuously tries to change the current directory to the server's floppy drive. The following is an illustration of the problem:

> ftp localhost Connected to xxxxxxxxxx.rh.rit.edu. 220-This FTP site is running a copy of WFTPD that is NOT REGISTERED .. .. <registration nag header is edited out > .. 220 WFTPD 3.0 service (by Texas Imperial Software) ready for new user User (xxxxxxxxxx.rh.rit.edu:(none)): jdog 331 Give me your password, please Password: 230 Logged in successfully ftp> cd a:/ 501 User is not allowed to change to a:/ - returning to /. ftp>

The server correctly denies the action, but queries the A:&#92; drive

anyway. A DOS can achieved by repeating the 'cd a:/' command continuously. This problem will have varying effects, depending on your system configuration. An exploit written in PERL is available at: http://hogs.rit.edu/~joet/code/floppy_hell.pl


Disable your floppy drive in your system BIOS if your system configuration is vulnerable.

Vendor Status

Texas Imperial Software was contacted via <support@texis.com> and <info@texis.com> on Wednesday, April 25, 2001. Alun Jones, the program author, verified the behavior and plans on releasing a fix in the v3.1 branch.

- Joe Testa

e-mail: joetesta@hushmail.com web page: http://hogs.rit.edu/~joet AIM: LordSpankatron

----- Begin Hush Signature v1.3 ----- AIvjUxz+1xWYY/jIMUmHSud2wHZWCOIjJq/uVKIg/vz7ZFrfAu3IAgbltZtyKz9Hud03 1dBLyvynqMClThgETOW1Mjv4NLWhBRfg2gi7CpfrUfuyVFD0EeDFTyLScE93sIA+FE/K XCfZwnIGPgI65ZIUNcUI6+gDikKHGS9qsClUNACHQegBQ18T4ZTkzmmng3/Yes3PJUA+ E0GQb2dOymOgpD9rdW+6wa3Ou2lms/xWXkVt1Ktfw5Lf+k1mnc/qaIU+KDpoZpl0h77E cq7ZhCKALsF1IIlO/xGOZ6eZrWrdSibQtJaZ8B7HUsv9+j6ltAfEFJbCO0PkHxXWU/5a PwBo5qc2FogtQ1N5289gWUsKqJHqpt5WKMNcS+PIWAsBlxgxRPO4cuIzGnT/zBcWcDab 8iHF2uo46H4h5NaQoOYCTy0u/E7RACIsyFLr6BsgHINBaA8fywiEheyitb79lRYcd8BJ 7JJtCkbccr30PeBvPC2TzeEdFwqtlVEE3sIx+qQ8IUxo ----- End Hush Signature v1.3 -----

This message has been signed with a Hush Digital Signature. To verify the signature, please go to www.hush.com/tools

Free, encrypted, secure Web-based email at www.hushmail.com