[SIG^2 G-TEC] SurgeFTP LEAK Command Denial-Of-Service Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: [SIG^2 G-TEC] SurgeFTP LEAK Command Denial-Of-Service Vulnerability
From: <chewkeong@xxxxxxxxxxxxxxx>
Date: 7 Apr 2005 15:54:53 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


SIG^2 Vulnerability Research Advisory

SurgeFTP LEAK Command Denial-Of-Service Vulnerability

by Tan Chew Keong
Release Date: 07 Apr 2005


ADVISORY URL
http://www.security.org.sg/vuln/surgeftp22m1.html


SUMMARY

SurgeFTP (http://netwinsite.com/surgeftp/) is an FTP server with SSL/TLS 
security, easy management and cross platform support. It is available for 
Windows, Solaris and Linux. A denial-of-service vulnerability was found in 
SurgeFTP, which may be exploited to crash the server or to prevent it from 
correctly serving files.
 
 
TESTED SYSTEM

SurgeFTP Version 2.2m1 and 2.2k3 Windows on English Win2K SP4, WinXP SP2.

 
DETAILS

SurgeFTP is an FTP server with SSL/TLS security, easy management and cross 
platform support. It is available for Windows, Solaris and Linux. A 
denial-of-service vulnerability was found in SurgeFTP, which may be exploited 
to crash the server or to prevent it from correctly serving files.

SurgeFTP responds to a non-standard FTP command, LEAK. It is postulated that 
this command may have been intended to be used to test the server's response to 
file handle leakages. Upon receiving the LEAK command, SurgeFTP will call the 
cmd_leak() function. cmd_leak() will in turn call the mgr_cmd_openmore() 
function. mgr_cmd_openmore() will open the file "a.a_write" 925 times, thus 
potentially causing the process to run out of file handles. 

Subsequently, the main thread will call the detect_imobilizing_bug() function. 
This function will try to open 9 test files. i.e. testfile.0, testfile.1, ..., 
testfile.9. If the LEAK command has been issued before, this function will be 
unable to open any of the 9 test files.  This causes a code branch to be taken 
that will cause a write exception.

This LEAK command can be sent prior to authentication. i.e. it can be sent 
immediately after connecting to the FTP server. On a Win2K system, this will 
cause SurgeFTP to stop receiving any connections until the service is 
automatically restarted by the SC Manager. On a WinXP system, SurgeFTP will 
continue to accept FTP connections, but will be unable to send or receive any 
files. Logging of FTP commands to cmds.log will also fail until the server is 
automatically restarted.


PATCH

Upgrade to version 2.2m2.

 
DISCLOSURE TIMELINE

03 Apr 05 - Vulnerability Discovered.
05 Apr 05 - Initial Vendor Notification.
06 Apr 05 - Vendor Released Fixed Version.
07 Apr 05 - Public Release.


GREETINGS

All guys at SIG^2 G-TEC Lab
http://www.security.org.sg/webdocs/g-tec.html 

"IT Security...the Gathering. By enthusiasts for enthusiasts."

Prev by Date: Re: [ GLSA 200503-12 ] Hashcash: Format string vulnerability
Next by Date: Re: crontab from vixie-cron allows read other users crontabs
Previous by thread: [ GLSA 200504-06 ] sharutils: Insecure temporary file creation
Next by thread: iDEFENSE Security Advisory 04.07.05: SGI IRIX gr_osview Information Disclosure Vulnerability
Index(es):
- Date
- Thread