Re: INFIGO-2006-05-03: Multiple FTP Servers vulnerabilities
<snip>
>-[ FileZilla vulnerabilities
>
>A few vulnerabilities in FileZilla weren't investigated beyond the crash. At
>the moment there is no further information whether those vulnerabilities are
>exploitable.
>The first vulnerability is triggered by sending a long PORT or PASS command
>(30 bytes) and MLSD command after it. This causes FileZilla to crash (DoS).
>The second vulnerability found in the FileZilla Server interface also leads
>to the DoS conditions.
>
<snip>
I tried to reproduce the given exploit, but no DoS here.
Here is the log of a session done against the FileZilla server:
(000007) 2006-05-09 09:34:23 - (not logged in) (192.168.200.22)> USER test
(000007) 2006-05-09 09:34:23 - (not logged in) (192.168.200.22)> 331 Password required for test
(000007) 2006-05-09 09:34:25 - (not logged in) (192.168.200.22)> PASS ****
(000007) 2006-05-09 09:34:25 - test (192.168.200.22)> 230 Logged on
(000007) 2006-05-09 09:34:45 - test (192.168.200.22)> PORT 123456789012345678901234567890
(000007) 2006-05-09 09:34:45 - test (192.168.200.22)> 501 Syntax error
(000007) 2006-05-09 09:34:49 - test (192.168.200.22)> MLSD
(000007) 2006-05-09 09:34:49 - test (192.168.200.22)> 503 Bad sequence of commands.
(000007) 2006-05-09 09:35:05 - test (192.168.200.22)> USER test
(000007) 2006-05-09 09:35:05 - (not logged in) (192.168.200.22)> 331 Password required for test
(000007) 2006-05-09 09:35:11 - (not logged in) (192.168.200.22)> PASS ******************************
(000007) 2006-05-09 09:35:11 - (not logged in) (192.168.200.22)> 530 Login or password incorrect!
(000007) 2006-05-09 09:35:15 - (not logged in) (192.168.200.22)> MLSD
(000007) 2006-05-09 09:35:15 - (not logged in) (192.168.200.22)> 530 Please log in with USER and PASS first.
Please show a log of the exploit, to be able to reproduce your results.
Please note 2.2.22 is the version of the FileZilla client.
The latest FileZilla server version is 0_9_16c.
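
As an added example (not part of the original post, and not FileZilla code): a Python scan of server log lines in the layout shown above for the sequence the quoted advisory describes, a PORT or PASS argument of 30 or more characters followed by MLSD in the same session, recording whether the server answered the MLSD. It assumes the masked PASS argument keeps the password's length, as it appears to in this log; `find_sequences`, `SAMPLE` and the sample lines are constructed for illustration.

```python
import re

# Layout copied from the session log above: (session) date time - user (ip)> text
LINE = re.compile(r"^\((\d+)\) (\S+ \S+) - (.+?) \((\d+(?:\.\d+){3})\)> (.*)$")
REPLY = re.compile(r"\d{3}(?:[ -]|$)")   # FTP reply lines start with a 3-digit code
LONG_ARG = 30                            # length named in the quoted advisory

def find_sequences(lines, long_arg=LONG_ARG):
    """Report each long PORT/PASS that is followed by MLSD in the same session.

    mlsd_reply is the server's answer to MLSD, or None when the log holds no
    answer (what a server that stopped on the command would leave behind).
    """
    armed, waiting, findings = {}, {}, []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        session, when, _user, ip, text = m.groups()
        if REPLY.match(text):
            if session in waiting:
                waiting.pop(session)["mlsd_reply"] = text
            continue
        verb, _, arg = text.partition(" ")
        verb = verb.upper()
        if verb in ("PORT", "PASS") and len(arg) >= long_arg:
            armed[session] = verb
        elif verb == "MLSD" and session in armed:
            hit = {"session": session, "ip": ip, "time": when,
                   "trigger": armed.pop(session), "mlsd_reply": None}
            findings.append(hit)
            waiting[session] = hit
    return findings

# Constructed sample (not from the original post); 192.0.2.x is a documentation range.
SAMPLE = """\
(000011) 2006-05-09 10:00:01 - test (192.0.2.10)> PORT 123456789012345678901234567890
(000011) 2006-05-09 10:00:01 - test (192.0.2.10)> 501 Syntax error
(000011) 2006-05-09 10:00:05 - test (192.0.2.10)> MLSD
(000011) 2006-05-09 10:00:05 - test (192.0.2.10)> 503 Bad sequence of commands.
(000012) 2006-05-09 10:01:00 - (not logged in) (192.0.2.11)> PASS ******************************
(000012) 2006-05-09 10:01:00 - (not logged in) (192.0.2.11)> 530 Login or password incorrect!
(000012) 2006-05-09 10:01:04 - (not logged in) (192.0.2.11)> MLSD
(000013) 2006-05-09 10:02:00 - test (192.0.2.12)> PORT 192,0,2,12,4,1
(000013) 2006-05-09 10:02:00 - test (192.0.2.12)> 200 Port command successful
(000013) 2006-05-09 10:02:03 - test (192.0.2.12)> MLSD
""".splitlines()

if __name__ == "__main__":
    for hit in find_sequences(SAMPLE):
        print(hit)
```

A finding whose mlsd_reply is a 5xx reply matches the behaviour in the session above; one with no reply at all is the case worth correlating with a service restart.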