Dream FTP Server Format String Flaw Lets Remote Users Crash the FTP Service
|
|
SecurityTracker Alert ID: 1008976
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Feb 7 2004
|
Impact: Denial of service via network
|
Advisory: SP Research Labs
|
Version(s): 1.02
|
Description: badpack3t of SP Research Labs reported a format string vulnerability in Dream FTP Server. A remote user can cause the FTP service to crash.
It is reported that a remote user can connect to the target FTP service and supply the following string for the username value to
cause the FTP service to crash:
%n%n%n
It may be possible to execute arbitrary code on the target system, but the report did
not investigate the potential for code execution.
The original advisory is available at:
http://www.security-protocols.com/modules.php?name=News&file=article&sid=17
22
|
Impact: A remote user can cause the FTP service to crash.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.bolintech.com/ (Links to External Site)
|
Cause: Input validation error, State error
|
Underlying OS: Windows (Any)
|
Reported By: badpack3t <badpack3t@security-protocols.com>
|
Message History:
None.
|
Source Message Contents
|
Date: Sat, 7 Feb 2004 01:09:47 -0500 (EST)
From: badpack3t <badpack3t@security-protocols.com>
Subject: DreamFTP 1.02 Format String
|
This is a multi-part message in MIME format.
--------------060707090609020104020803
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
[Editor's note: The author (badpack3t) has reported that the flaw is a format string bug,
not a buffer overflow.]
Hi,
Can you please publish the following advisory on your site?
http://www.security-protocols.com/modules.php?name=News&file=article&sid=1722
Thanks,
badpack3t
founder
www.security-protocols.com
--------------060707090609020104020803
Content-Type: text/plain;
name="sp-x09-advisory.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="sp-x09-advisory.txt"
SP Research Labs Advisory x09
-----------------------------
DreamFTP 1.02 Buffer Overflow
------------------------------------
Vendor Home Page:
http://www.bolintech.com/
Date Released - 2.6.2004
------------------------------------
Product Description from the vendor:
Dream FTP Server provides powerful, multithreaded and robust FTP server performance with a user-frien
dly and easy-of-use interfaces.
--------------------
Buffer Overflow
When connecting to the ftp server and supplying %n%n%n for the username, the ftp server crashes.
Example:
--------
C:\>ftp 192.168.1.101
Connected to 192.168.1.101.
220- ****************************************
220-
220- Welcome to Dream FTP Server
220- Copyright 2002 - 2004
220- BolinTech Inc.
220-
220- ****************************************
220-
220
User (192.168.1.101:(none)): %n%n%n
Connection closed by remote host.
**Application Crashes**
----------
Exploit:
Not worth the time to debug and code an exploit.
-----------------------
Tested on WindowsXP SP1
Original Advisory:
http://www.security-protocols.com/modules.php?name=News&file=article&sid=1722
peace out,
------------------------------
badpack3t
www.security-protocols.com
http://fux0r.phathookups.com
------------------------------
--------------060707090609020104020803--
|
|
