-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== secondmotion-SM-SA-02-03 Security Advisory ===================================================================== Topic: RhinoSoft Serv-U FTP Anonymous Remote DoS Vulnerability Announced: 2002-06-11 Updated: 2002-06-11 Tested on: Serv-U FTP 4.0.0.4 and earler Not affected: Serv-U FTP 4.1 Obsoletes: / http://www.secondmotion.com ===================================================================== This advisory is based on trial and error results both locally over a standard LAN FTP, and remote Internet FTP configurations. This vulnerability was reproduced remotely at Cat-Soft with the permission of Rob Beckers. This document is subject to change without prior notice. The software developers and software vendors were informed of this vulnerability on 17 September 2002. If anyone reading this is aware of any further information relating to this vulnerability, please contact the authors below or report via BugTraq. I. Background While working on a new security product to detect bugs in software, we considered that some FTP servers may work as fast as possible to clear the buffer in Windows sockets. Looking into this further in conjunction with our application we realised it may be possible to cause a Denial of Service (DoS) against certain FTP server products. II. Problem Description By connecting to the Serv-U FTP server as a anonymous user or a local user then its possible to issue MKD commands. Looping a MKD command to Serv-U it will cause the application to stop accepting connections. Although this may be likened to a normal DoS attack by sending mass amounts of data to the server this vulnerability can be launched over a 56k connection, and therefore should not be categorised as a straight DoS weakness. The fault is caused due to Serv-U having no flood protection against commands itself, only hammer attacks. MKD is used as it forces Serv-u to check the user has access to the folder, which causes it to stop processing requests. III. Impact: Version 4.04 and earler are affected by this vulnerability. Many home users/businesses use Serv-u FTP since it has a simple GUI and also has many easy-to-use features. Using this vulnerability, it is possible to remotely shutdown FTP servers operating this server application. IV. Solution As of November 01, 2002 Rhinosoft/Cat-Soft have release version 4.1 which is patched against this vulnerability. We recommend all users upgrade to Version 4.1 of Serv-U immediately. http://www.serv-u.com/download.htm V. Credits matt@secondmotion.com - Matt Thompson [Proof of Concept] paul@secondmotion.com - Paul Smurthwaite Rob Beckers - Cat-Soft [for working with us on this] VI. Source code A Proof of Concept tool can be provided at short notice on request. ===================================================================== - -ends- Matt Thompson - ---- DISCLAIMER & INFORMATION: This e-mail may contain proprietary information, some or all of which may be legally privileged. It is for the intended recipient only. If an addressing or transmission error has misdirected this e-mail, please notify the author by replying to this e-mail. If you are not the intended recipient you must NOT use, disclose, distribute, copy, print, or rely on this e-mail. Any and all file attachments to this message are scanned at source for viruses. This organisation has a strict policy on the transmission of viruses and will not accept ANY excuse for the receipt of viruses here, as a result of which, any message found to contain viruses will be deleted at this mail server WITHOUT being read. Persistent offenders will be banned from sending email to this domain. All messages sent from this domain and its specific accounts are digitally signed using our public PGP keys. This is your guarantee that the email you have received actually originated from our domain. More information on PGP can be found at http://www.pgp.com - ---- -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com> iQA/AwUBPckdXhqqCKK1Qd1fEQJSnwCgrr4Y32lXQCeXo1SbnFR2hsF9TbEAoIwP p+bGb34fPVVxmpoM4dzvDPvT =2KxE -----END PGP SIGNATURE-----
