RhinoSoft Serv-U FTP Server Can Be Crashed By Remote Authenticated Users Sending Repeated 'MKD' Commands
SecurityTracker Alert ID: 1005591
SecurityTracker URL: http://securitytracker.com/id/1005591
Date: Nov 9 2002
Denial of service via network
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): 4.0.4 and prior versions
A denial of service vulnerability was reported in RhinoSoft's Serv-U FTP server. A remote authenticated user can cause the server to stop accepting connections.
Secondmotion issued an advisory warning that a remote authenticated user (including an anonymous account user) can issue repetitive MKD (make directory) commands to cause the server to stop accepting connections.
According to the report, the software does not protect against a flood of commands.
[Editor's note: This report was apparently posted to the Bugtraq mailing list on November 6, 2002. However, as of the time of this Alert entry on November 9, 2002, the message had not yet been distributed via Bugtraq.]
A remote authenticated user (including an anonymous FTP user) can cause the FTP server to stop accepting connections.
The vendor has issued a fixed version (4.1), available at:
Current customers can contact technical support for more information:
Vendor URL: www.serv-u.com/
Source Message Contents
Date: Sat, 09 Nov 2002 13:34:02 -0500
Subject: RhinoSoft Serv-U FTP Anonymous Remote DoS Vulnerability
Message From [secondmotion]-Matt Thompson <email@example.com>
secondmotion-SM-SA-02-03 Security Advisory
Topic: RhinoSoft Serv-U FTP Anonymous Remote DoS Vulnerability
Tested on: Serv-U FTP 4.0.4 and earlier
Not affected: Serv-U FTP 4.1
This advisory is based on trial and error results both locally over
a standard LAN FTP, and remote Internet FTP configurations. This
vulnerability was reproduced remotely at Cat-Soft with the permission
of Rob Beckers. This document is subject to change without prior
The software developers and software vendors were informed of this
vulnerability on 17 September 2002.
If anyone reading this is aware of any further information relating
to this vulnerability, please contact the authors below or report
While working on a new security product to detect bugs in
software, we considered that some FTP servers may work as
fast as possible to clear the buffer in Windows sockets.
Looking into this further in conjunction with our application
we realised it may be possible to cause a Denial of Service
(DoS) against certain FTP server products.
II. Problem Description
By connecting to the Serv-U FTP server as an anonymous user or
a local user, it is possible to issue MKD commands.
Looping an MKD command to Serv-U will cause the application
to stop accepting connections. Although this may be likened
to a normal DoS attack by sending mass amounts of data to the server
this vulnerability can be launched over a 56k connection, and
therefore should not be categorised as a straight DoS weakness.
The fault is caused due to Serv-U having no flood protection
against commands itself, only hammer attacks. MKD is used as it
forces Serv-U to check the user has access to the folder,
which causes it to stop processing requests.
Version 4.04 and earlier are affected by this vulnerability.
Many home users/businesses use Serv-U FTP since it has a simple
GUI and also has many easy-to-use features. Using this
it is possible to remotely shutdown FTP servers operating this
As of November 01, 2002 Rhinosoft/Cat-Soft have released version 4.1
which is patched against this vulnerability. We recommend all
users upgrade to Version 4.1 of Serv-U immediately.
firstname.lastname@example.org - Matt Thompson [Proof of Concept]
email@example.com - Paul Smurthwaite
Rob Beckers - Cat-Soft [for working with us on this]
VI. Source code
A Proof of Concept tool can be provided at short notice on request.
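As an added example (not code from the advisory, from secondmotion or from RhinoSoft), the following Python detector shows how a defender could spot the command-rate abuse the advisory describes from FTP command logs: it counts MKD commands per client inside a sliding time window, the per-command flood check the advisory says Serv-U 4.0.4 lacked, rather than measuring bytes sent. The log line format, field order, client addresses and thresholds are all assumptions constructed for this example.

```python
"""Flag clients that flood an FTP server with MKD commands.

Constructed log format (assumed): '<ISO timestamp> <client ip> <user> <FTP command ...>'.
"""
from collections import deque
from datetime import datetime

WINDOW_SECONDS = 10      # sliding window length (assumed tuning value)
MAX_MKD_PER_WINDOW = 20  # MKD commands one client may send per window (assumed)


def parse_line(line):
    """Split one constructed log line into (timestamp, client, user, verb)."""
    ts, client, user, command = line.split(None, 3)
    return datetime.fromisoformat(ts), client, user, command.split()[0].upper()


def detect_mkd_floods(lines, window=WINDOW_SECONDS, limit=MAX_MKD_PER_WINDOW):
    """Return [(client, user, timestamp)] for each MKD that pushes a client
    past `limit` MKD commands within `window` seconds. Lines must be in time order."""
    recent = {}   # client ip -> deque of MKD timestamps still inside the window
    alerts = []
    for line in lines:
        ts, client, user, verb = parse_line(line)
        if verb != "MKD":
            continue
        q = recent.setdefault(client, deque())
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # expire old entries
            q.popleft()
        if len(q) > limit:
            alerts.append((client, user, ts.isoformat()))
            q.clear()   # one alert per burst; counting restarts afterwards
    return alerts


# Constructed sample: a normal user, then an anonymous client sending
# 25 MKD commands in 5 seconds (5 per second), well within 56k bandwidth.
SAMPLE_LOG = [
    "2002-11-06T10:00:00 192.0.2.10 alice CWD /pub",
    "2002-11-06T10:00:01 192.0.2.10 alice MKD upload",
    "2002-11-06T10:00:02 192.0.2.10 alice LIST",
] + [f"2002-11-06T10:01:{i // 5:02d} 192.0.2.77 anonymous MKD dir{i}" for i in range(25)]

if __name__ == "__main__":
    for client, user, when in detect_mkd_floods(SAMPLE_LOG):
        print(f"MKD flood from {client} ({user}) at {when}")
```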