Category:   Application (File Transfer/Sharing)  >   Pablo's FTP Server
Vendors:   Pablo Software Solutions
Pablo's FTP Server Input Validation Flaw Lets Remote Users Crash the FTP Service or Possibly Execute Arbitrary Code
SecurityTracker Alert ID:  1005527
SecurityTracker URL:  http://securitytracker.com/id/1005527
CVE Reference:   CVE-2002-1244
Date:  Nov 4 2002
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 1.5 and some prior versions
Description:   An input validation vulnerability was reported in Pablo's FTP Server for Microsoft Windows platforms. A remote user can cause the FTP service to crash. Remote code execution may also be possible.

iDEFENSE reported that the software does not properly process format string characters in user-supplied input. A remote user can supply a specially crafted string while attempting to log in to cause the FTP service to crash. According to the report, it may also be possible for the remote user to cause arbitrary code to be executed.

To determine if your server is vulnerable, you can reportedly provide a username of "%x%x%x%x" and then check the log for unusual values for the USER name.

Impact:   A remote user can cause the FTP service to crash. A remote user may be able to cause arbitrary code to be executed with the privileges of the FTP service.
Solution:   The vendor has released a fixed version (1.51), available at:

http://www.pablovandermeer.nl/ftpserver.zip

Vendor URL:  www.pablovandermeer.nl/ftp_server.html
Cause:   Input validation error
Underlying OS:  Windows (NT), Windows (98), Windows (2000), Windows (XP)

Message History:   None.


 Source Message Contents

Subject:  [Full-Disclosure] iDEFENSE Security Advisory 11.04.02a: Pablo FTP Server DoS Vulnerability


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDEFENSE Security Advisory 11.04.02a: 
http://www.idefense.com/advisory/11.04.02a.txt
Pablo FTP Server DoS Vulnerability
November 4, 2002

I. BACKGROUND

Pablo Software Solutions' FTP Server is a multi-threaded FTP server
for Windows 98, NT 4.0, 2000 and XP. More information about it is
available at http://www.pablovandermeer.nl/ftp_server.html.

II. DESCRIPTION

Because of its incorrect handling of format string markers in
user-provided input, the FTP Server can be remotely crashed if it
attempts to process such malformed input; code execution is also a
possibility. The denial of service condition is exploited by
attempting to login to the target FTP server as '%n'.

III. ANALYSIS

Successful exploitation should crash the FTP server. What is most
damaging about this is that the files and resources readily made
available by the server's proper functionality are inaccessible for
the duration that the server is attacked. While no exploit currently
exists, it is possible to execute arbitrary code. 

IV. DETECTION

Pablo FTP Server 1.3 and 1.5, running on Windows 2000; version 1.2 is
reportedly vulnerable as well. Connecting to an arbitrary Pablo FTP
Server and providing a username of "%x%x%x%x" can determine
susceptibility. The server is vulnerable if an entry such as the
following is found in the produced log files:

[1064] 530 Please login with USER and PASS
[1064] USER f7db018409be31
[1064] 331 Password required for 247db018409be32

The username values that show up in the log files are pulled from
memory (the stack) and should differ from system to system.

V. WORKAROUND

Use a filtering proxy server to help mitigate the attack by blocking
requests that contain format string markers.

VI. VENDOR FIX

Version 1.51, which fixes the problem, is available at
http://www.pablovandermeer.nl/ftpserver.zip.

VII. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
assigned the identification number CAN-2002-1244 to this issue.

VIII. DISCLOSURE TIMELINE

10/15/2002	Issue disclosed to iDEFENSE
10/31/2002	Author notified
10/31/2002	iDEFENSE clients notified
11/01/2002	Response received from pablovandermeer@kabelfoon.nl
11/04/2002	Coordinated public disclosure

IX. CREDIT

Texonet (http://www.texonet.com) discovered this vulnerability.


Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories:
send email to listserv@idefense.com, subject line: "subscribe"


About iDEFENSE:

iDEFENSE is a global security intelligence company that proactively
vulnerabilities and hacker profiling to the global spread of viruses
and other malicious code. Our security intelligence services provide 
decision-makers, frontline security professionals and network 
administrators with timely access to actionable intelligence
and decision support on cyber-related threats. For more information,
visit http://www.idefense.com.


- -dave

David Endler, CISSP
Director, Technical Intelligence
iDEFENSE, Inc.
14151 Newbrook Drive
Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071

dendler@idefense.com
www.idefense.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1.2
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A

iQA/AwUBPcYIW0rdNYRLCswqEQINEACguhUQdfsZMdi1ghixV8EzWztab7cAoPXf
/vGQAyMHjmc1fXCz9Kb8zHi5
=ATmX
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
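
Added example, not part of the iDEFENSE advisory or the vendor's code: a C sketch of the defect class the advisory describes and of the check a filtering proxy (section V) could apply to each FTP command line. The names log_user and has_format_marker are hypothetical, the server's real logging code is not shown on this page, and the sample command lines are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical log helper; the advisory does not show the server's source.
 * The defect class it describes is client text used as the format itself:
 *     snprintf(out, n, user);   // "%x" reads stack words, "%n" writes memory
 * The hardened form uses a fixed format and passes the name only as data. */
int log_user(char *out, size_t n, const char *user)
{
    return snprintf(out, n, "USER %s", user);
}

/* Filter predicate for the section V workaround: returns 1 if the command
 * line holds a printf conversion (%x, %n, %08x, %5$n, %hhn, "% d"), else 0.
 * "%%" and a trailing '%' are inert to printf and are not reported. */
int has_format_marker(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        const char *p = s + 1;
        if (*p == '%') {            /* literal percent: skip the pair */
            s = p;
            continue;
        }
        p += strspn(p, "0123456789$-+ #'.*");  /* position, flags, width, precision */
        p += strspn(p, "hlLqjzt");             /* length modifiers */
        if (*p && strchr("diouxXeEfFgGaAcspn", *p))
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample command lines, not captured traffic. */
    const char *samples[] = { "USER anonymous", "USER %x%x%x%x",
                              "USER %n", "USER 100%%" };
    char line[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        log_user(line, sizeof line, samples[i] + 5);
        printf("%-16s -> %s\n", line,
               has_format_marker(samples[i]) ? "block" : "pass");
    }
    return 0;
}
```

With the fixed format, the log records the literal text "%x%x%x%x" as the user name instead of the stack-derived values shown in section IV.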


 
 

