Home / vulnerabilities wsftp75290-dos.txt
Posted on 13 July 2007
Source : packetstormsecurity.org Link
IPSwitch WS_FTP Logging Server Remote Denial of Service
------------------------------------------------
Version: 7.5.29.0 (Logsrv.exe)
Overview
--------
The WS FTP logging server is a daemon that listens on UDP port 5151 and
is shipped with WS FTP and by default is turned on and used by the local
WS FTP instance. It binds to the public IP address of the server and is
accessible externally, in part so that other WS FTP machines are able to
use it as a logging interface.
Description of Crash
--------------------
WS FTP uses a binary protocol to speak to the logging daemon, and each
transmission begins with a two byte header "0xab 0xaa". If using a long
string of characters to mangle the remaining portions of the message, a
pointer operation fails at:
0x00401769
cmp word ptr [ecx], 0AAADh
jnz short loc_401787
This crashes the process. By flipping two bytes immediately after the
two primary header bytes, you are also able to control where the
dereferencing address is at the time of the crash. However, this does
not appear to allow code execution on the remote host as the address
referenced is too far away from any user supplied input.
Discovered By
----------------
Justin Seitz of VDA Labs LLC (jseitz@vdalabs.com)
Full advisory and attack code location:
----------------------------------------
http://www.vdalabs.com/resources
http://www.vdalabs.com/tools/ipswitch.html
ipswitchlogsrv-killer.py - Change the IP and PORT numbers as necessary
at the top of the file. There are two bytes that lead to different
address offsets where the pointer dereference is attempted.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/