From dendler@idefense.com Sat Nov 9 10:46:34 2002
From: David Endler
To: full-disclosure@lists.netsys.com
Date: Mon, 4 Nov 2002 00:43:58 -0500
Subject: [Full-Disclosure] iDEFENSE Security Advisory 11.04.02a: Pablo FTP Server DoS Vulnerability

iDEFENSE Security Advisory 11.04.02a:
http://www.idefense.com/advisory/11.04.02a.txt

Pablo FTP Server DoS Vulnerability
November 4, 2002

I. BACKGROUND

Pablo Software Solutions' FTP Server is a multi-threaded FTP server for Windows 98, NT 4.0, 2000 and XP. More information about it is available at http://www.pablovandermeer.nl/ftp_server.html.

II. DESCRIPTION

The FTP Server does not correctly handle format string markers in user-provided input, so a remote client can crash it by making it process such malformed input; code execution is also a possibility. The denial of service condition is triggered by attempting to log in to the target FTP server with the username '%n'.

III. ANALYSIS

Successful exploitation should crash the FTP server. The main impact is that the files and resources the server normally makes available become inaccessible for as long as the server is under attack. While no exploit currently exists, it is possible to execute arbitrary code.

IV. DETECTION

Pablo FTP Server 1.3 and 1.5 running on Windows 2000 are affected; version 1.2 is reportedly vulnerable as well. Susceptibility can be determined by connecting to a Pablo FTP Server and providing a username of "%x%x%x%x". The server is vulnerable if an entry such as the following appears in the log files:

[1064] 530 Please login with USER and PASS
[1064] USER f7db018409be31
[1064] 331 Password required for 247db018409be32

The username values that show up in the log files are pulled from memory (the stack) and will differ from system to system.

V. WORKAROUND

Use a filtering proxy server to help mitigate the attack by blocking requests that contain format string markers.

VI. VENDOR FIX

Version 1.51, which fixes the problem, is available at http://www.pablovandermeer.nl/ftpserver.zip.

VII. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project assigned the identification number CAN-2002-1244 to this issue.

VIII. DISCLOSURE TIMELINE

10/15/2002 Issue disclosed to iDEFENSE
10/31/2002 Author notified
10/31/2002 iDEFENSE clients notified
11/01/2002 Response received from pablovandermeer@kabelfoon.nl
11/04/2002 Coordinated public disclosure

IX. CREDIT

Texonet (http://www.texonet.com) discovered this vulnerability.

Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories: send email to listserv@idefense.com, subject line: "subscribe"

About iDEFENSE: iDEFENSE is a global security intelligence company that proactively monitors sources throughout the world, from technical vulnerabilities and hacker profiling to the global spread of viruses and other malicious code. Our security intelligence services provide decision-makers, frontline security professionals and network administrators with timely access to actionable intelligence and decision support on cyber-related threats. For more information, visit http://www.idefense.com.

-dave

David Endler, CISSP
Director, Technical Intelligence
iDEFENSE, Inc.
14151 Newbrook Drive Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071
dendler@idefense.com
www.idefense.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html