Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » RhinoSoft Serv-U FTP Anonymous Remote DoS Vulnerability

RhinoSoft Serv-U FTP Anonymous Remote DoS Vulnerability

by Nikola Strahija on November 9th, 2002 Tested on: Serv-U FTP 4.0.0.4 and earler


Not affected: Serv-U FTP 4.1
Obsoletes: /
http://www.secondmotion.com
=====================================================================

This advisory is based on trial and error results both locally over
a standard LAN FTP, and remote Internet FTP configurations. This
vulnerability was reproduced remotely at Cat-Soft with the permission
of Rob Beckers. This document is subject to change without prior
notice.

The software developers and software vendors were informed of this
vulnerability on 17 September 2002.

If anyone reading this is aware of any further information relating
to this vulnerability, please contact the authors below or report
via BugTraq.


I. Background

While working on a new security product to detect bugs in
software, we considered that some FTP servers may work as
fast as possible to clear the buffer in Windows sockets.
Looking into this further in conjunction with our application
we realised it may be possible to cause a Denial of Service
(DoS) against certain FTP server products.

II. Problem Description

By connecting to the Serv-U FTP server as a anonymous user or
a local user then its possible to issue MKD commands.
Looping a MKD command to Serv-U it will cause the application
to stop accepting connections. Although this may be likened
to a normal DoS attack by sending mass amounts of data to the server
this vulnerability can be launched over a 56k connection, and
therefore should not be categorised as a straight DoS weakness.
The fault is caused due to Serv-U having no flood protection
against commands itself, only hammer attacks. MKD is used as it
forces Serv-u to check the user has access to the folder,
which causes it to stop processing requests.

III. Impact:

Version 4.04 and earler are affected by this vulnerability.
Many home users/businesses use Serv-u FTP since it has a simple
GUI and also has many easy-to-use features. Using this
vulnerability,
it is possible to remotely shutdown FTP servers operating this
server application.

IV. Solution

As of November 01, 2002 Rhinosoft/Cat-Soft have release version 4.1
which is patched against this vulnerability. We recommend all
users upgrade to Version 4.1 of Serv-U immediately.
http://www.serv-u.com/download.htm


V. Credits

[email protected] - Matt Thompson [Proof of Concept]
[email protected] - Paul Smurthwaite
Rob Beckers - Cat-Soft [for working with us on this]

VI. Source code

A Proof of Concept tool can be provided at short notice on request.

=====================================================================
- -ends-


Matt Thompson

- ----
DISCLAIMER & INFORMATION: This e-mail may contain proprietary
information, some or all of which may be legally privileged. It is
for the intended recipient only. If an addressing or transmission
error has misdirected this e-mail, please notify the author by
replying to this e-mail. If you are not the intended recipient you
must NOT use, disclose, distribute, copy, print, or rely on this
e-mail.

Any and all file attachments to this message are scanned at source
for viruses. This organisation has a strict policy on the
transmission of viruses and will not accept ANY excuse for the
receipt of viruses here, as a result of which, any message found to
contain viruses will be deleted at this mail server WITHOUT being
read. Persistent offenders will be banned from sending email to this
domain.

All messages sent from this domain and its specific accounts are
digitally signed using our public PGP keys. This is your guarantee
that the email you have received actually originated from our domain.
More information on PGP can be found at http://www.pgp.com
- ----


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »