Home page logo
/

bugtraq logo Bugtraq mailing list archives

Statement: Local / Remote D.o.S Attack in War FTP Daemon 1.70
From: jgaa () JGAA COM (Jarle Aase)
Date: Fri, 17 Dec 1999 04:01:14 +0100


War FTP Daemon 1.70 is beta software, and will be replaced with a new major version early next year. The development on 
the 1.70 source tree has stopped, and no new versions of 1.7* is planned, - unless some serious security problems are 
reported. 

The Remote D.o.S Attack does stall the server. There is however no indication of any buffer-overflow problems or other 
security-related problems. 

The attack is logged to the server-log if the default log options are enabled. An attack of this type may look like 
this in the server log:

I 12/17/99 02:19:43 FTPD:test21:0001 (User=18446744073709551615  ) [WarFTPD::OnAccept()] Client 
(193.91.161.151:4496->193.91.161.20:21) is connected to the FTP server.
I 12/17/99 02:19:43 FTPD:test21:0002 (User=18446744073709551615  ) [WarFTPD::OnAccept()] Client 
(193.91.161.151:4497->193.91.161.20:21) is connected to the FTP server.
I 12/17/99 02:19:43 FTPD:test21:0003 (User=18446744073709551615  ) [WarFTPD::OnAccept()] Client 
(193.91.161.151:4498->193.91.161.20:21) is connected to the FTP server.
...

A large number of connections from a single IP address at the same time indicate an attack.

If logging of debug messages are enabled, the log will also show something like this:

D 12/17/99 02:19:48 FTPD:test21:000e (User=18446744073709551615  ) [WarFTPDControlSck::OnCommand()] Got command 
".blsJw{aP.q"
D 12/17/99 02:19:48 FTPD:test21:000e (User=18446744073709551615  ) [WarFTPDControlSck::OnCommand()] Got command 
"}DGqDYH"
D 12/17/99 02:19:48 FTPD:test21:000e (User=18446744073709551615  ) [WarFTPDControlSck::OnCommand()] Got command "05(N^ 
mPӒ¹àÌáø2Qc|"

War FTP Daemon 3.0 will have three levels of protection for this and similar attacks:

   - 1) Dynamic interaction with firewall software to lock out flooders
   - 2) Fast accept(); close(); cycles when connections are made too fast
   - 3) Traffic analysis and temporary lock-outs for hosts that make
        too many connection attempts (hammering protection).

Jarle

- 
Jarle Aase
Author of freeware.

For support/suggestions: alt.comp.jgaa (newsgroup)
For information: info () mail jgaa com(email, auto-responder)
Private Email: jgaa () mail jgaa com
WWW: http://www.jgaa.com/
<no need to argue - just kill'em all!> 

-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM]On Behalf Of Ussr
Labs
Sent: Tuesday, December 14, 1999 7:57 AM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Local / Remote D.o.S Attack in War FTP Daemon 1.70
Vulnerability


Local / Remote D.o.S Attack in War FTP Daemon 1.70 Vulnerability

PROBLEM

UssrLabs found a Local/Remote DoS Attack in War FTP Daemon 1.70
the buffer overflow is caused by a Multiples connections at the same time
(over 60) in the ftp server , and some characters in the login name.

There is not much to expand on.... just a simple hole

For the source / binary of this remote / local D.O.S
Go to: http://www.ussrback.com/

Vendor Status:
Contacted.

Vendor   Url: http://www.jgaa.com
Program Url: http://www.jgaa.com/warftpd.htm

Credit: USSRLABS

SOLUTION
    Nothing yet.


u n d e r g r o u n d  s e c u r i t y  s y s t e m s  r e s e a r c h
http://www.ussrback.com



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault