
11.04.02a.txt

Posted Nov 13, 2002
Authored by David Endler, Texonet | Site idefense.com

iDEFENSE Security Advisory 11.04.02a - Pablo Software Solutions' FTP Server v1.5 and below is a multi-threaded FTP server for Windows 98, NT 4.0, 2000 and XP that contains a remotely exploitable buffer overflow vulnerability. Fix available here.

tags | overflow
systems | windows
SHA-256 | baa01c7e8344ba2565fc81e13b9f3b233aad068c7e8e6a3fb844674096cd92e8

iDEFENSE Security Advisory 11.04.02a: 
http://www.idefense.com/advisory/11.04.02a.txt
Pablo FTP Server DoS Vulnerability
November 4, 2002

I. BACKGROUND

Pablo Software Solutions' FTP Server is a multi-threaded FTP server for
Windows 98, NT 4.0, 2000 and XP. More information about it is available at
http://www.pablovandermeer.nl/ftp_server.html.

II. DESCRIPTION

Because of its incorrect handling of format string markers in user-provided
input, the FTP Server can be remotely crashed if it attempts to process such
malformed input; code execution is also a possibility. The denial of service
condition is exploited by attempting to log in to the target FTP server as '%n'.

III. ANALYSIS

Successful exploitation should crash the FTP server. What is most damaging
about this is that the files and resources readily made available by the
server's proper functionality are inaccessible for the duration that the server
is attacked. While no exploit currently exists, it is possible to execute
arbitrary code.

IV. DETECTION

Pablo FTP Server 1.3 and 1.5, running on Windows 2000, are vulnerable; version
1.2 is reportedly vulnerable as well. Connecting to an arbitrary Pablo FTP
Server and providing a username of "%x%x%x%x" can determine susceptibility.
The server is vulnerable if an entry such as the following is found in the
produced log files:

[1064] 530 Please login with USER and PASS
[1064] USER f7db018409be31
[1064] 331 Password required for 247db018409be32

The username values that show up in the log files are pulled from memory
(the stack) and should differ from system to system.

V. WORKAROUND

Use a filtering proxy server to help mitigate the attack by blocking requests
that contain format string markers.
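
The check from Section IV and the filter from Section V, sketched as an added
example that is not part of the iDEFENSE advisory or the vendor's code. It
assumes the "[id] text" log layout shown above, and the mismatch heuristic
(logged USER value differs from the name echoed in the 331 reply) is an
assumption drawn from that sample; the function names and the second session
in the sample data are constructed.

```python
import re

# printf-style conversion: % [flags] [width] [.precision] [length] conversion
FORMAT_MARKER = re.compile(
    r"%[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|L|z|j|t)?[diouxXeEfgGcspn]")
LOG_LINE = re.compile(r"^\[(\d+)\]\s+(.*)$")           # "[1064] USER ..."
PASS_REQ = re.compile(r"^331 Password required for (.*)$")


def has_format_marker(command_line):
    """Filter side: True if an FTP control line carries a format marker."""
    return FORMAT_MARKER.search(command_line) is not None


def scan_log(lines):
    """Log side: return (session, logged_user, echoed_user) where they differ.

    A healthy server echoes the same name it logged for USER. In the
    advisory's sample the two values differ because each was formatted
    separately from whatever was on the stack at the time.
    """
    pending = {}  # session id -> username taken from the last USER line
    hits = []
    for raw in lines:
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue
        sid, text = m.groups()
        if text.upper().startswith("USER "):
            pending[sid] = text[5:].strip()
            continue
        echoed = PASS_REQ.match(text)
        if echoed and sid in pending:
            user = pending.pop(sid)
            if user != echoed.group(1).strip():
                hits.append((sid, user, echoed.group(1).strip()))
    return hits


SAMPLE_LOG = [
    "[1064] 530 Please login with USER and PASS",        # from the advisory
    "[1064] USER f7db018409be31",                        # from the advisory
    "[1064] 331 Password required for 247db018409be32",  # from the advisory
    "[2040] USER alice",                                 # constructed
    "[2040] 331 Password required for alice",            # constructed
]
```

The filter will also flag a legitimate name that happens to contain a percent
sign followed by a conversion letter, which is acceptable for a stopgap until
version 1.51 is installed.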

VI. VENDOR FIX

Version 1.51, which fixes the problem, is available at
http://www.pablovandermeer.nl/ftpserver.zip.

VII. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
assigned the identification number CAN-2002-1244 to this issue.

VIII. DISCLOSURE TIMELINE

10/15/2002 Issue disclosed to iDEFENSE
10/31/2002 Author notified
10/31/2002 iDEFENSE clients notified
11/01/2002 Response received from pablovandermeer@kabelfoon.nl
11/04/2002 Coordinated Public disclosure

IX. CREDIT

Texonet (http://www.texonet.com) discovered this vulnerability.