SurgeFTP is susceptible to a LEAK command denial of service vulnerability. Tested versions include SurgeFTP versions 2.2m1 and 2.2k3 Windows on English Win2K SP4, WinXP SP2.
870f7f9a0e500e8dfffd3386dd856ff95f0c6018ebb9e1b154f414caa090d494
SIG^2 Vulnerability Research Advisory
SurgeFTP LEAK Command Denial-Of-Service Vulnerability
by Tan Chew Keong
Release Date: 07 Apr 2005
ADVISORY URL
http://www.security.org.sg/vuln/surgeftp22m1.html
SUMMARY
SurgeFTP (http://netwinsite.com/surgeftp/) is an FTP server with SSL/TLS security, easy management and cross platform support. It is available for Windows, Solaris and Linux. A denial-of-service vulnerability was found in SurgeFTP, which may be exploited to crash the server or to prevent it from correctly serving files.
TESTED SYSTEM
SurgeFTP Version 2.2m1 and 2.2k3 Windows on English Win2K SP4, WinXP SP2.
DETAILS
SurgeFTP is an FTP server with SSL/TLS security, easy management and cross platform support. It is available for Windows, Solaris and Linux. A denial-of-service vulnerability was found in SurgeFTP, which may be exploited to crash the server or to prevent it from correctly serving files.
SurgeFTP responds to a non-standard FTP command, LEAK. It is postulated that this command may have been intended to be used to test the server's response to file handle leakages. Upon receiving the LEAK command, SurgeFTP will call the cmd_leak() function. cmd_leak() will in turn call the mgr_cmd_openmore() function. mgr_cmd_openmore() will open the file "a.a_write" 925 times, thus potentially causing the process to run out of file handles.
Subsequently, the main thread will call the detect_imobilizing_bug() function. This function will try to open 9 test files. i.e. testfile.0, testfile.1, ..., testfile.9. If the LEAK command has been issued before, this function will be unable to open any of the 9 test files. This causes a code branch to be taken that will cause a write exception.
This LEAK command can be sent prior to authentication. i.e. it can be sent immediately after connecting to the FTP server. On a Win2K system, this will cause SurgeFTP to stop receiving any connections until the service is automatically restarted by the SC Manager. On a WinXP system, SurgeFTP will continue to accept FTP connections, but will be unable to send or receive any files. Logging of FTP commands to cmds.log will also fail until the server is automatically restarted.
PATCH
Upgrade to version 2.2m2.
DISCLOSURE TIMELINE
03 Apr 05 - Vulnerability Discovered.
05 Apr 05 - Initial Vendor Notification.
06 Apr 05 - Vendor Released Fixed Version.
07 Apr 05 - Public Release.
GREETINGS
All guys at SIG^2 G-TEC Lab
http://www.security.org.sg/webdocs/g-tec.html
"IT Security...the Gathering. By enthusiasts for enthusiasts."
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed