####################################################################### Luigi Auriemma Application: FTP Log Server http://www.wsftp.com Versions: <= 7.9.14.0 Platforms: Windows Bug: socket termination Exploitation: remote Date: 04 Feb 2008 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== FTP Log Server is a daemon installed and running with Ipswitch WS_FTP which works on the UDP port 5151 and is used for all the logging operations of this FTP server. ####################################################################### ====== 2) Bug ====== Sending more than 20 packets of a size major than 4096 bytes (the maximum size of a packet which can be received by the server) within less than one second between them causes the silent termination of the listening socket (offset 004013FD), so the process of the daemon will continue to be active but it will no longer handle the log commands of the FTP or any other server which supports it. Although the daemon binds all the interfaces (and I doubt an admin leaves the UDP port 5151 accessible from Internet, moreover to avoid custom entries in the XML logs) the main scenario of a possible exploiting of this vulnerability is in a LAN environment for example used for disabling the logging service and starting a brute forcing attack versus the machine on which is running the FTP server and so on. ####################################################################### =========== 3) The Code =========== http://aluigi.org/testz/udpsz.zip udpsz -l 100 SERVER 5151 4097 ####################################################################### ====== 4) Fix ====== No fix #######################################################################