WFTPD Pro Server 3.30.0.1 (pre auth) Multiple Remote Denial of Service Vulnerabilities
Title: WFTPD Pro Server 3.30.0.1 (pre auth) Multiple Remote Denial of Service Vulnerabilities
Advisory ID: ZSL-2009-4904
Type: Remote
Impact: DoS
Risk: (1/5)
Release Date: 26.01.2009
This issue is reported to affect only servers that have the 'Enable Security' configuration option disabled.
[27.01.2009] Vendor responds and asks more details.
[27.01.2009] Sent detailed description to vendor.
[28.01.2009] Vendor classifies the issue as a bug because of the Enable Security option being disabled.
[28.01.2009] Vendor scheduled a patch in the next upcoming release.
[2] http://www.packetstormsecurity.org/filedesc/wftpdpro_dos.c.txt.html
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2009-4904
Type: Remote
Impact: DoS
Risk: (1/5)
Release Date: 26.01.2009
Summary
Professional FTP server for Windows NT / 2000 / XP / 2003.Description
WFTPD Pro Server 3.30.0.1 suffers from multiple remote vulnerabilities which resolves in denial of service. Several commands are vulnerable including: LIST, MLST, NLST, NLST -al, STAT and maybe more.This issue is reported to affect only servers that have the 'Enable Security' configuration option disabled.
Vendor
Texas Imperial Software - http://www.wftpd.comAffected Version
3.30.0.1Tested On
Microsoft Windows XP Professional SP2 (English)Vendor Status
[26.01.2009] Vendor contacted.[27.01.2009] Vendor responds and asks more details.
[27.01.2009] Sent detailed description to vendor.
[28.01.2009] Vendor classifies the issue as a bug because of the Enable Security option being disabled.
[28.01.2009] Vendor scheduled a patch in the next upcoming release.
PoC
wftpdpro_dos.cCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] http://www.securityfocus.com/bid/33426[2] http://www.packetstormsecurity.org/filedesc/wftpdpro_dos.c.txt.html
Changelog
[26.01.2009] - Initial releaseContact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
