WFTPD Pro Server 3.30.0.1 (pre auth) Multiple Remote Denial of Service Vulnerabilities

Title: WFTPD Pro Server 3.30.0.1 (pre auth) Multiple Remote Denial of Service Vulnerabilities
Advisory ID: ZSL-2009-4904
Type: Remote
Impact: DoS
Risk: (1/5)
Release Date: 26.01.2009
Summary
Professional FTP server for Windows NT / 2000 / XP / 2003.
Description
WFTPD Pro Server 3.30.0.1 suffers from multiple remote vulnerabilities that result in denial of service. Several commands are affected, including LIST, MLST, NLST, NLST -al and STAT, and possibly others.

This issue is reported to affect only servers that have the 'Enable Security' configuration option disabled.
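A defender-side triage helper, added here and not part of the advisory or its PoC: it scans a constructed FTP control-channel trace and reports sessions that issued the commands named above before a 230 login reply. The "[session] direction: text" layout and the session numbers are assumptions for this example, not WFTPD's own log format.

```python
import re
from collections import defaultdict

# Constructed control-channel trace. The "[session] C|S: text" layout is an
# assumed capture format for this example, not WFTPD's own log format.
SAMPLE_TRACE = """\
[7] C: USER alice
[7] S: 331 Password required for alice.
[7] C: PASS hunter2
[7] S: 230 User alice logged in.
[7] C: LIST
[7] S: 150 Opening ASCII mode data connection.
[8] C: NLST -al
[8] C: STAT
[8] C: USER bob
[9] C: MLST
"""

LINE_RE = re.compile(r"^\[(?P<sid>\w+)\] (?P<dir>[CS]): (?P<text>.*)$")

# Commands the advisory names as crashing the server before authentication.
PRE_AUTH_RISKY = {"LIST", "MLST", "NLST", "STAT"}


def flag_pre_auth_listings(trace):
    """Return {session: [commands]} for listing/STAT commands sent before a 230 reply.

    Only servers with 'Enable Security' disabled are affected, so a hit means a
    client exercised the crash path, not that the server actually went down.
    """
    authenticated = set()
    hits = defaultdict(list)
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed layout
        sid, direction, text = m.group("sid", "dir", "text")
        if direction == "S":
            if text.startswith("230"):  # 230 = login successful
                authenticated.add(sid)
            continue
        parts = text.split(None, 1)
        if parts and sid not in authenticated and parts[0].upper() in PRE_AUTH_RISKY:
            hits[sid].append(text)
    return dict(hits)


if __name__ == "__main__":
    for sid, cmds in flag_pre_auth_listings(SAMPLE_TRACE).items():
        print(f"session {sid}: pre-auth listing commands {cmds}")
```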
Vendor
Texas Imperial Software - http://www.wftpd.com
Affected Version
3.30.0.1
Tested On
Microsoft Windows XP Professional SP2 (English)
Vendor Status
[26.01.2009] Vendor contacted.
[27.01.2009] Vendor responds and asks for more details.
[27.01.2009] Sent detailed description to vendor.
[28.01.2009] Vendor classifies the issue as a bug because of the Enable Security option being disabled.
[28.01.2009] Vendor schedules a patch for the next release.
PoC
wftpdpro_dos.c
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.securityfocus.com/bid/33426
[2] http://www.packetstormsecurity.org/filedesc/wftpdpro_dos.c.txt.html
Changelog
[26.01.2009] - Initial release
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk