I will be sure to patch for this serious exploit vulnerability proof of concept code hack so that my machines cannot be cracked.
J On Thu, 12 Jul 2007 00:15:32 -0400 Jared DeMott <[EMAIL PROTECTED]> wrote: >IPSwitch WS_FTP Logging Server Remote Denial of Service >------------------------------------------------ >Version: 7.5.29.0 (Logsrv.exe) > >Overview >-------- >The WS FTP logging server is a daemon that listens on UDP port >5151 and >is shipped with WS FTP and by default is turned on and used by the >local >WS FTP instance. It binds to the public IP address of the server >and is >accessible externally, in part so that other WS FTP machines are >able to >use it as a logging interface. > >Description of Crash >-------------------- >WS FTP uses a binary protocol to speak to the logging daemon, and >each >transmission begins with a two byte header "0xab 0xaa". If using a >long >string of characters to mangle the remaining portions of the >message, a >pointer operation fails at: >0x00401769 > >cmp word ptr [ecx], 0AAADh >jnz short loc_401787 > >This crashes the process. By flipping two bytes immediately after >the >two primary header bytes, you are also able to control where the >dereferencing address is at the time of the crash. However, this >does >not appear to allow code execution on the remote host as the >address >referenced is too far away from any user supplied input. > >Discovered By >---------------- >Justin Seitz of VDA Labs LLC ([EMAIL PROTECTED]) > > >Full advisory and attack code location: >---------------------------------------- >http://www.vdalabs.com/resources >http://www.vdalabs.com/tools/ipswitch.html > >ipswitchlogsrv-killer.py - Change the IP and PORT numbers as >necessary >at the top of the file. There are two bytes that lead to different >address offsets where the pointer dereference is attempted. > >_______________________________________________ >Full-Disclosure - We believe in it. >Charter: http://lists.grok.org.uk/full-disclosure-charter.html >Hosted and sponsored by Secunia - http://secunia.com/ -- Click to lower your debt and consolidate your monthly expenses http://tagline.hushmail.com/fc/Ioyw6h4d716878MGXyA105YJMeLioAE5OXJBN3lPtxoU6pi90kPhcE/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
