WzdFTPD < 8.1 Denial of Service

ID: CVE-2007-0428, BID-22131, BID-22152

Product: WzdFTPD is an FTP server designed to be modular and portable, to work under Linux/Win32/FreeBSD/OpenBSD, and to be entirely configurable online using SITE commands. It supports SSL, IPv6, multithreading and external scripts, and it uses Unix-like permissions and ACLs, with virtual users and groups.

The WzdFTPD project also supports bandwidth limitation (per user, per group, or globally), group administrators, and per-command authorization.

Scope: Remote Denial of Service

Severity: Medium

Timeline:

  • [2006-12-26] Vulnerability discovered
  • [2007-01-08] Vendor contacted (without answer)
  • [2007-01-19] Vulnerability published
  • [2007-01-31] Patched

Platforms: Any

Author: Jose Miguel Esparza

Affected versions: WzdFTPD < 8.1

Description: This vulnerability is due to bad truncation of blocks and the later stripping of the carriage return (\r), line feed (\n) and horizontal tab (\t) characters after authentication, which results in a null character that the function chtbl_lookup is not able to handle.

It can be reproduced by authenticating and then sending a carriage return, line feed or horizontal tab (or any combination of these), or any block of bytes whose length is a multiple of 1024 followed by these characters. This makes it possible to kill the server, causing a total denial of service.

Details:

  • File: hash.c
  • Function: chtbl_lookup
  • Instruction: index = htab->h(key) % htab->containers;

int chtbl_lookup(const CHTBL *htab, const void *key, void **data)
{
    ListElmt *element;
    CHTBL_Elmnt *entry;
    unsigned int index;

    /* key is handed to the hash function with no NULL check; this is the
     * instruction the advisory points at, and where the workaround's
     * "key != NULL" test belongs */
    index = htab->h(key) % htab->containers;

    /* walk the chain in the selected container looking for a matching key */
    for (element = list_head(&htab->table[index]); element != NULL; element = list_next(element))
    {
        entry = list_data(element);
        if (!entry) return -1;
        if (htab->match(key, entry->key) == 0) {
            if (data) *data = entry->data;
            return 0;       /* found */
        }
    }

    return 1;               /* not found */
}

Workaround: Add a "key != NULL" condition to the chtbl_lookup function in hash.c until a vendor fix is available, or upgrade to 8.1. Update: patch released.
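As an added illustration of that workaround (example code, not WzdFTPD's own), a hardened lookup that rejects a NULL key before the hash function can dereference it; the Node, Table, str_hash, str_match, chtbl_insert and lookup_demo names and the tiny two-command table are constructed for this example.

```c
#include <stddef.h>
#include <string.h>
/* Constructed stand-in for WzdFTPD's CHTBL: fixed bucket count, chained lists.
 * Node, Table, str_hash, str_match, chtbl_insert, lookup_demo are example names. */
typedef struct Node { const char *key; void *data; struct Node *next; } Node;
typedef struct {
    unsigned int containers;                      /* number of buckets */
    Node **table;                                 /* bucket heads */
    unsigned int (*h)(const void *key);           /* hash function */
    int (*match)(const void *a, const void *b);   /* 0 when keys are equal */
} Table;

static unsigned int str_hash(const void *key)
{   /* dereferences key, so a NULL key faults here exactly as in the advisory */
    unsigned int hv = 0;
    for (const unsigned char *s = key; *s; s++) hv = hv * 31 + *s;
    return hv;
}
static int str_match(const void *a, const void *b) { return strcmp(a, b); }
static void chtbl_insert(Table *htab, Node *n)
{
    unsigned int index = htab->h(n->key) % htab->containers;
    n->next = htab->table[index];
    htab->table[index] = n;
}
/* Hardened lookup: the advisory's workaround, a NULL check on key placed before
 * htab->h(key) is ever called. Returns 0 on hit, 1 on miss, -1 on bad input. */
int chtbl_lookup_safe(const Table *htab, const void *key, void **data)
{
    if (htab == NULL || key == NULL) return -1;
    for (const Node *e = htab->table[htab->h(key) % htab->containers]; e; e = e->next) {
        if (htab->match(key, e->key) == 0) {
            if (data) *data = e->data;
            return 0;
        }
    }
    return 1;
}
/* Fills a table with two FTP command names and looks one up; the NULL key the
 * advisory describes now yields -1 instead of a crash. */
int lookup_demo(const char *key)
{
    Node n_user = { "USER", NULL, NULL }, n_pass = { "PASS", NULL, NULL };
    Node *slots[8] = { NULL };
    Table t = { 8, slots, str_hash, str_match };
    chtbl_insert(&t, &n_user);
    chtbl_insert(&t, &n_pass);
    return chtbl_lookup_safe(&t, key, NULL);
}
```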

Proof of Concept: wzdftpd_dos.py