WzdFTPD < 8.1 Denial of Service
ID: CVE-2007-0428 BID-22131 BID-22152
Product: WzdFTPD is an FTP server designed to be modular and portable, to work under Linux/Win32/FreeBSD/OpenBSD, and to be entirely configurable online using SITE commands. It supports SSL, IPv6, multithreading, external scripts, and it uses Unix-like permissions and ACLs, with virtual users and groups.
The WzdFTPD project also supports bandwidth limitation (per user, per group, or globally), group administrators, and per-command authorization.
Scope: Remote Denial of Service
Severity: Medium
Timeline:
- [2006-12-26] Vulnerability discovered
- [2007-01-08] Vendor contacted (without answer)
- [2007-01-19] Vulnerability published
- [2007-01-31] Patched
Platforms: Any
Author: Jose Miguel Esparza
Affected versions: WzdFTPD < 8.1
Description: This vulnerability is due to incorrect truncation of blocks followed by the stripping of carriage return (\r), line feed (\n) and horizontal tab (\t) characters after authentication, which results in a null character that the function chtbl_lookup is not able to handle.
To reproduce it, authenticate and send a carriage return, line feed or horizontal tab (or any combination of these), or any block of bytes whose length is a multiple of 1024 followed by these characters. This kills the server, causing a total denial of service.
Details:
- File: hash.c
- Function: chtbl_lookup
- Instruction: index = htab->h(key) % htab->containers;
int chtbl_lookup(const CHTBL *htab, const void *key, void **data)
{
    ListElmt *element;
    CHTBL_Elmnt *entry;
    unsigned int index;

    /* key is used here without a NULL check (see Workaround) */
    index = htab->h(key) % htab->containers;
    for (element = list_head(&htab->table[index]); element != NULL; element = list_next(element))
    {
        entry = list_data(element);
        if (!entry) return -1;
        if (htab->match(key, entry->key) == 0) {
            if (data) *data = entry->data;
            return 0;
        }
    }
    return 1;
}
Workaround: Add a "key != NULL" condition to the chtbl_lookup function in hash.c until a vendor fix is available, or upgrade to 8.1. Update: patch released.
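Added example (not part of the original advisory and not wzdftpd's own code): the "key != NULL" workaround applied to a self-contained lookup so the guard can be exercised. The list and table types, hash_str, match_str, demo_lookup, the name chtbl_lookup_checked and the -1 return for a NULL key are simplified assumptions for illustration.

```c
#include <stddef.h>
#include <string.h>
/* Simplified stand-ins for the list and table types (assumed, not wzdftpd's own). */
typedef struct ListElmt { void *data; struct ListElmt *next; } ListElmt;
typedef struct { const void *key; void *data; } CHTBL_Elmnt;
typedef struct {
    unsigned int containers;
    unsigned int (*h)(const void *key);
    int (*match)(const void *a, const void *b);
    ListElmt **table;                 /* one chain head per container */
} CHTBL;

/* Hypothetical string hash: it dereferences key, so a NULL key would fault. */
static unsigned int hash_str(const void *key)
{
    unsigned int h = 0;
    for (const unsigned char *p = key; *p; p++) h = h * 31 + *p;
    return h;
}

static int match_str(const void *a, const void *b) { return strcmp(a, b); }

/* Returns 0 = found, 1 = not found, -1 = invalid input (assumed convention). */
int chtbl_lookup_checked(const CHTBL *htab, const void *key, void **data)
{
    if (htab == NULL || key == NULL) return -1;   /* guard from the workaround */
    unsigned int index = htab->h(key) % htab->containers;
    for (ListElmt *element = htab->table[index]; element != NULL; element = element->next) {
        CHTBL_Elmnt *entry = element->data;
        if (!entry) return -1;
        if (htab->match(key, entry->key) == 0) {
            if (data) *data = entry->data;
            return 0;
        }
    }
    return 1;
}

/* Constructed one-entry table: the key "user" maps to a dummy handler. */
int demo_lookup(const char *key)
{
    static int handler = 42;
    CHTBL_Elmnt e = { "user", &handler };
    ListElmt node = { &e, NULL };
    ListElmt *chains[4] = { NULL };
    CHTBL tab = { 4, hash_str, match_str, chains };
    chains[hash_str("user") % 4] = &node;
    return chtbl_lookup_checked(&tab, key, NULL);
}
```

With the guard in place a NULL key is rejected before the hash callback runs, so callers need to treat -1 as "invalid command" rather than "not found".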
Proof of Concept: wzdftpd_dos.py