COMMAND

    SunFTP

SYSTEMS AFFECTED

    SunFTP Build: 9(1)

PROBLEM

    Aviram Jenik found the following.  SunFTP is a small FTP server
    written in Delphi.  This product contains a few vulnerabilities in
    its socket module.  First, it is possible to overflow its receiving
    buffer.  Second, SunFTP can be crashed remotely by disconnecting
    the session without sending a complete command.

    Buffer overflow problem:
    ========================
    To test for this vulnerability,  connect to the server and  send a
    buffer of 2100 characters.

        perl -e "print \"GET @{['x'x2100]} HTTP/1.0\n\n\""|nc 127.1 80

    The server crashes, and this enables attackers to launch a  Denial
    of Service attack against the product.

    Incomplete command problem:
    ===========================
    To test for this vulnerability, connect to the server with a
    non-FTP program (for example, telnet).  Now disconnect immediately
    (or after sending a buffer), but make sure you don't send a newline
    ('\r\n').  The server will crash almost immediately.
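    Both crashes come from the same place: a receive loop that neither
    bounds the length of a command line nor handles the peer closing
    the connection before a CRLF arrives.  The following Python code is
    an added illustration of how a command reader should handle those
    two inputs; it is not SunFTP's code and not from the advisory.  The
    512-byte limit and the byte-stream interface are assumptions made
    for the example.

```python
import io

# Assumed limit for one FTP command line; FTP commands are short, so a
# fixed, enforced bound is reasonable.  A 2100-byte line exceeds it.
MAX_COMMAND_LEN = 512


class CommandTooLong(Exception):
    """Raised when max_len bytes arrive without a CRLF terminator."""


def read_command(stream, max_len=MAX_COMMAND_LEN):
    """Read one CRLF-terminated FTP command from a binary stream.

    Returns the command text without its terminator, or None when the
    peer disconnects (EOF) before a complete command has been received.
    Raises CommandTooLong instead of growing the buffer without bound.
    """
    buf = bytearray()
    while True:
        chunk = stream.read(1)
        if not chunk:
            # EOF with no terminator: the "disconnect without sending a
            # complete command" case.  Report it instead of crashing.
            return None
        buf += chunk
        if buf.endswith(b"\r\n"):
            return bytes(buf[:-2]).decode("latin-1")
        if len(buf) >= max_len:
            # The "oversized buffer" case: stop reading and reject.
            raise CommandTooLong("%d bytes received without CRLF" % len(buf))


def handle_session(stream, max_len=MAX_COMMAND_LEN):
    """Drive one control-connection session over `stream`.

    Returns a list of (event, detail) tuples describing what happened,
    so the behaviour can be checked without a real socket.
    """
    events = []
    while True:
        try:
            cmd = read_command(stream, max_len)
        except CommandTooLong as exc:
            events.append(("rejected", str(exc)))
            return events
        if cmd is None:
            events.append(("disconnected", None))
            return events
        events.append(("command", cmd))
        if cmd.upper() == "QUIT":
            return events


def run_bytes(data):
    """Convenience wrapper: feed a constructed byte string as the session input."""
    return handle_session(io.BytesIO(data))


if __name__ == "__main__":
    # Constructed sample inputs covering the normal case and both failure modes.
    print(run_bytes(b"USER anonymous\r\nQUIT\r\n"))
    print(run_bytes(b"x" * 2100 + b"\r\n"))
    print(run_bytes(b"USER anon"))
```

    The point of the example is that an oversized line and an early
    disconnect are ordinary session outcomes, each handled by a
    distinct branch, rather than conditions the server never
    anticipated.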

    It is possible to detect a vulnerable SunFTP server by looking for
    the following FTP banner:

        220 hostname FTP Server (SunFTP b9) ready on port 21
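    The banner makes an affected server easy to inventory from the
    defender's side.  The following Python code is an added example,
    not from the advisory, that parses an FTP greeting (including
    multi-line "220-" greetings) and reports whether it advertises the
    affected build; it assumes only build 9 is affected, as the
    advisory states, and the grab_banner helper and its timeout are
    assumptions for this example.

```python
import re
import socket

# Builds listed as affected by the advisory.  Assumed: only build 9.
AFFECTED_BUILDS = {9}

# Matches a 220 reply line (final "220 " or continuation "220-") that
# carries the SunFTP product string, e.g. "(SunFTP b9)".
BANNER_RE = re.compile(r"^220[ -].*\(SunFTP b(\d+)\)", re.IGNORECASE)


def parse_sunftp_banner(banner):
    """Return the SunFTP build number advertised in an FTP greeting, or None.

    Multi-line greetings are scanned line by line; the first line that
    carries the product string wins.
    """
    for line in banner.splitlines():
        match = BANNER_RE.match(line.strip())
        if match:
            return int(match.group(1))
    return None


def is_affected(banner):
    """True when the greeting identifies a SunFTP build in AFFECTED_BUILDS."""
    build = parse_sunftp_banner(banner)
    return build is not None and build in AFFECTED_BUILDS


def grab_banner(host, port=21, timeout=5.0):
    """Read the greeting from a live FTP service (network helper, not run offline).

    Reads until the final "220 " line or a size cap, so a slow or
    chatty server cannot hang the scan.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        data = b""
        while len(data) < 4096:
            chunk = sock.recv(1024)
            if not chunk:
                break
            data += chunk
            # Stop once the final reply line ("220 ...") has been seen.
            if re.search(rb"(^|\r\n)220 .*\r\n", data):
                break
    return data.decode("latin-1", "replace")


if __name__ == "__main__":
    # Constructed sample greeting copied from the advisory's banner format.
    sample = "220 hostname FTP Server (SunFTP b9) ready on port 21\r\n"
    print(parse_sunftp_banner(sample), is_affected(sample))
```

    Matching on the product string rather than the whole line keeps
    the check working when the hostname or port text differs, and
    keeping the affected-build set explicit means a later build is
    reported as SunFTP but not flagged unless the set is updated.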

    The security hole was discovered by Beyond Security's SecuriTeam.

SOLUTION

    Since this is a discontinued project, and the author has not
    responded to the finder's email, it is suggested to switch to
    another FTP server.