COMMAND

    WFTPD

SYSTEMS AFFECTED

    WFTPD v3.00R5

PROBLEM

    WFTPD v3.00R5  is an  ftp server.   A potential  denial-of-service
    vulnerability exists which  allows a remote  attacker to hang  the
    server.

    When a user attempts to  change the current directory, the  server
    first  queries  the  directory,  then  determines if the operation
    should be allowed.   This implementation exposes  the server to  a
    DOS attack if  a malicious attacker  continuously tries to  change
    the current directory to the server's floppy drive.

    The following is an illustration of the problem:

        > ftp localhost
        Connected to xxxxxxxxxx.rh.rit.edu.
        220-This FTP site is running a copy of WFTPD that is NOT REGISTERED
        ..
        .. <registration nag header is edited out >
        ..
        220 WFTPD 3.0 service (by Texas Imperial Software) ready for new user
        User (xxxxxxxxxx.rh.rit.edu:(none)): jdog
        331 Give me your password, please
        Password:
        230 Logged in successfully
        ftp> cd a:/
        501 User is not allowed to change to a:/ - returning to /.
        ftp>

    The server correctly denies the action, but queries the A:\  drive
    anyway.   A DOS  can achieved  by repeating  the 'cd  a:/' command
    continuously.  This problem  will have varying effects,  depending
    on your system configuration.

    An exploit written in PERL is available at:

        http://hogs.rit.edu/~joet/code/floppy_hell.pl

SOLUTION

    Disable  your  floppy  drive  in  your  system BIOS if your system
    configuration is vulnerable.

    Alun Jones, the  program author, verified  the behavior and  plans
    on releasing a fix in the v3.1 branch.