VeriSign, Inc.®

Pablo FTP Server DoS Vulnerability


I. BACKGROUND

Pablo Software Solutions' FTP Server is a multi-threaded FTP server for Windows 98, NT 4.0, 2000 and XP. More information about it is available at http://www.pablovandermeer.nl/ftp_server.html.

II. DESCRIPTION

The FTP Server handles format string markers in user-provided input incorrectly, so it can be crashed remotely when it processes such input; code execution is also a possibility. The denial of service condition is exploited by attempting to log in to the target FTP server as '%n'.

III. ANALYSIS

Successful exploitation should crash the FTP server. The most damaging effect is that the files and resources the server normally makes available are inaccessible for as long as the server is under attack. While no exploit currently exists, it is possible to execute arbitrary code.

IV. DETECTION

Pablo FTP Server 1.3 and 1.5, running on Windows 2000, are vulnerable; version 1.2 is reportedly vulnerable as well. Connecting to an arbitrary Pablo FTP Server and providing a username of "%x%x%x%x" can determine susceptibility. The server is vulnerable if an entry such as the following is found in the log files it produces:

[1064] 530 Please login with USER and PASS
[1064] USER f7db018409be31
[1064] 331 Password required for 247db018409be32

The username values that show up in the log files are pulled from memory (the stack) and should differ from system to system.

V. WORKAROUND

Use a filtering proxy server to help mitigate the attack by blocking requests that contain format string markers.
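
A sketch of the check such a filtering proxy could apply to each client command line before forwarding it. This is an added example, not code from the advisory or the vendor; the function names, the choice of a 501 reply and the sample command lines are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* True if p (pointing at '%') starts a printf conversion specification:
   % [position$] [flags] [width] [.precision] [length] conversion */
static bool is_conversion_spec(const char *p)
{
    const char *q = p + 1;
    while (*q && strchr("0123456789$-+ #'*.", *q))  /* position, flags, width, precision */
        q++;
    while (*q && strchr("hlLjztqwI3264", *q))       /* length, incl. MSVC w, I32, I64 */
        q++;
    return *q && strchr("diouxXeEfFgGaAcCsSpn", *q) != NULL;
}

/* True if the line contains any format string marker (%n, %x, %08x, %5$n ...). */
bool has_format_marker(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {          /* "%%" is a literal percent: skip both */
            p++;
            continue;
        }
        if (is_conversion_spec(p))
            return true;
    }
    return false;
}

/* Proxy decision for one command line (CRLF already stripped):
   NULL = forward to the server, otherwise the reply to send instead. */
const char *proxy_verdict(const char *line)
{
    return has_format_marker(line)
        ? "501 Syntax error in parameters or arguments.\r\n" : NULL;
}

int main(void)
{
    /* Constructed sample command lines, not taken from real traffic. */
    const char *samples[] = { "USER anonymous", "USER %n", "USER %x%x%x%x", "USER 100%%" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %s\n", samples[i], proxy_verdict(samples[i]) ? "blocked" : "forwarded");
    return 0;
}
```

Ordinary text can form a valid specification by accident ("100% done" contains "% d"), so the filter blocks it as well; a printf-style call on the server side would misinterpret that input in the same way.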

VI. VENDOR FIX

Version 1.51, which fixes the problem, is available at http://www.pablovandermeer.nl/ftpserver.zip.

VII. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project assigned the identification number CAN-2002-1244 to this issue.

VIII. DISCLOSURE TIMELINE

10/15/2002 Issue disclosed to iDEFENSE
10/31/2002 Author notified
10/31/2002 iDEFENSE clients notified
11/01/2002 Response received from pablovandermeer@kabelfoon.nl
11/04/2002 Public disclosure


IX. CREDIT

Texonet (http://www.texonet.com) discovered this vulnerability.

