Somebody once said..

"If you convince people that the wheel isn't right, they will allow you to re-invent it"

Thursday, June 11, 2009

XM Personal FTP Server vulnerability

Recently I discovered a Denial-of-Service vulnerability in XM Personal FTP Server 5.7. This is a easy to use FTP Server application which can help you create a FTP server really fast without any complex configuration.

This vulnerability was actually discovered in May. Despite of trying multiple times to contact the author of this software, he did not respond to my communication. So eventually I decided to post the details of the vulnerability as well as the PoC on Bugtraq.

The vulnerability exists because the application fails to handle arguments passed to some of the standard FTP commands such as HELP and TYPE. This vulnerability was actually discovered accidentally when I was trying to figure out how to use fuzzing tools ! :) ... The tool used for this was FTP Fuzzer 1.0 from Infigo which a nice tool for fuzzing. This is just a DoS vulnerability and remote code execution is not possible. For some strange reason Security Focus has mentioned that remote code execution is possible, but I don't think so.

Some time I will make an article on Fuzzing. Its pretty interesting concept and in fact I am also writing a protocol fuzzer. Hopefully it should be done soon !

Details of the vulnerability available at -

No comments:

Post a Comment