##############################################################
                     - S21Sec Advisory -
##############################################################

Title:     WzdFTPD Denial of Service
ID:        S21SEC-033-en
Severity:  High - Server killed
History:   26.Dec.2006 Vulnerability discovered
           8.Jan.2007  Vendor contacted
Scope:     Server Denial of Service
Platforms: Any
Author:    Jose Miguel Esparza (jesparza@s21sec.com)
URL:       http://www.s21sec.com/avisos/s21sec-033-en.txt
Release:   Public

[ SUMMARY ]

WzdFTPD is an FTP server designed to be modular and portable, to work under
linux/win32/freebsd/openbsd, and to be entirely configurable online using SITE
commands. It supports SSL, IPv6, multithreading and external scripts, and it
uses Unix-like permissions and ACLs with virtual users and groups. The WzdFTPD
project also supports bandwidth limitation (per user, per group, or globally),
group administrators, and per-command authorization.

[ AFFECTED VERSIONS ]

The following versions are affected by this issue:

- WzdFTPD v8.0 and prior.

[ DESCRIPTION ]

This vulnerability is due to incorrect truncation of input blocks followed by
the stripping of the carriage return (\r), line feed (\n) and horizontal tab
(\t) characters after authentication, resulting in a null character that the
function chtbl_lookup is not able to handle. It can be reproduced by
authenticating and then sending a carriage return, line feed or horizontal tab
(or any combination of these), or any block of bytes whose length is a
multiple of 1024 followed by these characters. With this it is possible to
kill the server, causing a total denial of service.

[ WORKAROUND ]

Add a "key != NULL" check to the chtbl_lookup function in the hash.c file
until a vendor fix is available, or upgrade to 8.1.

[ ACKNOWLEDGMENTS ]

This vulnerability has been found and researched by:

- Jose Miguel Esparza    S21Sec

With thanks to:

- David Barroso          S21Sec

[ REFERENCES ]

* WzdFTPD
  http://www.wzdftpd.net/

* S21Sec
  http://www.s21sec.com

* Malybuzz
  http://malybuzz.sourceforge.net
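To illustrate the failure mode in the DESCRIPTION section and the workaround, here is an added example (not wzdftpd's own hash.c): a minimal chained hash table whose lookup rejects a NULL key, fed by a command-line trimmer that returns NULL once trailing CR/LF/TAB have been stripped from an otherwise empty line. Names such as chtbl_lookup, command_key, dispatch and sample_table are this example's own.

```c
#include <stddef.h>
#include <string.h>

/* Constructed example: a tiny chained hash table (chtbl) keyed by command word. */
#define BUCKETS 8

struct entry { const char *key; int value; struct entry *next; };
struct chtbl { struct entry *bucket[BUCKETS]; };

static unsigned hash_key(const char *key) {
    unsigned h = 5381;
    while (*key) h = h * 33 + (unsigned char)*key++;
    return h % BUCKETS;
}

static void chtbl_insert(struct chtbl *t, struct entry *e) {
    unsigned b = hash_key(e->key);
    e->next = t->bucket[b];
    t->bucket[b] = e;
}

/* Hardened lookup: a NULL key is rejected up front (the advisory's
 * "key != NULL" workaround) instead of being hashed and compared.
 * Returns 0 and stores the value on a hit, -1 otherwise. */
int chtbl_lookup(const struct chtbl *t, const char *key, int *out) {
    if (t == NULL || key == NULL) return -1;
    for (const struct entry *e = t->bucket[hash_key(key)]; e; e = e->next)
        if (strcmp(e->key, key) == 0) { *out = e->value; return 0; }
    return -1;
}

/* Strip trailing \r, \n and \t from a received line and return the command
 * word, or NULL when nothing is left: the input the lookup must tolerate. */
const char *command_key(char *line) {
    size_t n = strlen(line);
    while (n > 0 && (line[n-1] == '\r' || line[n-1] == '\n' || line[n-1] == '\t'))
        line[--n] = '\0';
    return n == 0 ? NULL : strtok(line, " ");
}

/* Copy a raw line into a bounded buffer and dispatch it; -1 = unknown/empty. */
int dispatch(const struct chtbl *t, const char *raw) {
    char buf[1024];
    int id;
    strncpy(buf, raw, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    return chtbl_lookup(t, command_key(buf), &id) == 0 ? id : -1;
}

/* Constructed sample table with two commands, built on first use. */
const struct chtbl *sample_table(void) {
    static struct chtbl t;
    static struct entry pwd = { "PWD", 1, NULL }, list = { "LIST", 2, NULL };
    static int built;
    if (!built) { chtbl_insert(&t, &pwd); chtbl_insert(&t, &list); built = 1; }
    return &t;
}
```

A line consisting only of "\r\n" or "\t\r\n" now yields -1 from dispatch instead of a crash inside the lookup.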