Objectives About Us Sponsors News Past Events Contact Us
Login G-TEC CC Mirror Forums Links

 

 

SIG^2 Vulnerability Research Advisory

SurgeFTP LEAK Command Denial-Of-Service Vulnerability

by Tan Chew Keong
Release Date: 7 Apr 2005

Summary

SurgeFTP is an FTP server with SSL/TLS security, easy management and cross platform support. It is available for Windows, Solaris and Linux. A denial-of-service vulnerability was found in SurgeFTP, which may be exploited to crash the server or to prevent it from correctly serving files.

 
Tested System

SurgeFTP Version 2.2m1 and 2.2k3 Windows on English Win2K SP4, WinXP SP2.

 
Details

SurgeFTP is an FTP server with SSL/TLS security, easy management and cross platform support. It is available for Windows, Solaris and Linux. A denial-of-service vulnerability was found in SurgeFTP, which may be exploited to crash the server or to prevent it from correctly serving files.

SurgeFTP responds to a non-standard FTP command, LEAK. It is postulated that this command may have been intended to be used to test the server's response to file handle leakages. Upon receiving the LEAK command, SurgeFTP will call the cmd_leak() function. cmd_leak() will in turn call the mgr_cmd_openmore() function. mgr_cmd_openmore() will open the file "a.a_write" 925 times, thus potentially causing the process to run out of file handles. This is shown in the assembly code below. 

00431A58 MOV DWORD PTR SS:[EBP-8],0
00431A5F JMP SHORT SurgeFTP.00431A6A
00431A61 MOV EAX,DWORD PTR SS:[EBP-8]
00431A64 ADD EAX,1
00431A67 MOV DWORD PTR SS:[EBP-8],EAX
00431A6A CMP DWORD PTR SS:[EBP-8],39D
00431A71 JGE SHORT SurgeFTP.00431A94
00431A73 PUSH 503                          
00431A78 PUSH SurgeFTP.00552284            
00431A7D PUSH SurgeFTP.005522AC            
00431A82 PUSH SurgeFTP.005522B0           ; ASCII "a.a_write" 
00431A87 CALL SurgeFTP._dfopen
00431A8C ADD ESP,10
00431A8F MOV DWORD PTR SS:[EBP-4],EAX
00431A92 JMP SHORT SurgeFTP.00431A61
00431A94 MOV EAX,1

Subsequently, the main thread will call the detect_imobilizing_bug() function. This function will try to open 9 test files. i.e. testfile.0, testfile.1, ..., testfile.9. If the LEAK command has been issued before, this function will be unable to open any of the 9 test files. This causes the following code branch to be taken. The code highlighted in red will be executed thus causing a write exception. 

00412849 CALL SurgeFTP.__errno
0041284E MOV EDX,DWORD PTR DS:[EAX]
00412850 PUSH EDX                          
00412851 CALL SurgeFTP._strerror           
00412856 ADD ESP,4
00412859 PUSH EAX                          
0041285A PUSH SurgeFTP.0051BB58           ; ASCII "warning file handles almost exceeded - time to restart. %s %d" 
0041285F CALL SurgeFTP._emsg               
00412864 ADD ESP,0C
00412867 CALL SurgeFTP._hcount_report
0041286C CALL SurgeFTP._dfopen_exit
00412871 MOV DWORD PTR DS:0, 0

This LEAK command can be sent prior to authentication. i.e. it can be sent immediately after connecting to the FTP server. On a Win2K system, this will cause SurgeFTP to stop receiving any connections until the service is automatically restarted by the SC Manager. On a WinXP system, SurgeFTP will continue to accept FTP connections, but will be unable to send or receive any files. Logging of FTP commands to cmds.log will also fail until the server is automatically restarted.

 
Patch

  1. Upgrade to version 2.2m2.

 
Disclosure Timeline

03 Apr 05 - Vulnerability Discovered.
05 Apr 05 - Initial Vendor Notification.
06 Apr 05 - Vendor Released Fixed Version.
07 Apr 05 - Public Release.

 
Contacts

For further questions and enquries, email them to the following.

Overall-in-charge: Tan Chew Keong


Updated: 07/04/2005
webmaster@security.org.sg