1. OVERVIEW
The zFTP server was found to be vulnerable to denial of service when handling STAT and CWD commands supplied with overly large arguments.
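As an added illustration of the mitigation side (not code from the advisory or from the zFTP vendor), the following front-end check parses RFC 959 command lines and rejects commands whose argument exceeds a cap; the 512-byte limit and the sample session are assumed values, since the advisory does not state the length that triggers the crash.

```python
import re
from dataclasses import dataclass

# Defender-chosen cap on the argument of any FTP command. The advisory does not
# give the exact length that crashes zFTP, so 512 bytes is an assumed value.
MAX_ARG_LEN = 512
# Commands the advisory names as the crash trigger.
ADVISORY_VERBS = {"STAT", "CWD"}
# RFC 959 command line: 3-4 letter verb, optional SP + argument (CRLF stripped first).
CMD_RE = re.compile(r"^([A-Za-z]{3,4})(?: (.*))?$")


@dataclass
class Verdict:
    verb: str
    arg_len: int
    action: str          # "allow", "reject" or "malformed"
    advisory_verb: bool  # True when the verb is STAT or CWD


def check_command(raw: str) -> Verdict:
    """Parse one client command line and decide whether to pass it to the server."""
    line = raw.rstrip("\r\n")
    m = CMD_RE.match(line)
    if m is None:
        return Verdict("", len(line), "malformed", False)
    verb = m.group(1).upper()
    arg = m.group(2) or ""
    action = "reject" if len(arg) > MAX_ARG_LEN else "allow"
    return Verdict(verb, len(arg), action, verb in ADVISORY_VERBS)


def rejected_advisory_commands(session):
    """Return (verb, arg_len) for rejected commands that match the advisory's pattern."""
    return [(v.verb, v.arg_len) for v in map(check_command, session)
            if v.action == "reject" and v.advisory_verb]


# Constructed sample session: normal traffic plus oversized STAT/CWD requests.
SAMPLE_SESSION = [
    "USER anonymous\r\n",
    "CWD /pub\r\n",
    "STAT\r\n",
    "CWD " + "A" * 2000 + "\r\n",
    "STAT " + "B" * 4096 + "\r\n",
    "RETR " + "C" * 1000 + "\r\n",
    "QUIT\r\n",
]

if __name__ == "__main__":
    for v in map(check_command, SAMPLE_SESSION):
        print(f"{v.action:9} {v.verb:4} arg_len={v.arg_len}")
    print("advisory-pattern rejects:", rejected_advisory_commands(SAMPLE_SESSION))
```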
2. BACKGROUND
The zFTP server is a Windows-based FTP server with a focus on clever Active Directory integration and powerful, effortless administration.
3. VERSIONS AFFECTED
2011-04-13 and earlier
4. PROOF-OF-CONCEPT/EXPLOIT
http://www.exploit-db.com/exploits/18028/
5. SOLUTION
The vendor has released a patched version (http://download.zftpserver.com/zFTPServer_Suite_Setup.exe).
6. VENDOR
Vastgota-Data
7. CREDIT
This vulnerability was discovered by Myo Soe, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
8. DISCLOSURE TIME-LINE
2011-06-19: notified vendor through email
2011-10-17: vendor released fixed version
2011-10-25: vulnerability disclosed
9. REFERENCES
Original Advisory URL: http://core.yehg.net/lab/pr0js/advisories/[zftpserver_2011-04-13]_stat,cwd_dos
zFTP Server Home Page: http://zftpserver.com
#yehg [2011-10-25]