Friday, January 14, 2011

Blackmoon FTP 3.1 Denial of Service Exploit

I found an exploit and had it published to exploit-db. It is a denial of service for the Blackmoon FTP 3.1 Server (Builds 1735 and 1736). The PORT command is not properly sanitized, and sending a buffer of 600 bytes crashes the application.

When the Blackmoon FTP Server is installed, it sets the Blackmoon FTP Service to automatically restart the service in the event of a failure. This was a little confusing because I could see the application crash, but the FTP service would still respond to my requests. Turning the service recovery feature off enabled me to find the DoS. Because EIP or SEH is not overwritten, it's not likely to be anything other than a nuisance.

I contacted the vendor and they fixed the issue within a few weeks. Build 1737 is the latest build that incorporates their fix.
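For reference, a strict server-side check of the PORT argument looks like the following. This is an added example, not code from the original post and not the vendor's fix; `parse_port_arg`, `struct port_target` and `PORT_ARG_MAX` are hypothetical names, and the `h1,h2,h3,h4,p1,p2` format is the one defined in RFC 959.

```c
#include <stddef.h>
#include <stdint.h>

/* Longest valid argument is "255,255,255,255,255,255": 23 characters. */
#define PORT_ARG_MAX 23

struct port_target {            /* hypothetical result type for this example */
    uint8_t  addr[4];           /* h1..h4 */
    uint16_t port;              /* p1 * 256 + p2 */
};

/* Parse a PORT argument of len bytes (need not be NUL-terminated).
 * Returns 0 on success, -1 on malformed input, in which case the
 * server should reply 501 and keep serving. */
int parse_port_arg(const char *arg, size_t len, struct port_target *out)
{
    unsigned field[6];
    size_t i = 0;

    if (arg == NULL || out == NULL || len == 0 || len > PORT_ARG_MAX)
        return -1;              /* oversize input is rejected before parsing */

    for (int f = 0; f < 6; f++) {
        unsigned value = 0;
        size_t digits = 0;
        while (i < len && arg[i] >= '0' && arg[i] <= '9') {
            if (++digits > 3)
                return -1;      /* at most three digits per field */
            value = value * 10 + (unsigned)(arg[i] - '0');
            i++;
        }
        if (digits == 0 || value > 255)
            return -1;          /* empty field or not a byte value */
        field[f] = value;
        if (f < 5 && (i >= len || arg[i++] != ','))
            return -1;          /* missing separator */
    }
    if (i != len)
        return -1;              /* trailing bytes after p2 */

    for (int f = 0; f < 4; f++)
        out->addr[f] = (uint8_t)field[f];
    out->port = (uint16_t)(field[4] * 256 + field[5]);
    return 0;
}
```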
