zFtp Server <= 2011-04-13 | "STAT,CWD" Remote Denial of Service
zFtp Server <= 2011-04-13 | "STAT,CWD" Remote Denial of Service Vulnerability
1. OVERVIEW
The zFTP server is found to be vulnerable to denial of service in
handling multiple STAT and CWD command requests.
2. BACKGROUND
The zFTP server is a Windows based FTP server with focus on clever
Active Directory integration and powerful, effortless administration.
3. VERSIONS AFFECTED
2011-04-13 and earlier
4. PROOF-OF-CONCEPT/EXPLOIT
http://www.exploit-db.com/exploits/18028/
5. SOLUTION
The vendor has released the patched version
(http://download.zftpserver.com/zFTPServer_Suite_Setup.exe)
6. VENDOR
Vastgota-Data
7. CREDIT
This vulnerability was discovered by Myo Soe, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
8. DISCLOSURE TIME-LINE
2011-06-19: notified vendor through email
2011-10-17: vendor released fixed version, 2011-10-17
2011-10-25: vulnerability disclosed
9. REFERENCES
Original Advisory URL:
http://core.yehg.net/lab/pr0js/advisories/%5Bzftpserver_2011-04-13%5D_stat,cwd_dos
zFTP Server Home Page: http://zftpserver.com
#yehg [2011-10-25]