Pablo Software Solutions' FTP Server is a multi-threaded FTP server for Windows 98, NT 4.0, 2000 and XP. A vulnerability in the product allows remote attackers to cause the program to crash.
Vulnerable systems:
* Pablo FTP Server versions 1.3 and 1.5 and prior versions
Because of its incorrect handling of format string markers in user-provided input, the FTP Server can be remotely crashed if it attempts to process such malformed input; code execution is also a possibility. The denial of service condition is exploited by attempting to login to the target FTP server as '%n'.
Analysis:
Successful exploitation should crash the FTP server. What is most damaging about this is that the files and resources readily made available by the server's proper functionality are inaccessible for the duration that the server is attacked. While no exploit currently exists, it is possible to execute arbitrary code.
Detection:
Pablo FTP Server 1.3 and 1.5, running on Windows 2000; version 1.2 is reportedly vulnerable as well. Connecting to an arbitrary Pablo FTP Server and providing a username of "%x%x%x%x" can determine susceptibility. The server is vulnerable if an entry such as the following is found in the produced log files:
[1064] 530 Please login with USER and PASS
[1064] USER f7db018409be31
[1064] 331 Password required for 247db018409be32
The username values that show up in the log files are pulled from memory (the stack) and should differ from system to system.
Workaround:
Use a filtering proxy server to help mitigate the attack by blocking requests that contain format string markers.
