Re: INFIGO-2006-05-03: Multiple FTP Servers vulnerabilities

[Andrea Rimicci <arimicci@xxxxxxxxxxx>]

<snip>
>-[ FileZilla vulnerabilities
>
>A few vulnerabilities in FileZilla weren't investigated beyond the crash. 

>At
>the moment there is no further information whether those vulnerabilities
>are
>exploitable.
>The first vulnerability is triggered by sending a long PORT or PASS 
command
>(30
>bytes) and MLSD command after it. This causes FileZilla to crash (DoS).
>The second vulnerability found in the FileZilla Server interface also 
leads
>to
>the DoS conditions.
>
<snip>

I tried reproduce given exploit, but no DoS here.
Here is log of a session done against FileZilla server:

(000007) 2006-05-09 09:34:23 - (not logged in) (192.168.200.22)> USER test
(000007) 2006-05-09 09:34:23 - (not logged in) (192.168.200.22)> 331 
Password required for test
(000007) 2006-05-09 09:34:25 - (not logged in) (192.168.200.22)> PASS ****
(000007) 2006-05-09 09:34:25 - test (192.168.200.22)> 230 Logged on
(000007) 2006-05-09 09:34:45 - test (192.168.200.22)> PORT 
123456789012345678901234567890
(000007) 2006-05-09 09:34:45 - test (192.168.200.22)> 501 Syntax error
(000007) 2006-05-09 09:34:49 - test (192.168.200.22)> MLSD
(000007) 2006-05-09 09:34:49 - test (192.168.200.22)> 503 Bad sequence of 
commands.
(000007) 2006-05-09 09:35:05 - test (192.168.200.22)> USER test
(000007) 2006-05-09 09:35:05 - (not logged in) (192.168.200.22)> 331 
Password required for test
(000007) 2006-05-09 09:35:11 - (not logged in) (192.168.200.22)> PASS 
******************************
(000007) 2006-05-09 09:35:11 - (not logged in) (192.168.200.22)> 530 Login 
or password incorrect!
(000007) 2006-05-09 09:35:15 - (not logged in) (192.168.200.22)> MLSD
(000007) 2006-05-09 09:35:15 - (not logged in) (192.168.200.22)> 530 Please 
log in with USER and PASS first.

Please show log of exploit, to be able reproduce ur results.

Please note 2.2.22 is version of FileZila client.
Latest FileZilla server version is 0_9_16c