Source: cve@mitre.org
TYPSoft FTP Server 1.10 allows remote authenticated users to cause a denial of service (CPU consumption) via "//../" arguments to (1) mkd, (2) xmkd, (3) dele, (4) size, (5) retr, (6) stor, (7) appe, (8) rnfr, (9) rnto, (10) rmd, or (11) xrmd, as demonstrated using "//../qwerty".
TYPSoft FTP Server 1.10 is vulnerable to a denial-of-service (DoS) attack. Authenticated attackers can exhaust server resources, leading to a service outage, by sending specially crafted commands containing the //../ sequence. This vulnerability allows for excessive CPU consumption, effectively rendering the FTP server unavailable.
Step 1: Authentication: The attacker must first successfully authenticate to the TYPSoft FTP Server 1.10 using valid credentials.
Step 2: Crafted Command: The attacker sends an FTP command whose pathname argument contains the //../ sequence, such as MKD //../qwerty or STOR //../qwerty. Any of the eleven commands listed in the CVE description (mkd, xmkd, dele, size, retr, stor, appe, rnfr, rnto, rmd, xrmd) produces the same effect.
Step 3: Server Processing: The server receives the malicious command and attempts to process it. Due to the lack of proper input validation, the //../ sequence is not correctly handled.
Step 4: Resource Exhaustion: The server, while attempting to resolve the path, enters a loop or performs an excessive number of operations, leading to high CPU usage.
Step 5: Denial of Service: The excessive CPU consumption renders the FTP server unresponsive to legitimate client requests, effectively causing a denial of service.
The vulnerability stems from insufficient input validation in TYPSoft FTP Server 1.10 when handling pathnames supplied to the FTP commands listed above: the server neither sanitizes nor normalizes the argument before processing it. The //../ sequence is a directory-traversal construct, and when it appears in the argument of mkd, dele, stor or one of the other affected commands, the server's attempt to resolve the path most likely loops or performs an excessive number of operations, consuming CPU cycles until the service is unavailable. The root cause is therefore a path-handling flaw combined with the absence of resource limits or input validation in the server-side processing of FTP commands, which lets an attacker craft requests that consume excessive CPU.
Given the age of the vulnerability, it is unlikely to be tied to specific APT groups; however, any attacker with basic knowledge of FTP and vulnerability exploitation could leverage it. CISA KEV status: Not listed.
Monitor FTP server logs for suspicious activity, such as repeated attempts to create or delete files with unusual names or paths containing //../.
Analyze network traffic for unusual FTP command sequences, specifically those containing the //../ string in the arguments of commands like MKD, DELE, STOR, etc.
Monitor CPU usage of the FTP server process. A sudden and sustained spike in CPU usage could indicate an active attack.
Implement intrusion detection systems (IDS) with rules that match the //../ sequence in the arguments of the affected FTP commands (MKD, XMKD, DELE, SIZE, RETR, STOR, APPE, RNFR, RNTO, RMD, XRMD).
Review FTP server configuration files for any unusual settings or configurations that might indicate a compromised system.
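The log-based detection described above, as an added example that is not part of the advisory or of TYPSoft's software: it flags affected commands whose argument contains //../ and reports clients that repeat them. The log line layout, the client addresses and the threshold are assumptions constructed for this example.

```python
import re
from collections import Counter

# The eleven commands named in the CVE description for TYPSoft FTP Server 1.10.
AFFECTED_COMMANDS = {"MKD", "XMKD", "DELE", "SIZE", "RETR", "STOR",
                     "APPE", "RNFR", "RNTO", "RMD", "XRMD"}
TRAVERSAL = "//../"

# Assumed log layout (constructed; not TYPSoft's real log format):
# "<timestamp> <client-ip> <COMMAND> [argument]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<cmd>[A-Za-z]{3,4})(?:\s+(?P<arg>.*))?$")

def parse_line(line):
    """Split one log line into (timestamp, ip, COMMAND, argument); None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("ip"), m.group("cmd").upper(), m.group("arg") or ""

def is_suspicious(cmd, arg):
    """True when an affected command (upper-case) carries //../ in its argument."""
    return cmd in AFFECTED_COMMANDS and TRAVERSAL in arg

def scan(lines, threshold=3):
    """Return (hits, offenders): hits are flagged (ts, ip, cmd, arg) tuples,
    offenders are client IPs that sent at least `threshold` flagged commands."""
    hits, per_client = [], Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, cmd, arg = parsed
        if is_suspicious(cmd, arg):
            hits.append(parsed)
            per_client[ip] += 1
    offenders = sorted(ip for ip, n in per_client.items() if n >= threshold)
    return hits, offenders

# Constructed sample log: one client repeating the pattern, one benign client with a single hit.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 192.0.2.10 USER alice
2024-01-01T10:00:01Z 192.0.2.10 PASS ********
2024-01-01T10:00:02Z 192.0.2.10 MKD //../qwerty
2024-01-01T10:00:03Z 192.0.2.10 XMKD //../qwerty
2024-01-01T10:00:04Z 192.0.2.10 stor //../qwerty
2024-01-01T10:00:05Z 192.0.2.20 CWD /pub
2024-01-01T10:00:06Z 192.0.2.20 RETR readme.txt
2024-01-01T10:00:07Z 192.0.2.20 DELE //../qwerty
""".splitlines()

if __name__ == "__main__":
    found, repeat_offenders = scan(SAMPLE_LOG)
    for ts, ip, cmd, arg in found:
        print(f"{ts} {ip} {cmd} {arg}")
    print("clients at or over threshold:", repeat_offenders)
```

Commands are upper-cased before matching because FTP command verbs are case-insensitive, so a lower-case stor is caught as well.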
Upgrade to a patched version of TYPSoft FTP Server or a different FTP server software. Since the software is old, this is the recommended solution.
Implement input validation to sanitize and normalize all user-supplied input, especially pathnames, to prevent path traversal attacks. This includes checking for and removing or encoding sequences like //../.
Implement resource limits to restrict the amount of CPU and memory that the FTP server can consume. This can help mitigate the impact of a DoS attack.
Regularly audit the FTP server configuration and security settings.
Implement an application-layer filter that understands FTP, such as an intrusion prevention system or an FTP proxy, to drop commands whose arguments contain //../; note that a Web Application Firewall (WAF) inspects HTTP traffic and does not cover FTP.
Consider using a more modern and actively maintained FTP server software.