Recent Security Bug Advisory


Moderator: Serin

skip
Posts: 2
Joined: Thu Jan 19, 2006 3:53 pm


Post by skip » Thu Jan 19, 2006 3:56 pm

Hi,
Can we get a comment on the recent Security Advisory announced by KAPDA regarding Cerberus FTP 2.32

I find their Advisory alarming, and if they have misrepresented you guys it would be good to know.

http://www.kapda.ir/advisory-210.html

Cheers
Skip Parker

mdj
Moderator
Posts: 656
Joined: Mon Aug 18, 2003 4:00 am
Location: Denmark

Post by mdj » Fri Jan 20, 2006 3:39 am

Well, I am not an experienced reader of such advisories, but a few things do seem odd.

1: The advisory does not explain what actually happens. It just shows a program throwing 50000 messages at the server, and that is it. What happens next? Will Cerberus crash? Will Windows BSOD? Will Cerberus stop responding for a period of time? What??

2: "Vendor couldn't care less, so no patch exists." Well, what a very professional attitude and way with words there, don't you think? I think it would be interesting to know if Serin received any information from them first, giving him a chance to investigate and issue a fix before the exploit was published. I believe that is the correct way to do it - especially if you are going to write "couldn't care less" afterwards! In my experience, Serin definitely listens to error reports - why would he make this forum, if not - so claiming that he couldn't care less sounds odd to me. The advisory claims that the vendor was contacted on August 21, so perhaps a fix is available in 2.4B1? Some DDOS bug IS fixed in 2.4B1, is that the one, Serin...? So much for "couldn't care less"... A patch DOES exist, and has been available since November.

3: Take a look at some of the credits: "pi3ch" and "Grtz to all members of...". Why send greetings at all in a security advisory? This is just the kind of lingo used by hackers and the like. I find it very difficult to take such people seriously...

Finally, who are Kapda? An Iranian security company? Quite new in the business, it seems. Well, it should not be held against them that they are newcomers, everybody has to start somewhere, but I feel this "advisory" leaves a little behind if Kapda wants to be accepted in the business.

I for one am NOT worried. In fact, if Kapda reads this, I challenge them - or anybody - to attack me! Try to take my Cerberus server down, it can be found at ftp://ftp.mdjnet.dk , and the program to do it is right there in the advisory. Go ahead, it'll be fun! I am interested in knowing what will actually happen. I will post follow-ups here when relevant.
Last edited by mdj on Sun Jan 22, 2006 12:25 pm, edited 1 time in total.
Morten Due Jørgensen
http://www.mdjnet.dk

skip
Posts: 2
Joined: Thu Jan 19, 2006 3:53 pm

Post by skip » Sat Jan 21, 2006 2:38 am

Thanks MDJ..

I understand what you're saying, however without 'official' word from the team who put Cerberus together we will not know if the accepted procedures for disclosure have been followed.

I am concerned that they have published source code for their exploit and am also very concerned that they appear to be nothing more than a group of hackers (as you pointed out in their 'grtz to all...' tag line).

At the end of the day, without any decent response from a vendor to these sorts of posts (by the way, this came through the Bugtraq lists), the clients will vote with their feet (regardless of the validity).

cheers

Tornado
Senior User
Posts: 234
Joined: Tue Jun 08, 2004 9:39 am
Location: Australia

Post by Tornado » Sat Jan 21, 2006 9:42 pm

I'd be interested to hear results on this one.

Serin
Site Administrator
Posts: 1785
Joined: Sat Jan 01, 2005 6:57 pm
Location: United States

Post by Serin » Thu Jan 26, 2006 10:23 pm

Hello everyone,

Actually, I just heard about the advisory the other day. I have not been contacted recently by the group, and I am a little disturbed they would release a possible exploit without informing me that they were going to do that.

Interestingly, I was contacted by an individual quite a few months ago regarding a similar exploit (August, I believe). It was a legitimate exploit and I fixed it and released it in 2.4 BETA (the release notes mention the fix, and Secunia made a post about it). I have not heard from the author since he originally informed me about the vulnerability. I did not know he (assuming he is affiliated with this group) was going to post the exploit.

Of course, I should have put out a release version to address the issue. I released it as BETA because the exploit required a major rewrite of several parts of the Cerberus FTP Server code base. I haven't had a real security vulnerability reported in Cerberus for several years. I think I may have gotten a little lazy because of it and I don't think I handled this one very well.

I am currently testing the exploit to see if it is legitimate and to make sure 2.4 BETA addresses it. I will be releasing a 2.4 Release soon to make it official.

Serin
Site Administrator
Posts: 1785
Joined: Sat Jan 01, 2005 6:57 pm
Location: United States

Post by Serin » Thu Jan 26, 2006 10:28 pm

The "vendor couldn't care less" comment is rather childish and quite untrue. I have not received any emails from ANYONE informing me about a security vulnerability in the last couple of months. The exception to that is noted in my previous post.
