In association with heise online

FTPStress Fuzzer

FTP clients control FTP servers using a number of commands. The majority of these commands require parameters that the server reads and evaluates. FTP servers often fail where, for example, a parameter value is larger than the buffer reserved for it. Special characters can also knock a server out of kilter. FTPStress Fuzzer, a free Windows tool from Infigo, tests all FTP commands with various parameters [2]. The user determines which commands the fuzzer should send to the server and the range within which the parameters should be varied. A parameter can, for instance, consist of 200,000 repeats of the letter A, or 9,000 repeats of a given character string. The tool provides a pre-defined list of possible character strings, which it runs through for each command. The user can also enter a single character string for each command.
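The failure the article describes, a parameter larger than the buffer reserved for it or one laced with special characters, is what a server's command parser has to survive. As an added example that is not part of the original article or of Infigo's tool, here is a bounded FTP control-line parser in C together with a helper that builds fuzzer-shaped cases (a verb followed by a repeated fill character); MAX_PARAM, the reply-code style verdicts and the function names are constructed for this illustration.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PARAM 255   /* constructed upper bound on a command parameter */

/* Verdicts modelled on FTP reply codes: 200 accepted, 500 bad syntax, 501 bad parameter. */
enum { PARSE_OK = 200, PARSE_BAD_SYNTAX = 500, PARSE_BAD_PARAM = 501 };

struct ftp_cmd {
    char verb[5];              /* FTP verbs are at most four letters */
    char param[MAX_PARAM + 1];
};

/* Hardened parser: each byte is length- and range-checked before it is stored.
 * A parser that strcpy()s the parameter into 'param' with no bound is exactly
 * what a 200,000-byte parameter from the fuzzer overruns. */
int parse_line(const char *line, struct ftp_cmd *out)
{
    size_t i = 0, n = 0;
    memset(out, 0, sizeof *out);
    for (; line[i] && !strchr(" \r\n", line[i]); i++) {
        if (i >= 4 || !isalpha((unsigned char)line[i])) return PARSE_BAD_SYNTAX;
        out->verb[i] = (char)toupper((unsigned char)line[i]);
    }
    if (i == 0) return PARSE_BAD_SYNTAX;          /* empty verb */
    if (line[i] == ' ') i++;
    for (; line[i] && line[i] != '\r' && line[i] != '\n'; i++) {
        unsigned char c = (unsigned char)line[i];
        /* reject oversized parameters and control characters before storing */
        if (n >= MAX_PARAM || c < 0x20 || c == 0x7f) return PARSE_BAD_PARAM;
        out->param[n++] = (char)c;
    }
    return PARSE_OK;
}

/* Builds "<verb> <fill repeated>\r\n", the shape of a fuzzer test case, and
 * returns the hardened parser's verdict (-1 on allocation failure). */
int check_fuzz_case(const char *verb, char fill, size_t repeats)
{
    struct ftp_cmd cmd;
    size_t vlen = strlen(verb);
    char *line = malloc(vlen + repeats + 4);
    if (!line) return -1;
    memcpy(line, verb, vlen);
    line[vlen] = ' ';
    memset(line + vlen + 1, fill, repeats);
    memcpy(line + vlen + 1 + repeats, "\r\n", 3);   /* terminator plus NUL */
    int rc = parse_line(line, &cmd);
    free(line);
    return rc;
}
```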

Figure 2: The FTPStress Fuzzer tries to provoke an error in the FTP server. Here it succeeded and the server crashed.

Once configuration is complete, clicking the start button launches the fuzzer. FTPStress Fuzzer displays the commands sent and the server's responses to them in a log window. In a test against the FTP server ProFTP, it was no longer possible to connect to the server after just a short time: the FTP server had signed off with a crash. Infigo looked for bugs in other FTP servers in the same manner, and didn't look in vain. In G6 FTP Server, ArGoSoft FTP Server, FileZilla, WarFTPd and Golden FTP, the bugs could even be exploited to inject code [3].

FTPStress Fuzzer is easy to use and gives developers the opportunity to carry out a rough-and-ready test of how their programs process user parameters. The downside is that the tool enables amateur scripters to shoot down vulnerable servers in no time at all.

Permalink: http://h-online.com/-747187