Vigil@nce: Filezilla, file truncating
August 2008 by Vigil@nce
SYNTHESIS
An attacker can force the connection to break. The victim will not
receive the entire file, and FileZilla will not display any error
message.
Gravity: 3/4
Consequences: data deletion, denial of service of client
Provenance: internet client
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 01/08/2008
Identifier: VIGILANCE-VUL-7986
IMPACTED PRODUCTS
– Fedora [confidential versions]
– Microsoft Windows - platform
– Unix - platform
DESCRIPTION
The FileZilla FTP client offers secure SSL/TLS connections.
When a file transfer is finished, the FTP server performs an orderly
TLS shutdown (it sends a close_notify alert before closing the
connection). FileZilla does not check whether the server performed
this orderly TLS shutdown.
An attacker can send a FIN packet to the FileZilla client in order to
cut the data transfer. The victim will not realize that the received
file is incomplete, because FileZilla gives no warning.
An attacker can therefore force the data transfer to break without
the victim noticing.
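The check FileZilla skipped, as an added example that is not part of the advisory or of FileZilla's code: a local TLS server streams a constructed file and then either shuts down properly (close_notify) or just drops the TCP connection, and a client written with Python's ssl module reads it with suppress_ragged_eofs=True (the default, which reproduces the behaviour described above: the cut transfer looks like a normal end of file) and with suppress_ragged_eofs=False, where the bare FIN is reported as an error. It assumes the openssl command-line tool is on PATH to mint a throwaway self-signed certificate.

```python
import contextlib, os, socket, ssl, subprocess, tempfile, threading

PAYLOAD = b"A" * 4096   # constructed "file"; a cut transfer stops after half of it

def make_cert(tmp):
    """Mint a throwaway self-signed cert for localhost with the openssl CLI (assumed on PATH)."""
    key, crt = os.path.join(tmp, "key.pem"), os.path.join(tmp, "cert.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost",
                    "-keyout", key, "-out", crt], check=True, capture_output=True)
    return key, crt

def serve_once(listener, key, crt, orderly):
    """Server side: send the file, then end with close_notify or with a bare TCP FIN."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(crt, key)
    tls = ctx.wrap_socket(listener.accept()[0], server_side=True)
    tls.sendall(PAYLOAD if orderly else PAYLOAD[:2048])
    if orderly:
        with contextlib.suppress(OSError):
            tls.unwrap().close()          # TLS close_notify alert, then FIN
    else:
        tls.shutdown(socket.SHUT_WR)      # FIN with no close_notify: what a cut connection looks like
    tls.close()

def download(port, crt, strict):
    """Client side: return (bytes_received, truncation_detected); strict=False is FileZilla's behaviour."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # verifies server cert and hostname by default
    ctx.load_verify_locations(crt)
    tls = ctx.wrap_socket(socket.create_connection(("127.0.0.1", port), timeout=5),
                          server_hostname="localhost", suppress_ragged_eofs=not strict)
    got, truncated = b"", False
    try:
        while chunk := tls.recv(65536):   # b"" after close_notify, and also after a bare FIN
            got += chunk                  # when ragged EOFs are suppressed (the default)
    except ssl.SSLEOFError:               # strict client: FIN without close_notify is an error
        truncated = True
    tls.close()
    return len(got), truncated

def run_case(orderly, strict):
    """One transfer through a local server thread; returns what download() reports."""
    with tempfile.TemporaryDirectory() as tmp, socket.create_server(("127.0.0.1", 0)) as listener:
        key, crt = make_cert(tmp)
        worker = threading.Thread(target=serve_once, args=(listener, key, crt, orderly), daemon=True)
        worker.start()
        result = download(listener.getsockname()[1], crt, strict)
        worker.join(5)
    return result
```

The same rule applies to an FTP-over-TLS client: end of data without a close_notify alert must be treated as a failed transfer, not as end of file.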
CHARACTERISTICS
Identifiers: 457274, FEDORA-2008-6812, FEDORA-2008-6865,
VIGILANCE-VUL-7986