Broker FTP Server 5.9.5.0 Buffer Overflow / DoS / Directory Traversal

TESTED ON

Broker FTP Server 5.9.5.0 on Windows 98, likely to work on NT / 2k

DESCRIPTION

1) Buffer Overflow / DoS

The DoS, which completely freezes the victim machine, can be triggered by repeatedly sending the following command (after logging in):

    CWD . .

(CD ". ." with an FTP client), or even better by adding some more spaces between the dots:

    CWD .     .

The server seems to regard these dirs as valid and appends them to the current path, causing a DoS after a certain bound has been reached... (I think you have to repeat the last one about 30 times or so...) I have attached the script brokerdos.pl which automates this.

Maybe I'm getting delusional, but I have been able once to make Broker FTP Server crash this way, setting the EIP to something like " .\" (and my SoftIce popped up), so this buffer overflow might be exploitable... I have not been able to reproduce this situation afterwards, though. Also, the file at C:\Program Files\TransSoft Ltd\Broker 5\Data\Errors.log gave me access violations at offsets that were definitely taken from the input string (like 20202020, 2020202E etc...).

2) Directory Traversal

You can map out the contents of every drive available to the system in the following manner... (You don't seem to be able to upload / download files, though.)

To go out of the home directory, type the following in your FTP client:

    CD C:

or

    CD C:\

(You can also go to the A: drive with CD A:, or to CD-ROMs and network drives.)

Now you can list out the contents of the drive with the FTP client:

    LS

And dive into subdirs with something like:

    CD C:\WINDOWS\

etc...

Although you can map every drive, you don't seem to be able to send/receive files. It is also possible to traverse the home directory using UNC pathnames (starting with \\), which might be used to remotely access local shares.
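As an added defensive illustration (this is not Broker FTP Server's code; the home directory, the path length cap and the rejection rules are assumptions), a CWD handler in Python that refuses the dot-and-space components, drive-letter and UNC arguments described above and confines the normalised result to the client's home directory:

```python
import ntpath
import re

# Assumed home directory and path bound for this example.
HOME = r"C:\ftproot\user"
MAX_PATH_LEN = 260   # keep the resolved path bounded so repeated CWDs cannot grow it

# "C:", "C:\...", "\\host\share", "//host/share" are never acceptable CWD arguments
_DRIVE_OR_UNC = re.compile(r"^(?:[A-Za-z]:|\\\\|//)")
_SEPARATORS = re.compile(r"[\\/]+")


def _component_ok(part):
    """Accept ordinary names plus '.' and '..'; reject dot/space-only junk like '. .'."""
    if part in (".", ".."):
        return True
    if part.strip(". ") == "":           # ". .", " .", "...", "   " ...
        return False
    if part != part.rstrip(". "):         # Windows silently drops trailing dots/spaces
        return False
    return ":" not in part and "\x00" not in part


def resolve_cwd(current, arg):
    """Return the new absolute directory inside HOME, or None if the request is rejected."""
    if not arg or _DRIVE_OR_UNC.match(arg):
        return None
    base = HOME if arg[0] in "\\/" else current   # leading separator means home, never drive root
    parts = [p for p in _SEPARATORS.split(arg) if p != ""]
    if not all(_component_ok(p) for p in parts):
        return None
    candidate = ntpath.normpath(ntpath.join(base, *parts)) if parts else base
    # Confinement is checked after normalisation, so ".." can never escape HOME
    if candidate != HOME and not candidate.startswith(HOME + "\\"):
        return None
    if len(candidate) > MAX_PATH_LEN:
        return None
    return candidate


def simulate_session(commands, current=HOME):
    """Replay a constructed list of CWD arguments; return (final_dir, rejected_args)."""
    rejected = []
    for arg in commands:
        new = resolve_cwd(current, arg)
        if new is None:
            rejected.append(arg)
        else:
            current = new
    return current, rejected
```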
VENDOR STATUS

I have sent this advisory to <supportat_private>

You can get the updated advisory at http://elf.box.sk/byterage/adv7.htm

======================================================
[ByteRage] <byterageat_private> [www.byterage.cjb.net]
======================================================
This archive was generated by hypermail 2b30 : Sun Jun 10 2001 - 13:20:51 PDT