
Broker FTP Server 5.9.5.0 Vulnerability

by phiber on June 10th, 2001

This article describes two vulnerabilities in Broker FTP Server 5.9.5.0: a denial of service (buffer overflow) and a directory traversal.


1) Buffer Overflow / DoS



The DoS, which completely freezes the victim machine,
can be triggered by repeatedly sending
the following command (after logging in):



CWD . .

(CD ". ." with an FTP client)



or even better by adding some more spaces between the
dots:

CWD .     .



the server seems to regard these dirs as valid and
appends them to the current path, causing a DoS after
a certain bound has been reached... (I think you have
to repeat the last one about 30 times or so...)



I have attached the script brokerdos.pl which
automates this.



Maybe I'm getting delusional, but I have been able
once to make Broker FTP Server crash this way setting
the EIP to something like " ." (and my SoftIce
popped up) so this buffer overflow might be
exploitable... I have not been able to reproduce this
situation afterwards though.



Also, the file at C:\Program Files\TransSoft
Ltd\Broker 5\Data\Errors.log gave me access violations
at offsets that were definitely taken from the input
string. (like 20202020, 2020202E etc...)



2) Directory Traversal



You can map out the contents of every drive available
to the system in the following manner...

(You don't seem to be able to upload / download files
though)



To go out of the home directory type the following in
your FTP client:



CD C:\ or CD C:



(you can also go to the A: drive with CD A: (or
CD-roms & network drives))

Now you can list out the contents of the drive with
the FTP client:



LS



And dive into subdirs with something like:



CD C:\WINDOWS



etc...

Although you can map every drive, you don't seem to be
able to send/receive files. It is also possible to
traverse the home directory using UNC pathnames
(starting with \\) which might be used to remotely
access local shares.


by ByteRage [www.byterage.cjb.net] on the Bugtraq mailing list.
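Added example (not part of the original post and not TransSoft's code): a Python model of a CWD handler that shows both reported problems next to a hardened version. vulnerable_cwd joins the argument onto the current path unchecked, so ". ." is accepted as a directory name and the path grows without bound (the DoS), and a drive-rooted or UNC argument replaces the home directory (the traversal). safe_cwd refuses drive letters, rooted and UNC paths, ".." above the home directory, names made only of dots and spaces, and results longer than MAX_PATH. The home directory C:\ftproot\user, the 260-character bound, the function names and the simulated sessions are all assumptions for the example; the real server's internal buffer size is not known from the report.

```python
"""Model of the two Broker FTP Server issues described above (added example,
not TransSoft's code). Two CWD resolvers are shown side by side:

  vulnerable_cwd  - appends the argument to the current path unchecked, the
                    behaviour the report describes: '. .' is accepted as a
                    directory name and the path grows without bound, while a
                    drive-rooted or UNC argument replaces the home directory.
  safe_cwd        - confines every CWD to the home directory and rejects
                    garbage names and over-long results with an FTP 550 reply.

HOME and MAX_PATH_LEN are constructed for the example; the real server's
buffer size is not known from the report.
"""
import ntpath
import re

HOME = "C:\\ftproot\\user"   # constructed sample home directory (assumption)
MAX_PATH_LEN = 260            # Windows MAX_PATH, used as the bound in safe_cwd

# A Windows directory name may not contain these characters or control codes.
_VALID_COMPONENT = re.compile(r'^[^\\/:*?"<>|\x00-\x1f]+$')


class CwdError(Exception):
    """A CWD argument the hardened resolver refuses; str() is the 550 reply."""


def vulnerable_cwd(current, arg):
    """Model of the reported behaviour: join without validation or bound.

    '. .' is neither '.' nor '..', so it is treated as an ordinary name and
    appended; ntpath.join honours 'C:\\' and '\\\\server\\share' as absolute,
    so those discard `current` entirely (the traversal).
    """
    return ntpath.join(current, arg)


def safe_cwd(current, arg, home=HOME):
    """Resolve `arg` relative to `current`, confined below `home`.

    Returns the new absolute path or raises CwdError carrying the 550 reply.
    """
    # Anything the OS would treat as absolute never reaches the filesystem:
    # 'C:', 'C:\\', 'A:', '\\WINDOWS' and '\\\\server\\share' all stop here.
    if ntpath.splitdrive(arg)[0] or arg[:1] in ("\\", "/"):
        raise CwdError("550 drive letters, rooted paths and UNC names are not allowed")

    # Current position as a stack of components relative to home.
    if not current.lower().startswith(home.lower()):
        raise CwdError("550 current directory is outside the home directory")
    stack = [c for c in re.split(r"[\\/]+", current[len(home):]) if c]

    for comp in re.split(r"[\\/]+", arg):
        if comp in ("", "."):
            continue
        if comp == "..":
            if not stack:
                raise CwdError("550 cannot ascend above the home directory")
            stack.pop()
            continue
        # Names made only of dots and spaces ('. .', '.   .') or ending in a
        # dot or space are not real directories on Windows; appending them
        # verbatim is exactly the unbounded growth the report describes.
        if not _VALID_COMPONENT.match(comp) or comp != comp.rstrip(" ."):
            raise CwdError("550 %r is not a valid directory name" % comp)
        stack.append(comp)

    new_path = ntpath.join(home, *stack)
    if len(new_path) > MAX_PATH_LEN:
        raise CwdError("550 resulting path exceeds %d characters" % MAX_PATH_LEN)
    return new_path


def simulate_session(handler, commands, start=HOME):
    """Feed a list of CWD arguments through `handler`, as a client script
    would; returns the final directory and the FTP-style reply for each."""
    cwd, replies = start, []
    for arg in commands:
        try:
            cwd = handler(cwd, arg)
            replies.append("250 CWD command successful")
        except CwdError as exc:
            replies.append(str(exc))
    return cwd, replies


if __name__ == "__main__":
    # The report's DoS: repeated 'CWD . .' keeps growing the path in the
    # vulnerable resolver; the hardened one refuses the first attempt.
    path, _ = simulate_session(vulnerable_cwd, [". ."] * 30)
    print(len(path), path[-12:])
    print(simulate_session(safe_cwd, ["pub", "..", ". .", "C:\\", "\\\\srv\\share"]))
```

The hardened resolver works on a virtual component stack rather than on the OS path, so ".." is collapsed before anything touches the filesystem and the drive-letter, rooted and UNC forms that escape the home directory in the report are all rejected at the first check.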

