Bugtraq mailing list archives

Broker FTP Server 5.9.5.0 Buffer Overflow / DoS / Directory Traversal


From: ByteRage <byterage () yahoo com>
Date: Sun, 10 Jun 2001 01:38:04 -0700 (PDT)


Broker FTP Server 5.9.5.0 Buffer Overflow / DoS /
Directory Traversal

TESTED ON

Broker FTP Server 5.9.5.0 on Windows 98, likely to
work on NT / 2k 

DESCRIPTION

1) Buffer Overflow / DoS

The DoS, which completely freezes the victim machine,
can be triggered by repeatedly sending
the following command (after logging in):

CWD . .
(CD ". ." with an FTP client)

or even better by adding some more spaces between the
dots:
CWD .                                                .

The server seems to regard these dirs as valid and
appends them to the current path, causing a DoS after
a certain bound has been reached... (I think you have
to repeat the last one about 30 times or so...)

I have attached the script brokerdos.pl which
automates this.

Maybe I'm getting delusional, but I have been able
once to make Broker FTP Server crash this way setting
the EIP to something like "  .\" (and my SoftIce
popped up) so this buffer overflow might be
exploitable... I have not been able to reproduce this
situation afterwards though.

Also, the file at C:\Program Files\TransSoft
Ltd\Broker 5\Data\Errors.log gave me access violations
at offsets that were definitely taken from the input
string. (like 20202020, 2020202E etc...)

2) Directory Traversal

You can map out the contents of every drive available
to the system in the following manner...
(You don't seem to be able to upload / download files
though)

To go out of the home directory type the following in
your FTP client:

CD C: or CD C:\

(you can also go to the A: drive with CD A: (or
CD-roms & network drives))
Now you can list out the contents of the drive with
the FTP client:

LS 

And dive into subdirs with something like:

CD C:\WINDOWS\

etc...
Although you can map every drive, you don't seem to be
able to send/receive files. It is also possible to
traverse the home directory using UNC pathnames
(starting with \\) which might be used to remotely
access local shares.

VENDOR STATUS

I have sent this advisory to <support () transsoft com>

You can get the updated advisory at
http://elf.box.sk/byterage/adv7.htm

======================================================
[ByteRage] <byterage () yahoo com> [www.byterage.cjb.net]
======================================================


Attachment: brokerdos.pl
Description: brokerdos.pl
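Added example (not part of ByteRage's post or the brokerdos.pl attachment): detection logic a defender could run over FTP server command logs to spot the two patterns described above, the dot-space-dot CWD arguments repeated toward the DoS bound and CWD arguments pointing at drive letters or UNC paths. The log line layout, client addresses and repeat threshold are constructed assumptions, since the post does not show Broker's log format.

```python
import re
from collections import Counter

# Constructed log layout (an assumption; the post does not show Broker's real format):
# "<date> <time> <client-ip> <FTP command> [<argument>]"
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<ip>\S+) (?P<cmd>[A-Za-z]{3,4})(?: (?P<arg>.*))?$")
# "CWD . ." or "CWD .        .": a dot, one or more spaces, another dot
DOT_SPACE_DOT = re.compile(r"^\.\s+\.$")
# Absolute drive paths ("C:", "C:\WINDOWS\") or UNC paths ("\\host\share")
DRIVE_OR_UNC = re.compile(r"^(?:[A-Za-z]:|\\\\)")

def classify_cwd(arg):
    """Label one CWD argument; None when it looks benign (e.g. 'pub' or '..')."""
    if DOT_SPACE_DOT.match(arg):
        return "dot-space-dot"
    if DRIVE_OR_UNC.match(arg):
        return "drive-or-unc-traversal"
    return None

def scan_log(lines, dos_threshold=10):
    """Return (findings, suspected_dos_ips): every suspicious CWD as (ip, label),
    plus clients that repeated dot-space-dot at least dos_threshold times
    (the post reports the freeze after roughly 30 repetitions)."""
    findings = []
    repeats = Counter()
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m or m.group("cmd").upper() != "CWD":
            continue
        label = classify_cwd(m.group("arg") or "")
        if label is None:
            continue
        findings.append((m.group("ip"), label))
        if label == "dot-space-dot":
            repeats[m.group("ip")] += 1
    suspected = sorted(ip for ip, n in repeats.items() if n >= dos_threshold)
    return findings, suspected

# Constructed sample log: one client hammering "CWD . .", another probing drives and UNC
SAMPLE_LOG = [
    "2001-06-10 01:38:04 10.0.0.5 USER anonymous",
    "2001-06-10 01:38:05 10.0.0.5 CWD pub",
    "2001-06-10 01:38:06 10.0.0.5 CWD . .",
] + [
    "2001-06-10 01:38:%02d 10.0.0.5 CWD .        ." % s for s in range(7, 19)
] + [
    "2001-06-10 01:40:01 10.0.0.9 CWD ..",
    "2001-06-10 01:40:02 10.0.0.9 CWD C:\\",
    "2001-06-10 01:40:03 10.0.0.9 CWD \\\\fileserver\\share",
]
```

A plain ".." stays unflagged on purpose: it is a normal parent-directory change, and only the dot-space-dot form and absolute drive/UNC arguments match what the post describes.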
