COMMAND
ws_ftp
SYSTEMS AFFECTED
ws_ftp pro 6.51
PROBLEM
Crawling KingSnake found the following. ws_ftp pro 6.51 exposes
internal IP addresses when connecting using PASV mode and the
target site is using ipfilter. This was tested on a network using
OpenBSD 2.7 as the firewall/gateway with several internally
addressed machines running different server applications. Here
is a log:
230 User xxxxx logged in.
PWD
257 "/" is current directory.
Host type (I): Microsoft NT
PORT 209,74,14,36,6,60
200 PORT command successful.
LIST
150 Opening ASCII mode data connection for /bin/ls.
! Accept error: Blocking call cancelled
! Retrieve of folder listing failed (0)
QUIT
425 Can't open data connection.
- -
connecting to 216.37.xx.xx:2100
Connected to 216.37.xx.xx port 2100
220 saranac Microsoft FTP Service (Version 5.0).
USER xxx
331 Password required for xxxx.
PASS (hidden)
230-========================================
<snip>
230-
230-
230 User xxxx logged in.
PWD
257 "/" is current directory.
Host type (I): Microsoft NT
PASV
227 Entering Passive Mode (192,168,1,5,6,184).
connecting to 192.168.1.5:1720
- -
connecting to 192.168.1.5:1720
! Connection failed 192.168.1.5 - host unreachable
! connect: error 0
PORT 209,74,14,36,6,63
200 PORT command successful.
LIST
150 Opening ASCII mode data connection for /bin/ls.
! Timer cancelled blocking call
! Accept error: Blocking call cancelled
! Retrieve of folder listing failed (0)
QUIT
425 Can't open data connection.
CK has cleansed the log to protect the network. But as you can
see the first attempt fails and somehow the internal address is
exposed to ws_ftp and then to the user. The second login attempt
happens automatically, immediately after the first login failure.
A malicious person could use this information to specifically
target the internal machines if/when a breach of the gateway box
occurs.
SOLUTION
Vendor was notified but no response.