COMMAND
ftp bounce attack
SYSTEMS AFFECTED
Most systems
PROBLEM
The following text is based on CERT Advisory CA-97.27 - FTP_bounce.
In the past few years there have been ongoing discussions about a
problem known as "FTP bounce." In its simplest terms, the problem
is based on the misuse of the PORT command in the FTP protocol. To
understand the FTP bounce attack, please see the tech tip at:
ftp://ftp.cert.org/pub/tech_tips/FTP_PORT_attacks
The core component of the problem is that by using the PORT
command in active FTP mode, an attacker may be able to establish
connections to arbitrary ports on machines other than the
originating client. This behavior is RFC compliant, but it is
also potentially a source of security problems for some sites. The
example attacks described in the tech tip demonstrate the
potential of this vulnerability.
Some attacks rely on an intermediate file being uploaded to one or
more server machines via (usually anonymous) FTP. This file is
used in a later phase of the attack.
An attacker may be able to establish a connection between the FTP
server machine and an arbitrary port on another system. This
connection may be used to bypass access controls that would
otherwise apply.
The following links cover this issue and may help the reader:
http://www.secnet.com/papers/ftp-paper.html
http://www.rootshell.com/hacking/ftpBounceAttack
ftp://ftp.avian.org/random/ftp-attack
SOLUTION
Because the core element of the attack (the FTP server can
establish connections to arbitrary machines and arbitrary ports)
is also a required component for RFC compliance, there is no
clear-cut solution. Consequently, many vendors offer solutions
that allow sites offering the FTP service to make the choice that
best suits them.
Cray Research - A Silicon Graphics Company
------------------------------------------
The ftpd supplied with Unicos and Unicos/mk is vulnerable to it;
Cray is working on a better solution.
Digital Unix
------------
DIGITAL UNIX ftpd V3.2g, V4.0, V4.0a, V4.0b, V4.0c are vulnerable.
Digital strongly recommends upgrading to a minimum of Digital UNIX
V4.0b accordingly, and that the appropriate patch kit be installed
immediately. This potential security problem has been resolved,
and an official patch for it has been made available as an early
release kit for DIGITAL UNIX V4.0a
(duv40ass0000600041100-19980317.*) and is included in the latest
DIGITAL UNIX V4.0b aggregate DUPATCH Kit.
The V3.2g aggregate BL 10 patch kit #5
is scheduled for release in late June 1998.
The V4.0 aggregate BL 9 patch kit #6
is scheduled for release mid May 1998.
The V4.0c aggregate BL10 patch kit #6
is scheduled for release mid May 1998.
The fix for this problem is included in the distributed release of
DIGITAL UNIX V4.0d. Go to:
http://www.service.digital.com/html/patch_service.html
and then choose the appropriate version directory and download the
patch accordingly. The appropriate patch kit must be installed
following any upgrade to V4.0a, V4.0b, or V4.0c.
The FreeBSD Project
-------------------
FreeBSD 2.2.0 and all later releases do not allow the FTP bounce
attack (unless explicitly allowed by the -R option). FreeBSD 2.1.7
and earlier releases can be abused by the bounce attack.
Hewlett-Packard Company
-----------------------
This problem is addressed in HP Security Bulletin 028. This bulletin
can be found at one of these URLs:
http://us-support.external.hp.com
http://europe-support.external.hp.com
Security Bulletin 028: Security Vulnerability in FTP:
Platform/Release   Current patch           Original patch
----------------   ---------------------   ---------------------
s300 8.00          None                    None
s300 9.00          PHNE_6146               PHNE_6146
s300 9.03          PHNE_6146               PHNE_6146
s300 9.10          PHNE_6146               PHNE_6146
s700 9.01          PHNE_10008              PHNE_6013
s700 9.03          PHNE_10008              PHNE_6013
s700 9.05          PHNE_10008              PHNE_6013
s700 9.07          PHNE_10008              PHNE_6013
s700 9.09          PHNE_6169, PHNE_6170    PHNE_6169, PHNE_6170
s700 10.00         PHNE_10009              PHNE_6014
s700 10.01         PHNE_10009              PHNE_6014
s700 10.09         PHNE_5965               PHNE_5965
s700 10.10         PHNE_10009              None
s800 9.00          PHNE_10008              PHNE_6013
s800 9.04          PHNE_10008              PHNE_6013
s800 9.08          PHNE_6171               PHNE_6171
s800 10.00         PHNE_10009              PHNE_6014
s800 10.01         PHNE_10009              PHNE_6014
s800 10.10         PHNE_10009              None
IBM Corporation
---------------
All AIX ftp servers are vulnerable to the FTP bounce attack. The
following fixes are in progress:
AIX 3.2: upgrade to v4
AIX 4.1: IX73075
AIX 4.2: IX73076
AIX 4.3: IX73077
MadGoat
-------
This problem is fixed in MGFTP V2.2-2. That version restricts
the port numbers to ports above 1024. However, it does not block
access to third-party machines. V2.2-4 will do that as well.
Microsoft Corporation
---------------------
MS prevents this attack by disallowing "third party" transfers.
This is done via a modification to the MS implementation of the
PORT command. When the FTP server receives a PORT command, the
specified IP address *must* match the client's source IP address
for the control channel. MS has one other fix in which we
disallow the PORT command from specifying reserved ports (those
less than 1024) except port 20 (the default data port). By
default, any client attempt to issue a PORT command with (port <
1024 && port != 20) will cause the PORT command to fail. This
check can be disabled by setting the EnablePortAttack registry value.
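As an added illustration (not code from CERT, Microsoft or any vendor's ftpd), the following C function applies the two server-side checks described in the PROBLEM section and in the Microsoft entry: the PORT address must equal the control connection's peer, and ports below 1024 other than 20 are refused unless the administrator opts in. It assumes IPv4, a PORT argument with the trailing CRLF already stripped, and a peer address supplied as a dotted-quad string; the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Parse an FTP PORT argument, "h1,h2,h3,h4,p1,p2", into a dotted-quad
 * string and a port number (p1*256 + p2, per RFC 959).
 * Returns 1 on success, 0 if the argument is malformed. */
static int parse_port_arg(const char *arg, char *ip, size_t iplen, int *port)
{
    unsigned int h[4], p[2];
    char trailing;

    /* The extra %c only matches if junk follows the six numbers. */
    if (sscanf(arg, "%u,%u,%u,%u,%u,%u%c",
               &h[0], &h[1], &h[2], &h[3], &p[0], &p[1], &trailing) != 6)
        return 0;
    for (int i = 0; i < 4; i++)
        if (h[i] > 255)
            return 0;
    if (p[0] > 255 || p[1] > 255)
        return 0;
    snprintf(ip, iplen, "%u.%u.%u.%u", h[0], h[1], h[2], h[3]);
    *port = (int)(p[0] * 256 + p[1]);
    return 1;
}

/* Decide whether a PORT request may be honoured: the data address must be
 * the control connection's peer (no third-party transfers), and reserved
 * ports other than 20 are refused unless allow_reserved is set (the role
 * EnablePortAttack plays in the Microsoft description). Hypothetical API. */
int port_request_allowed(const char *arg, const char *control_peer_ip,
                         int allow_reserved)
{
    char ip[16];                       /* "255.255.255.255" plus NUL */
    int port;

    if (!parse_port_arg(arg, ip, sizeof ip, &port))
        return 0;                      /* 501 syntax error */
    if (strcmp(ip, control_peer_ip) != 0)
        return 0;                      /* would bounce to a third party */
    if (!allow_reserved && port < 1024 && port != 20)
        return 0;                      /* would reach a privileged service */
    return 1;
}

int main(void)
{
    const char *peer = "192.0.2.10";   /* constructed control-channel peer */
    printf("%d\n", port_request_allowed("192,0,2,10,4,1", peer, 0));   /* 1 */
    printf("%d\n", port_request_allowed("198,51,100,7,4,1", peer, 0)); /* 0 */
    printf("%d\n", port_request_allowed("192,0,2,10,0,25", peer, 0));  /* 0 */
    return 0;
}
```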
NCR Corporation
---------------
Apply one of the following patches depending on the revision of
the inet package installed on your system. To check its version,
execute:
pkginfo -x inet
For inet 5.01.xx.xx: - PINET501 (Version later than 05.01.01.62)
For inet 6.01.xx.xx: - PINET601 (Version later than 06.01.00.22)
For inet 6.02.xx.xx: - PINET602 (Version later than 06.02.00.03)
A new ftpd man page describes how to enable the old RFC-compliant
behavior.
The NetBSD Project
------------------
There are no patches for NetBSD 1.2.1 or prior; however, the ftpd
sources available from:
ftp.netbsd.org:/pub/NetBSD/NetBSD-current/src/libexec/ftpd
should work on a NetBSD 1.2.1 machine.
The OpenBSD project
-------------------
FTP bounce can be addressed in the operating system by fixing all
vulnerable services so that they check for, and refuse, connections
originating from port 20. Since this has been done in OpenBSD,
OpenBSD is not vulnerable and does NOT NEED a restricted PORT
command. The fix applies from OpenBSD 2.1 onward (i.e. to both 2.1
and 2.2).
Red Hat Software
----------------
We ship wu-ftpd, so this isn't a problem for RH.
The Santa Cruz Operation, Inc.
------------------------------
SCO has determined that the following operating systems are
vulnerable to the ftp-bounce attack:
OpenServer 5.0.4
UnixWare 2.1
ODT 3.0
CMW+
SCO is currently working on a fix to this problem.
Siemens-Nixdorf Informationssysteme AG
--------------------------------------
ReliantUNIX is vulnerable. The problem has been corrected in the
current sources. Patches will be developed (as necessary) and
made available via your Siemens-Nixdorf customer service.
Sun Microsystems, Inc.
----------------------
Sun's FTP server software in SunOS 4.1.x and 5.x allows PORT
requests to make data connections to arbitrary hosts. Prior to
SunOS 2.6, Sun's FTP server software also allows data connections
to arbitrary ports. In SunOS 2.6, the FTP server software does
not accept PORT requests to make data connections to well-known
(privileged) ports. Sun has also released the following patches
that prevent Sun's FTP server software from accepting PORT
requests to make data connections to well-known ports for the
following SunOS releases:
103603-05 SunOS 5.5.1
103604-05 SunOS 5.5.1_x86
103577-06 SunOS 5.5
103578-06 SunOS 5.5_x86
101945-51 SunOS 5.4
101946-45 SunOS 5.4_x86
104938-01 SunOS 5.3
104477-03 SunOS 4.1.4
104454-03 SunOS 4.1.3_U1
wu-ftpd
-------
The wu-ftpd package addresses the FTP bounce problem by ensuring
that the PORT command cannot be used to establish connections to
machines other than the originating client. Please read the
wu-ftpd README file "FIXES-2.4-HOBBIT" before installing the
package. The latest version of wu-ftpd, which we recommend, is
available from:
ftp://ftp.academ.com/pub/wu-ftpd/private/wu-ftpd-2.4.2-beta-15.tar.Z
Your site should offer anonymous upload facilities only if it is
absolutely necessary. Even then, you must carefully configure the
incoming area. For further details, see "Anonymous FTP
Configuration Guidelines" at:
ftp://ftp.cert.org/pub/tech_tips/anonymous_ftp_config
Note that these steps only repel attacks that rely on intermediate
uploads. The steps are not effective against other attacks. If
your site allows file uploads, you're urged to ensure that the FTP
service restricts the PORT command so that it can only be used to
connect to the originating client.