COMMAND

    Source Port Vulnerability

SYSTEMS AFFECTED

    Most firewalls that let port 20 through unchecked

PROBLEM

    Source porting is when an attacker specifies the source port that
    a connection will originate from (on his own machine), or when the
    source port is spoofed.  For example, ftp usually uses two ports:
    port 21 and port 20.  Port 21 is the port a client connects to in
    order to initiate a session.  When someone BEHIND the firewall FTPs
    out to another machine and begins a download, the remote host opens
    a connection FROM its port 20 TO the machine behind the firewall.
    For this to work, the firewall must allow connections to be made
    FROM port 20 on an outside machine TO a port >1024 on an inside
    machine.  This rule, like any other rule written the same way,
    opens a large hole: the filter cannot tell a server's data
    connection from one an attacker initiates himself.  An attacker can
    initiate connections FROM port 20 on his machine TO any port >1024
    on a machine behind the firewall, completely bypassing many of the
    proxy and filtering rules.  He can use this to scan the internal
    machines, or use his creativity to get certain services past the
    firewall.  The same applies to every port handled in this manner.

SOLUTION

    Force the use of PASV ftp on the proxy server.  With PASV the data
    connection is opened by the inside client TO a port the remote
    server announces, so the connection originates from the inside and
    inbound port 20 can be blocked outright.

    (NOTE: What about port 21?  Port 21 is normally filtered through
    the packet filtering rules on a firewall, since the connection to
    it originates from the inside client.  Port 20, however, is a
    slightly different story and subject to different rules simply
    because of the way it behaves: the connection originates from the
    remote, outside machine.)