FTP Bounce Vulnerability Found

CVE 1999-0017

Impact

A malicious user may be able to create a connection between the FTP server and any other system on an arbitrary port. The connection could be used to bypass access control restrictions and allow an attacker to scan ports on private networks.

Background

An FTP session consists of two connections between the client and the server. The control connection is initiated by the client and allows the client to send commands to the server. When the client wants to transfer data to or from the server, it issues a PORT command. The PORT command instructs the server to open a data connection which is used to transfer the data.

The PORT command is normally used only to open connections between the server and the client. However, the FTP protocol specifies that the PORT command may be used to open connections between the server and any other host. Therefore, the client can instruct the server to establish an FTP data connection with any host the server can access, even if the client does not have access to it.

The Problem

An outside attacker can use the FTP server to open connections which appear to originate from the server. This could be used to bypass the access control restrictions.

Other related CVE entries:
CVE 2002-0139 SpoonFTP
CAN 2002-0222 Etype Eserv 2.97

Resolution

Configure the FTP server not to allow connections to be established with any host other than the client. See CERT Advisory 1997-27 for information from your particular vendor. If your vendor's FTP server does not allow this feature to be disabled, and there is no patch available, consider installing the latest version of wu-ftpd, which does not have this problem.

Since the FTP protocol specifies that the PORT command may be used to establish a connection with any host, it is possible, though unlikely, that this solution could affect certain applications that use FTP.
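The server-side check described in this resolution can be sketched as follows. This is an added example, not code from wu-ftpd or any vendor's server: the function names and result strings are hypothetical, the addresses are constructed documentation addresses, and the refusal of ports below 1024 is an extra assumption that this page does not state.

```python
import ipaddress

def parse_port_argument(arg):
    """Parse an RFC 959 PORT argument 'h1,h2,h3,h4,p1,p2' into (host, port)."""
    fields = arg.strip().split(",")
    if len(fields) != 6:
        raise ValueError("PORT needs six comma-separated fields")
    values = []
    for field in fields:
        # Accept only plain ASCII decimal 0-255: no signs, spaces or empty fields.
        if not (field.isascii() and field.isdigit() and len(field) <= 3):
            raise ValueError(f"invalid PORT field {field!r}")
        value = int(field)
        if value > 255:
            raise ValueError(f"PORT field out of range: {value}")
        values.append(value)
    host = ipaddress.IPv4Address(bytes(values[:4]))
    port = values[4] * 256 + values[5]  # p1 is the high byte, p2 the low byte
    return host, port

def check_port_command(arg, control_peer_ip, min_port=1024):
    """Classify a PORT request: 'ok', 'syntax', 'foreign-host' or 'low-port'."""
    try:
        host, port = parse_port_argument(arg)
    except ValueError:
        return "syntax"
    # The fix described above: the data connection may only go back to the
    # address the control connection came from.
    if host != ipaddress.IPv4Address(control_peer_ip):
        return "foreign-host"
    # Assumption (not from this page): also refuse well-known ports.
    if port < min_port:
        return "low-port"
    return "ok"

if __name__ == "__main__":
    client = "192.0.2.10"                # constructed control-connection peer
    for arg in ("192,0,2,10,19,137",     # client's own address, port 5001
                "198,51,100,7,19,137",   # names a third-party host
                "192,0,2,10,0,25",       # own address, privileged port
                "192,0,2,10,19"):        # malformed: only five fields
        print(f"PORT {arg:<20} -> {check_port_command(arg, client)}")
```

A server applying this check answers every result other than `ok` with an error reply and opens no data connection.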

Where can I read more about this?

A detailed description of this vulnerability can be found in CERT® Advisory 1997-27, which is a great place to find all vendor information and a summary of the vulnerability. "FTP Bounce Attack", written by Hobbit, is another useful article.