FTP Bounce Vulnerability Found
CVE 1999-0017
Impact
A malicious user may be able to create a connection between the FTP server
and any other system on an arbitrary port. The connection could be used
to bypass access control restrictions and allow an attacker to
scan ports on private networks.
Background
An FTP session consists of two connections between the client
and the server. The control connection is initiated by
the client and allows the client to send commands to the server.
When the client wants to transfer data to or from the server,
it issues a PORT command. The PORT
command instructs the server to open a data connection which
is used to transfer the data.
The PORT command is normally used only to open
connections between the server and the client. However, the FTP protocol
specifies that the PORT command may be used to open
connections between the server and any other host. Therefore, the client
can instruct the server to establish an FTP data connection
with any host the server can access, even if the client does not have
access to it.
The Problem
An outside attacker can use the FTP server to
open connections which appear to originate from
the server. This could be used to bypass the access control
restrictions.
Other related CVE entries:
CVE 2002-0139 SpoonFTP
CAN 2002-0222 Etype Eserv 2.97
Resolution
Configure the FTP server not to allow connections to be established with
any host other than the client. See
CERT Advisory 1997-27 for information from your particular vendor.
If your vendor's FTP server does not allow this feature to be disabled,
and there is no patch available, consider installing the latest
version of wu-ftpd, which
does not have this problem.
Since the FTP protocol specifies that the PORT command
may be used to establish a connection with any host, it is possible,
though unlikely, that this solution could affect certain
applications that use FTP.
Where can I read more about this?
A detailed description of this vulnerability can be found in
the following
document from CERT®.
CERT Advisory 1997-27 is a great place to
find all vendor information and a summary of the vulnerability.
FTP Bounce Attack, written by Hobbit, is another useful article.