SecurityTracker.com
Category:  Application (File Transfer)  >  EServ
Vendors:  Etype
EServ FTP Server Allows Remote Users to Generate Bounce Attacks Against Remote Servers and Allows Remote Users to Cause Denial of Service Conditions on the Server
Date:  Jan 29 2002
Impact:  Denial of service via network, Host/resource access via network
Fix Available:  Yes   Vendor Confirmed:  Yes  
Version(s): 2.97
Description:  Two vulnerabilities were reported in EServ's FTP server. A remote user can prevent other users from using passive mode. A remote user can also conduct 'bounce attacks' against arbitrary ports on arbitrary remote servers.

It is reported that the FTP server does not close sockets that are allocated when a remote user invokes the PASV command. A remote user can connect repeatedly to the server to cause it to listen on all ports from 1024 to 5000, after which no other remote users can use the PASV command. A restart is required to return the server to normal operations.

It is also reported that the FTP server can be used in a 'bounce attack', as there is apparently no restriction on the IP address or the port number that the server will open the data connection to.

A remote user can connect to the EServ FTP server and use the PORT command to instruct the server to open a return connection to an arbitrary IP address at an arbitrary port number.

Note that this behavior is specified by the applicable RFCs. However, many FTP servers allow for the PORT command to be restricted to avoid FTP bounce attacks.

For more information on FTP bounce attacks, see:

http://www.cert.org/tech_tips/ftp_port_attacks.html
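
The PORT restriction mentioned above, as an added example (not EServ's code or the vendor's fix): a server-side check that honours a PORT command only when the target is the address of the client's own control connection and the port is 1024 or higher. The function names, the 1024 floor and the reply texts are assumptions made for illustration.

```python
import ipaddress

MIN_DATA_PORT = 1024  # assumed policy: refuse well-known ports as PORT targets


def parse_port_argument(arg):
    """Parse the 'h1,h2,h3,h4,p1,p2' argument of an FTP PORT command.

    Returns (IPv4Address, port) or raises ValueError on malformed input.
    """
    fields = arg.strip().split(",")
    if len(fields) != 6:
        raise ValueError("PORT argument must have six comma-separated fields")
    octets = []
    for field in fields:
        # Only plain ASCII decimal digits; rejects signs, spaces, empty fields.
        if not (field.isascii() and field.isdigit()) or len(field) > 3:
            raise ValueError("non-numeric field in PORT argument")
        value = int(field)
        if value > 255:
            raise ValueError("field out of range in PORT argument")
        octets.append(value)
    address = ipaddress.IPv4Address(bytes(octets[:4]))
    port = octets[4] * 256 + octets[5]
    return address, port


def check_port_command(arg, control_peer_ip):
    """Decide whether a server should honour a PORT command.

    control_peer_ip is the source address of the client's control connection.
    Returns (allowed, reply) where reply is the FTP reply line to send.
    """
    try:
        address, port = parse_port_argument(arg)
    except ValueError:
        return False, "501 Syntax error in parameters or arguments."
    if address != ipaddress.IPv4Address(control_peer_ip):
        # Third-party target: the server would connect to a host the client chose.
        return False, "504 PORT address must match the control connection."
    if port < MIN_DATA_PORT:
        return False, "504 PORT to a port below 1024 is not allowed."
    return True, "200 PORT command successful."
```
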

Impact:  A remote user can prevent other users from using passive mode, requiring a server restart to return to normal operations.

A remote user can also cause the EServ FTP server to open connections to other servers. These connections could be used in a variety of attacks.

Solution:  The vendor has released a fixed version (2.98), available at:

ftp://ftp.eserv.ru/pub/beta/2.98/

The author of the report provides the following directions:

"Download the zip file and unzip the exe file inside so it overwrites the exe file from version 2.97."

Vendor URL:  www.eserv.ru/eserv/
Cause:  Configuration error, Resource error
Underlying OS:  Windows (Any)
Reported By:  "Arne Vidstrom" <arne.vidstrom@ntsecurity.nu>
Message History:   None.


 Source Message Contents

Date:  Tue, 29 Jan 2002 22:33:00 +0100
From:  "Arne Vidstrom" <arne.vidstrom@ntsecurity.nu>
Subject:  Vulnerabilities in EServ 2.97

 

There are a couple of vulnerabilities in EServ 2.97.

*** Vulnerability #1 ***

The FTP server doesn't close the sockets that are allocated from using the
PASV command. After all ports from 1024 to 5000 are listening (after running
a lot of PASV commands in a row) no users can use passive mode anymore until
the server is restarted.

This vulnerability is made even worse by the fact that the PASV command is
accepted before the user has authenticated.

*** Vulnerability #2 ***

The FTP server is vulnerable to the bounce attack. Not only does it not have
a restriction on the IP address that the data connection is opened to, but
it also does not have a restriction on the target port number at all.

*** Vendor response ***

The latest beta version fixes these two vulnerabilities and it can be found
at:

ftp://ftp.eserv.ru/pub/beta/2.98/

Download the zip file and unzip the exe file inside so it overwrites the exe
file from version 2.97.


/Arne Vidstrom, http://ntsecurity.nu

 



Copyright 2002, SecurityGlobal.net LLC