FTP privileged port bounce can conceal attacker`s identity
| ftp-privileged-port (892) |  Medium Risk |
Description:
In a normal FTP (File Transfer Protocol) session, a connection is established to the FTP control port (TCP port 21). Once this control channel is established, any files to be sent are transferred on a separate connection (the data connection). The FTP client performs this procedure by sending a PORT command that contains the IP address, while the port listens for a TCP connection. The FTP server then connects back to that port and transfers the file.
In an FTP Bounce attack, the FTP client specifies a different IP address than its own to trick some FTP servers into making a connection and sending data to another host on the network. This creates the appearance that the computer is being probed or attacked by the FTP server when in fact it is the FTP client that is indirectly attacking it.
In a closely related attack, the FTP Privileged Port attack, an attacker specifies a legitimate IP address while using a privileged port for it connect back to. This allows an attacker on a multi-user system to attack her own computer while hiding her identity. This creates the appearance that the attack is originating from the FTP server.
Consequences:
Other
Remedy:
Check to see if your FTP server is vulnerable to the FTP bounce attack.
Internet Scanner users: Run a scan against the FTP server and check if it comes up vulnerable to this attack.
Apply the appropriate patch for your system, as listed in CERT Advisory CA-1997-27. See References.
As a workaround, if your FTP server is vulnerable, upgrade to the latest version of wu-ftpd (2.4.2-beta-16 or later), as listed in CERT Advisory CA-1997-27. See References.
Also, examine the Host and Port that was connected to with the bounce attack. If this is one of your own hosts, you may want to check what was done to it. If this was a host that you do not own, be aware that the administrator of that computer can see connections having originated from your FTP server, and if an attack was performed, your computer appears to be the source of those attacks. You may want to contact that administrator or at least save the logs of the original source of the attack should that administrator contact you in accordance with their security policies.
For SGI IRIX:
Upgrade to the latest version of IRIX (6.5.20 or later), or apply the appropriate patch for your system, as listed in SGI Security Advisory 20030304-01-P. See References.
References:
- CERT Advisory CA-1997-27: FTP Bounce.
- CERT Coordination Center Tech Tips: Problems With The FTP PORT Command or Why You Don't Want Just Any PORT in a Storm.
- CIAC Information Bulletin I-018A: FTP Bounce Vulnerability.
- SGI Security Advisory 20020305-02-I: IRIX FTP Bounce vulnerability.
- SGI Security Advisory 20020305-03-I: ftpd minor vulnerabilities.
- SGI Security Advisory 20030304-01-P: Multiple Vulnerabilities and Enhancements in ftpd.
- BID-126: Multiple Vendor FTP Bounce Attack Vulnerability
- CVE-1999-0017: FTP servers can allow an attacker to connect to arbitrary ports on machines other than the FTP client, aka FTP bounce.
Platforms Affected:
- HP HP-UX
- IBM AIX 3.2
- IBM AIX 4.1
- IBM AIX 4.2
- IBM AIX 4.3
- NetBSD NetBSD
- SCO SCO CMW+ 3.0
- SCO SCO OpenServer 5.0.4
- SCO SCO UnixWare 2.1.0
- SGI IRIX 6.0
- SGI IRIX 6.0.1
- SGI IRIX 6.1
- SGI IRIX 6.2
- SGI IRIX 6.3
- SGI IRIX 6.4
- SGI IRIX 6.5
- SGI IRIX 6.5.1
- SGI IRIX 6.5.10
- SGI IRIX 6.5.10f
- SGI IRIX 6.5.10m
- SGI IRIX 6.5.11
- SGI IRIX 6.5.11f
- SGI IRIX 6.5.11m
- SGI IRIX 6.5.12
- SGI IRIX 6.5.12f
- SGI IRIX 6.5.12m
- SGI IRIX 6.5.13
- SGI IRIX 6.5.13f
- SGI IRIX 6.5.13m
- SGI IRIX 6.5.14
- SGI IRIX 6.5.14f
- SGI IRIX 6.5.14m
- SGI IRIX 6.5.15
- SGI IRIX 6.5.15f
- SGI IRIX 6.5.15m
- SGI IRIX 6.5.16
- SGI IRIX 6.5.16f
- SGI IRIX 6.5.16m
- SGI IRIX 6.5.17
- SGI IRIX 6.5.17f
- SGI IRIX 6.5.17m
- SGI IRIX 6.5.18
- SGI IRIX 6.5.18f
- SGI IRIX 6.5.18m
- SGI IRIX 6.5.19
- SGI IRIX 6.5.19f
- SGI IRIX 6.5.19m
- SGI IRIX 6.5.2
- SGI IRIX 6.5.2f
- SGI IRIX 6.5.2m
- SGI IRIX 6.5.3
- SGI IRIX 6.5.3f
- SGI IRIX 6.5.3m
- SGI IRIX 6.5.4
- SGI IRIX 6.5.4f
- SGI IRIX 6.5.4m
- SGI IRIX 6.5.5
- SGI IRIX 6.5.5f
- SGI IRIX 6.5.5m
- SGI IRIX 6.5.6
- SGI IRIX 6.5.6f
- SGI IRIX 6.5.6m
- SGI IRIX 6.5.7
- SGI IRIX 6.5.7f
- SGI IRIX 6.5.7m
- SGI IRIX 6.5.8
- SGI IRIX 6.5.8f
- SGI IRIX 6.5.8m
- SGI IRIX 6.5.9
- SGI IRIX 6.5.9f
- SGI IRIX 6.5.9m
- Sun SunOS 4.1.3u1
- Sun SunOS 4.1.4
- Sun SunOS 5.3
- Sun SunOS 5.4
- Sun SunOS 5.5
- Sun SunOS 5.5.1
Reported:
Not available
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net