Vulnerability Note VU#2558
File Transfer Protocol allows data connection hijacking via PASV mode race condition
There is a vulnerability in the File Transfer Protocol (FTP) that allows an attacker to hijack FTP data connections when the client connects using passive mode (PASV).
In FTP PASV mode, the client makes a control connection to the FTP server (typically port 21/tcp) and requests a PASV data connection. The server responds by listening for client connections on a specified port number, which is supplied to the client via the control connection. If an attacker can make a connection to the listening port before the client connects, the server will transmit the data to the attacker instead of the client.
To exploit this vulnerability, the attacker must intercept or guess the port number that the server will use, then make its connection attempt before the client establishes a data connection. If the server chooses port numbers using an easily identifiable pattern (such as incrementally), this vulnerability is trivial to exploit.
Remote intruders can hijack data requested by a legitimate user. It may also be possible to insert data on to an FTP server if the server is acting in a peering (mirroring) relationship with another server.
Apply a patch from your vendor
Reject data connections from hosts that do not match the control connection host
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Cray Inc.||Affected||29 Apr 2002||30 Apr 2002|
|Hewlett-Packard Company||Affected||29 Apr 2002||02 May 2002|
|Red Hat Inc.||Affected||29 Apr 2002||30 Apr 2002|
|SGI||Affected||29 Apr 2002||26 Mar 2003|
|WU-FTPD Development Group||Affected||15 Feb 1999||30 Apr 2002|
|Apple Computer Inc.||Unknown||29 Apr 2002||29 Apr 2002|
|BSDI||Unknown||29 Apr 2002||29 Apr 2002|
|Cisco Systems Inc.||Unknown||29 Apr 2002||16 May 2002|
|Data General||Unknown||29 Apr 2002||29 Apr 2002|
|Debian||Unknown||29 Apr 2002||29 Apr 2002|
|F5 Networks||Unknown||29 Apr 2002||29 Apr 2002|
|FreeBSD||Unknown||29 Apr 2002||29 Apr 2002|
|Fujitsu||Unknown||29 Apr 2002||29 Apr 2002|
|Guardian Digital Inc.||Unknown||29 Apr 2002||29 Apr 2002|
|IBM||Unknown||29 Apr 2002||29 Apr 2002|
CVSS Metrics (Learn More)
The CERT/CC thanks Gregory A Lundberg and Jeffrey R. Gerber for their detailed explanations of this vulnerability.
This document was written by Jeffrey P. Lanza and Jed M Pickel.
- CVE IDs: CVE-1999-0351
- Date Public: 01 Feb 99
- Date First Published: 29 Apr 2002
- Date Last Updated: 26 Mar 2003
- Severity Metric: 13.95
- Document Revision: 31
If you have feedback, comments, or additional information about this vulnerability, please send us email.