Vulnerability Note VU#2558

File Transfer Protocol allows data connection hijacking via PASV mode race condition

Original Release date: 29 Apr 2002 | Last revised: 26 Mar 2003

Overview

There is a vulnerability in the File Transfer Protocol (FTP) that allows an attacker to hijack FTP data connections when the client connects using passive mode (PASV).

Description

In FTP PASV mode, the client makes a control connection to the FTP server (typically port 21/tcp) and requests a PASV data connection. The server responds by listening for client connections on a specified port number, which is supplied to the client via the control connection. If an attacker can make a connection to the listening port before the client connects, the server will transmit the data to the attacker instead of the client.

To exploit this vulnerability, the attacker must intercept or guess the port number that the server will use, then make its connection attempt before the client establishes a data connection. If the server chooses port numbers using an easily identifiable pattern (such as incrementally), this vulnerability is trivial to exploit.

Note that this vulnerability was first discovered in February 1999, so it is likely that many FTP servers have been patched to address this issue.

Impact

Remote intruders can hijack data requested by a legitimate user. It may also be possible to insert data on to an FTP server if the server is acting in a peering (mirroring) relationship with another server.

Solution

Apply a patch from your vendor

Please see the vendor section of this document for information on obtaining patches.

Reject data connections from hosts that do not match the control connection host


One possible mitigation strategy is to reject data connections that do not originate from the same IP address as the control connection, but this has several problems. First, it makes the server not strictly compliant with RFC 959. Second, it can be defeated by an attacker on the same machine (or network, if spoofed IP addresses are used).

Use randomly selected PASV ports to decrease likelihood of interception

If the server chooses the PASV listening port randomly, it will be difficult or impossible for an attacker to determine the data port. Note that this will not protect against attackers who are able to intercept the FTP control connection because the FTP server must supply the PASV listening port to the client.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Cray Inc.Affected29 Apr 200230 Apr 2002
Hewlett-Packard CompanyAffected29 Apr 200202 May 2002
Red Hat Inc.Affected29 Apr 200230 Apr 2002
SGIAffected29 Apr 200226 Mar 2003
WU-FTPD Development GroupAffected15 Feb 199930 Apr 2002
Apple Computer Inc.Unknown29 Apr 200229 Apr 2002
BSDIUnknown29 Apr 200229 Apr 2002
Cisco Systems Inc.Unknown29 Apr 200216 May 2002
Data GeneralUnknown29 Apr 200229 Apr 2002
DebianUnknown29 Apr 200229 Apr 2002
F5 NetworksUnknown29 Apr 200229 Apr 2002
FreeBSDUnknown29 Apr 200229 Apr 2002
FujitsuUnknown29 Apr 200229 Apr 2002
Guardian Digital Inc. Unknown29 Apr 200229 Apr 2002
IBMUnknown29 Apr 200229 Apr 2002
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

The CERT/CC thanks Gregory A Lundberg and Jeffrey R. Gerber for their detailed explanations of this vulnerability.

This document was written by Jeffrey P. Lanza and Jed M Pickel.

Other Information

  • CVE IDs: CVE-1999-0351
  • Date Public: 01 Feb 99
  • Date First Published: 29 Apr 2002
  • Date Last Updated: 26 Mar 2003
  • Severity Metric: 13.95
  • Document Revision: 31

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.