Vulnerability Note VU#328867

Many firewalls perform stateful inspection of application layer traffic, allowing them to support passive FTP and other applications that make connections using dynamically chosen ports. In the case of a passive FTP connection to an FTP server located behind a firewall, the firewall examines the application layer of the FTP control channel and interprets FTP commands and responses in order to determine what TCP ports the server is using for data connections. When a client requests a passive FTP connection by issuing the PASV command, the FTP server responds positively with a string like "227 Entering Passive Mode h1,h2,h3,h4,p1,p2", instructing the client to initiate a TCP connection to IP address h1,h2,h3,h4 on port p1,p2. The firewall monitors this string and creates a dynamic rule allowing an inbound TCP connection from the client to the server on the specified port.

Some firewalls create dynamic rules without assuring that the PASV response string is part of a legitimate FTP connection.

An attacker who is able to log in to an FTP server behind a vulnerable firewall issues an FTP command that echoes the argument of the command back to the attacker (NLST is one example of such a command). The attacker includes a PASV response string as the argument to the command, so that the PASV response "227 Entering Passive Mode h1,h2,h3,h4,p1,p2" is echoed back through the firewall. Using a spoofed IP address and a separate TCP/IP stack (libnet and libpcap), the attacker sends specially crafted TCP packets that acknowledge (ACK) the echoed response from the FTP server up to the start of the PASV response. If the operating system used by the FTP server supports the partial acknowledgement of TCP data segments (RFC 2581), it will resend the unacknowledged data, starting with the beginning of the PASV response. A vulnerable firewall will see a properly terminated PASV response at the start of a packet and create a rule allowing the client to connect to the specified port on the FTP server.

This behavior has been previously discussed in public forums (February 2000):

• http://online.securityfocus.com/archive/1/47688/2000-02-12/2000-02-18/1
• http://online.securityfocus.com/archive/82/45571/2000-02-08/2000-02-14/1
• http://online.securityfocus.com/archive/82/45758/2000-02-08/2000-02-14/1

• using a URL with a properly padded FTP command (HTML email or web page with hostile URL sent to clients)
• using other FTP commands (STAT) to echo PORT commands or PASV responses back through the firewall
• using TCP MSS to control/lower the size of a TCP packet and properly align FTP commands and responses
• uploading a file or creating a directory with a crafted name that contains FTP commands, then using "ls" or similar to echo the command back through the firewall

If an intermediary line begins with a 3-digit number, the Server must pad the front to avoid confusion.

In rare cases where these routines are able to generate three digits and a Space at the beginning of any line, the beginning of each text line should be offset by some neutral text, like Space.

A remote attacker may be able to access TCP ports on an FTP server or client that is behind a vulnerable firewall system, which could expose other network services to attack.

Apply Patch or Upgrade
Apply the appropriate patch or upgrade as specified by your vendor.

Disable FTP Inspection

In some products it may be possible to disable the FTP application layer inspection feature, however this will most likely prevent passive FTP sessions from reaching an FTP server located behind a firewall, and may prevent active FTP sessions that originate from clients who are behind a firewall.

Restrict Access

Do not allow anonymous access to FTP servers from untrusted networks like the Internet. Note that this will only limit the number of potential sources of attacks; it will not prevent attacks from networks that are allowed to access the FTP servers.

Disable Active FTP

Do not allow untrusted FTP servers to initiate connections to FTP clients. This will prevent clients from using active FTP for data channel connections.

Secure FTP Servers

Keep exposed FTP servers up-to-date with the latest patches and disable all unnecessary services.