Firewalls and other systems that inspect FTP application layer traffic may not adequately maintain the state of FTP commands and responses. As a result, an attacker could establish arbitrary TCP connections to FTP servers or clients located behind a vulnerable firewall.
Many firewalls perform stateful inspection of application layer traffic, allowing them to support passive FTP and other applications that make connections using dynamically chosen ports. In the case of a passive FTP connection to an FTP server located behind a firewall, the firewall examines the application layer of the FTP control channel and interprets FTP commands and responses in order to determine what TCP ports the server is using for data connections. When a client requests a passive FTP connection by issuing the PASV command, the FTP server responds positively with a string like "227 Entering Passive Mode h1,h2,h3,h4,p1,p2", instructing the client to initiate a TCP connection to IP address h1,h2,h3,h4 on port p1,p2. The firewall monitors this string and creates a dynamic rule allowing an inbound TCP connection from the client to the server on the specified port.
Some firewalls create dynamic rules without first ensuring that the PASV response string is a genuine reply from the FTP server to a PASV command on the control channel, rather than other data on that connection that merely resembles one.
It is possible that similar vulnerabilities exist in the way firewalls handle other applications that use dynamic ports. FTP application layer gateways and proxy servers may also be affected.
An FTP server or FTP client running on an operating system that does not accept partial acknowledgement of TCP data segments is not susceptible to this specific attack.
FTP servers that do not pad 3-digit numbers within multi-line responses exacerbate this problem by making it difficult for firewalls to recognize legitimate FTP status codes (VU#288905). From section 4.2 of RFC 959:
If an intermediary line begins with a 3-digit number, the Server must pad the front to avoid confusion.
In rare cases where these routines are able to generate three digits and a Space at the beginning of any line, the beginning of each text line should be offset by some neutral text, like Space.
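As an added illustration (not code from this advisory or from any vendor's product), the following Python sketch of a firewall's FTP application gateway applies the checks described above before honoring a 227 reply: it tracks whether the client actually issued PASV, ignores every line inside a multi-line reply regardless of padding, consumes exactly one reply per command, and only opens a port on the server's own address. The FtpAlg class and the session lines it is fed are constructed for this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Pattern for a complete "227" reply line; the six numbers may or may not be
# wrapped in parentheses, as servers vary.
PASV_REPLY = re.compile(
    r"^227 [^\r\n]*?\(?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)?"
)

@dataclass
class FtpAlg:
    """Per-control-channel state of a (hypothetical) FTP application gateway."""
    server_ip: str                        # address the control channel connects to
    awaiting_pasv: bool = False           # client sent PASV and no reply consumed yet
    multiline_code: Optional[str] = None  # code of an open "NNN-" multi-line reply
    rules: List[Tuple[str, int]] = field(default_factory=list)

    def client_line(self, line: str) -> None:
        """Track commands on the client->server direction of the control channel."""
        self.awaiting_pasv = line.strip().upper() == "PASV"

    def server_line(self, line: str) -> Optional[Tuple[str, int]]:
        """Consume one reassembled server->client line; return a rule if one opens."""
        if self.multiline_code is not None:
            # Inside a multi-line reply only the "NNN " terminator ends it; any other
            # line is free text and must never create a rule, padded or not (VU#288905).
            if not line.startswith(self.multiline_code + " "):
                return None
            self.multiline_code = None
        elif len(line) > 3 and line[:3].isdigit() and line[3] == "-":
            self.multiline_code = line[:3]    # opening line of a multi-line reply
            return None
        if not self.awaiting_pasv:
            return None                       # a 227 string that answers no PASV is ignored
        self.awaiting_pasv = False            # exactly one reply is consumed per command
        m = PASV_REPLY.match(line)
        if m is None:
            return None
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if max(h1, h2, h3, h4, p1, p2) > 255:
            return None
        host, port = f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
        if host != self.server_ip or port == 0:
            return None                       # only open a port on the server's own address
        self.rules.append((host, port))
        return host, port
```

The gateway must be fed whole reassembled lines in the correct direction; a 227 string that is unsolicited, addressed to another host, or buried in a multi-line reply produces no rule.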
A remote attacker may be able to access TCP ports on an FTP server or client that is behind a vulnerable firewall system, which could expose other network services to attack.
Apply Patch or Upgrade
Apply the appropriate patch or upgrade as specified by your vendor.
Vendor                            Status
IP Filter                         Affected
Alcatel                           Not Affected
Apple Computer Inc.               Not Affected
Avaya                             Not Affected
Borderware                        Not Affected
Check Point                       Not Affected
Cisco Systems Inc.                Not Affected
Clavister                         Not Affected
Cray Inc.                         Not Affected
GNU netfilter                     Not Affected
Global Technology Associates      Not Affected
Hewlett-Packard Company           Not Affected
IBM                               Not Affected
Intoto                            Not Affected
Microsoft Corporation             Not Affected
NEC Corporation                   Not Affected
NetScreen                         Not Affected
Nortel Networks                   Not Affected
OpenBSD                           Not Affected
Secure Computing Corporation      Not Affected
SecureWorx                        Not Affected
Stonesoft                         Not Affected
Sun Microsystems Inc.             Not Affected
Symantec                          Not Affected
eSoft                             Not Affected
The CERT/CC thanks Mikael Olsson of Clavister AB and Al Potter of ICSA Labs for reporting this vulnerability and providing information used in this document.
This document was written by Art Manion.
Date First Published: 2002-10-08
Date Last Updated: 2003-03-07 21:59 UTC