Wednesday, March 21, 2007

FTP PORT command

Where I work, we maintain a popular FTP site that serves up Terabytes of weather and climate research datasets. Obviously, this particular server is a Tier 1 service for IT, so I pay close attention to security issues with this machine.

Since it's running an FTP daemon, any number of FTP exploits or abuses are attempted on it, one in particular (an oldie but goodie) is the "FTP PORT Bounce attack". My IDS triggers on this with regularity, and on occasion I double check to make sure that the server isn't vulnerable to it.

Understanding the attack first requires understanding what the FTP PORT command does. In the FTP world, the PORT command isn't as common as it was previously since most sites have migrated away from "active" FTP to "passive" FTP. The PORT command was a standard part of an active FTP session, and while we encourage passive FTP, we still see active sessions being used legitimately. During an Active FTP session, when data is being sent over the data channel (not the command channel), the server initiates the connection to the client on the port number specified. The PORT command's syntax is:

PORT X1,X2,X3,X4,P1,P2

where X1, X2, X3, X4 are the IP address and P1, P2 are translated into a port number by multiplying P1 by 256 and then adding the resulting number to P2. So, for example, a packet capture that contains the following:

PORT 172,16,4,128,16,155

is trying to setup an active FTP session to 172.16.4.128 on port 4251 ((16*256) + 155).

There are a number of ways that this can be abused. Earlier versions of FTP server software didn't check the IP address supplied to make sure that it matched the IP address that it was sent from. This allowed the following to be accomplished:

- port scanning
An attacker can use a vulnerable FTP server to do port scanning for them. By specifying the IP address of the victim and stepping through the port numbers that the attacker is curious about, the FTP server can be used to port scan a victim with the added advantage of the scan appearing to come from the FTP server, not the attacker.

- bypass firewalls
Because the connection is initiated by the FTP server and not the attacker, packet filter devices maybe configured to allow traffic to traverse the firewall if the connection comes from a "trusted host" such as the FTP server.

Enjoy.

Labels: , ,

3 Comments:

At 12:59 PM, Blogger Rich said...

In this example you have shown here, how does the ftp client choose P1 and P2 (I understand where x1,2,3,4 come from).

Is that chosen randomly?

 
At 3:44 PM, Blogger Richard H. Fifarek said...

Each client on each OS is likely to do it (slightly) different, but the general rule of thumb is that it will choose a port above 1024 ("ephemeral ports") that isn't currently in use. Beyond that, it's "random" as you said.

 
At 6:49 AM, Blogger Profil Daddy said...

why 256??

 

Post a Comment

Links to this post:

Create a Link

<< Home