**************************************************************************
Security Bulletin 9730 DISA Defense Communications System
December 11, 1997 Published by: DISN Security Coordination Center
(SCC@NIC.MIL) 1-(800) 365-3642
The DISN SECURITY BULLETIN is distributed by the DISN SCC (Security Coordination Center) under DISA contract as a means of communicating information on network and host security exposures, fixes, and concerns to security and management personnel at DISN facilities. Back issues may be obtained via FTP from NIC.MIL [207.132.116.5] using login= "anonymous" and password="guest". The bulletin pathname is scc/sec-yynn (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. scc/sec-9705.txt). These are also available at our WWW site, http://nic.mil.
**************************************************************************
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
!                                                                       !
!  The following important advisory was issued by the Computer          !
!  Emergency Response Team (CERT) and is being relayed unedited         !
!  via the Defense Information Systems Agency's Security                !
!  Coordination Center distribution system as a means of                !
!  providing DISN subscribers with useful security information.         !
!                                                                       !
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
=============================================================================
- -----------------------------------------------------------------------------
In some implementations of FTP daemons, the PORT command can be misused to open a connection to a port of the attacker's choosing on a machine that the attacker could not have accessed directly. There have been ongoing discussions about this problem (called "FTP bounce") for several years, and some vendors have developed solutions for this problem.
The CERT/CC staff urges you to install a comprehensive patch if one is available. Until then, we recommend the wu-ftpd package identified in Section III.B. as a workaround.
We will update this advisory as we receive additional information. Please check our advisory files regularly for updates that relate to your site.
- -----------------------------------------------------------------------------
In the past few years there have been ongoing discussions about a problem known as "FTP bounce." In its simplest terms, the problem is based on the misuse of the PORT command in the FTP protocol.
ftp://ftp.cert.org/pub/tech_tips/FTP_PORT_attacks
The core component of the problem is that by using the PORT command in active FTP mode, an attacker may be able to establish connections to arbitrary ports on machines other than the originating client. This behavior is RFC compliant, but it is also potentially a source of security problems for some sites. The example attacks described in the tech tip demonstrate the potential of this vulnerability.
An attacker may be able to establish a connection between the FTP server machine and an arbitrary port on another system. This connection may be used to bypass access controls that would otherwise apply.
Because the core element of the attack (the FTP server can establish connections to arbitrary machines and arbitrary ports) is also a required component for RFC compliance, there is no clear-cut solution. With this in mind, we urge you to carefully consider the type of service that your site offers.
The best solution solely from a security perspective is to ensure that your FTP server software cannot establish connections to arbitrary machines. However, sites that rely on the RFC-compliant behavior may find that implementing this solution will affect applications that they use. (We have not received any first-hand reports of such cases.) Consequently, many vendors offer solutions that allow sites offering the FTP service to make the choice that best suits them. You should check to see what type of behavior your vendor's FTP daemon adopts (Section A).
If you wish to implement an FTP service that does not allow this attack and your vendor does not offer a daemon with this functionality, consider using the wu-ftpd package described in Section B. Other steps you can take are described in Section C.
It is our experience that vendor implementations fall into one of these groups:
(1) strict conformance with RFC functionality: The PORT command
may be used to connect directly to a third-party machine, and this is the only functionality allowed. Some vendors who choose to maintain strict conformance have addressed this problem by modifying all other network services to reject connections originating from the FTP data port (port 20).
(2) strict suppression of the PORT command: The PORT command may
be used to connect to the originating client, and this is the only functionality allowed.
(3) variable PORT command behavior: The PORT command may be used
in either of the above two ways, with one way being the default. Switching between them is usually achieved with a command line parameter. You should be careful to verify which is the default.
Appendix A contains a list of vendors who have provided
information about this problem. We will update the appendix as
we receive more information. If you do not see your vendor's name,
the CERT/CC did not hear from that vendor. Please contact your
vendor directly.
B. Use the wu-ftpd package as a workaround.
The wu-ftpd package addresses the FTP bounce problem by ensuring that the PORT command cannot be used to establish connections to machines other than the originating client. Please read the wu-ftpd README file "FIXES-2.4-HOBBIT" before installing the package.
The latest version of wu-ftpd, which we recommend, is available from
ftp://ftp.academ.com/pub/wu-ftpd/private/wu-ftpd-2.4.2-beta-15.tar.Z
DFN-CERT mirrors this software at
ftp://ftp.cert.dfn.de/pub/tools/net/wuarchive-ftpd/academ-betas/wu-ftpd-2.4.2-beta-15.tar.Z
MD5 (wu-ftpd-2.4.2-beta-15.tar.Z) = 6c8172b83ab2545a5b91a9aba4840630
If you use a previous version (whether a beta version or full release), do not assume that your site is immune from these problems or other problems discussed in previous advisories.
Some attacks rely on an intermediate file being uploaded to one or more server machines via (usually anonymous) FTP. This file is used in a later phase of the attack.
Your site should offer anonymous upload facilities only if it is
absolutely necessary. Even then, you must carefully configure the
incoming area. For further details, see "Anonymous FTP Configuration
Guidelines" at
ftp://ftp.cert.org/pub/tech_tips/anonymous_ftp_config
Note that these steps only repel attacks that rely on intermediate uploads. The steps are not effective against other attacks.
If your site allows file uploads, we urge you to
ensure that the FTP service restricts the PORT command so that
it can only be used to connect to the originating client.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Below is a list of the vendors who have provided
information for this advisory. We will update this appendix as
we receive additional information. If you do not see your vendor's
name, the CERT/CC did not hear from that vendor. Please contact
the vendor directly.
- ------------------------------------------
The ftpd supplied with Unicos and Unicos/mk is currently in category 1.
We are working to make it category 3.
- -------------------
FreeBSD 2.2.0 and all later releases do not allow
the FTP bounce attack (unless explicitly allowed by the -R option).
FreeBSD 2.1.7 and earlier releases can be abused by the bounce
attack.
- -----------------------
This problem is addressed HP Security Bulletin 028. This bulletin can be found at one of these URLs:
Platform / release   Current                  Original
-------------------  -----------------------  -----------------------
s300 8.00            None                     None
s300 9.00            PHNE_6146                PHNE_6146
s300 9.03            PHNE_6146                PHNE_6146
s300 9.10            PHNE_6146                PHNE_6146
s700 8.05            None                     None
s700 8.07            None                     None
s700 9.01            PHNE_10008               PHNE_6013
s700 9.03            PHNE_10008               PHNE_6013
s700 9.05            PHNE_10008               PHNE_6013
s700 9.07            PHNE_10008               PHNE_6013
s700 9.09            PHNE_6169, PHNE_6170     PHNE_6169, PHNE_6170
s700 10.00           PHNE_10009               PHNE_6014
s700 10.01           PHNE_10009               PHNE_6014
s700 10.09           PHNE_5965                PHNE_5965
s700 10.10           PHNE_10009               None
s700 10.16           None                     None
s700 10.20           None                     None
s700 10.24           None                     None
s700 10.30           None                     None
s800 8.00            None                     None
s800 8.02            None                     None
s800 8.06            None                     None
s800 9.00            PHNE_10008               PHNE_6013
s800 9.04            PHNE_10008               PHNE_6013
s800 9.08            PHNE_6171                PHNE_6171
s800 10.00           PHNE_10009               PHNE_6014
s800 10.01           PHNE_10009               PHNE_6014
s800 10.09           None                     None
s800 10.10           PHNE_10009               None
s800 10.16           None                     None
s800 10.20           None                     None
s800 10.24           None                     None
s800 10.30           None                     None
Hewlett Packard's HP-UX patches/Security Bulletins/Security patches are available via email and/or WWW (via the browser of your choice) on HP Supportline (HPSL).
---------------------------------------------------------------------
To subscribe to automatically receive future NEW HP Security Bulletins from the HP SupportLine Digest service via electronic mail, do the following:
1) From your Web browser, access the URL:
http://us-support.external.hp.com (US,Canada,Asia-Pacific, and Latin-America)
http://europe-support.external.hp.com (Europe)
Login with your user ID and password, or register
for one (remember to save the User ID assigned to you, and your
password). Once you are on the Main Menu, Click on the Technical
Knowledge Database, and it will connect to a HP Search Technical
Knowledge DB page. Near the bottom is a hyperlink to our Security
Bulletin archive. Once in the archive there is another link to
our current security patch matrix. Updated daily, this matrix
is categorized by platform/OS release, and by bulletin topic.
- ---------------
All AIX ftp servers are vulnerable to the FTP bounce attack. The following fixes are in progress:
APARs may be ordered using Electronic Fix Distribution (via FixDist) or from the IBM Support Center. For more information on FixDist, reference URL:
http://service.software.ibm.com/aixsupport/
or send e-mail to aixserv@austin.ibm.com with a subject
of "FixDist".
- -------
This problem is fixed in MGFTP V2.2-2, which was
released several months ago. That version restricts the port numbers
to ports above 1024. However, it does not block access to third-party
machines. V2.2-4, scheduled for release next week, will do that
as well.
- ---------------------
We prevent this attack by disallowing "third party" transfers. This is done via a modification to our implementation of the PORT command. When the FTP server receives a PORT command, the specified IP address *must* match the client's source IP address for the control channel.
In other words, when the client sends a PORT command to the FTP server, giving the server an IP address & port number to connect back to the client for the data transfer, the IP address *must* be the client's original IP address.
We have one other fix in which we disallow the PORT
command from specifying reserved ports (those less than 1024)
except port 20 (the default data port). By default, any client
attempt to issue a PORT command with (port < 1024 &&
port != 20) will cause the PORT command to fail. This check can
be disabled by setting the EnablePortAttack registry value.
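As an added illustration, not code from the advisory or from any vendor listed in it, the following Python sketch implements the PORT-command handling that Section A's three categories and Section C's recommendation describe, together with the two checks in the vendor statement above: the PORT address must match the control connection's source address, and reserved ports below 1024 are refused except port 20. It also shows the category (1) alternative of having other services refuse connections whose source port is 20. All function names, the policy flags and the sample addresses are assumptions of this example.

```python
import re
from dataclasses import dataclass

FTP_DATA_PORT = 20      # default data port; the one exception to the reserved-port rule
RESERVED_LIMIT = 1024   # ports below this are reserved (privileged)


@dataclass(frozen=True)
class PortTarget:
    """Host and port a client asked the server to connect back to."""
    host: str
    port: int


class PortCommandError(ValueError):
    """Raised when a PORT command is not a valid RFC 959 'h1,h2,h3,h4,p1,p2'."""


_PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)


def parse_port_command(line: str) -> PortTarget:
    """Parse 'PORT h1,h2,h3,h4,p1,p2' into a dotted-quad host and a port number."""
    m = _PORT_RE.match(line.strip())
    if m is None:
        raise PortCommandError("malformed PORT command")
    fields = [int(f) for f in m.groups()]
    if any(f > 255 for f in fields):
        raise PortCommandError("field outside 0-255")
    h1, h2, h3, h4, p1, p2 = fields
    return PortTarget(host=f"{h1}.{h2}.{h3}.{h4}", port=p1 * 256 + p2)


def check_port_command(line, control_peer_ip, allow_third_party=False, block_reserved=True):
    """Decide whether the server should honour a PORT command.

    control_peer_ip   -- source address of the control connection (the real client)
    allow_third_party -- False: category (2), target must be the control peer (the default)
                         True:  category (1), third-party targets accepted as RFC 959 allows
                         (a server exposing both is the advisory's category (3))
    block_reserved    -- refuse ports below 1024 other than port 20 (the vendor rule above)
    Returns (accepted, reason).
    """
    try:
        target = parse_port_command(line)
    except PortCommandError as exc:
        return False, f"rejected: {exc}"
    if not allow_third_party and target.host != control_peer_ip:
        return False, f"rejected: third-party target {target.host} (FTP bounce)"
    if block_reserved and target.port < RESERVED_LIMIT and target.port != FTP_DATA_PORT:
        return False, f"rejected: reserved port {target.port}"
    return True, "ok"


def connection_allowed_from(peer_port):
    """Category (1) complement: a non-FTP service refuses any connection whose
    source port is the FTP data port, since a bounced transfer arrives from port 20."""
    return peer_port != FTP_DATA_PORT


if __name__ == "__main__":
    # Constructed sample: the control connection comes from 10.0.0.5.
    client = "10.0.0.5"
    for cmd in ("PORT 10,0,0,5,4,1",       # back to the client, port 1025
                "PORT 192,168,1,9,0,25",   # third-party host, port 25
                "PORT 10,0,0,5,0,25",      # client, but reserved port 25
                "PORT 10,0,0,5,0,20"):     # client, default data port 20
        print(f"{cmd:28} strict -> {check_port_command(cmd, client)}")
        print(f"{cmd:28} RFC    -> {check_port_command(cmd, client, allow_third_party=True)}")
```

In the strict (category 2) mode only the first and last commands are honoured; in the RFC mode the third-party host is accepted but port 25 is still refused by the reserved-port check, which is why the advisory treats that check as a complement to, not a substitute for, restricting the target host.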
- ---------------
NCR is delivering a set of operating system dependent patches which contain an update for this problem. Accompanying each patch is a README file which discusses the general purpose of the patch and describes how to apply it to your system.
Recommended solution: Apply one of the following patches depending on the revision of the inet package installed on your system. To check its version execute:
pkginfo -x inet
For inet 5.01.xx.xx: - PINET501 (Version later than 05.01.01.62)
For inet 6.01.xx.xx: - PINET601 (Version later than 06.01.00.22)
For inet 6.02.xx.xx: - PINET602 (Version later than 06.02.00.03)
After installation of the respective patch, the default
behavior will be to protect from this vulnerability. A new ftpd
man page describes how to enable the old RFC-compliant behavior.
- ------------------
There are no patches for NetBSD 1.2.1 or prior, however the ftpd sources available from:
ftp.netbsd.org:/pub/NetBSD/NetBSD-current/src/libexec/ftpd
should work on a NetBSD 1.2.1 machine.
- -------------------
FTP bounce can be fixed in the operating system by
fixing all vulnerable services by checking for connections from
port 20. Since this has been done in OpenBSD, OpenBSD is not vulnerable
and does NOT NEED the variable port command. The solution applies
since OpenBSD 2.1 (i.e., it applies for both 2.1 and for 2.2).
- ----------------
We ship wu-ftpd, so this isn't a problem for us.
The Santa Cruz Operation, Inc.
- ------------------------------
SCO has determined that the following operating systems are vulnerable
to the ftp-bounce attack:
UnixWare 2.1
ODT 3.0
CMW+
We are currently working on a fix to this problem.
- --------------------------------------
Patches will be developed (as necessary) and made
available via your Siemens-Nixdorf customer service.
Sun Microsystems, Inc.
- ----------------------
Sun's FTP server software in SunOS 4.1.x and 5.x allows PORT requests to make data connections to arbitrary hosts. Prior to SunOS 2.6, Sun's FTP server software also allows data connections to arbitrary ports.
In SunOS 2.6, the FTP server software does not accept PORT requests to make data connections to well-known (privileged) ports. Sun has also released the following patches that prevent Sun's FTP server software from accepting PORT requests to make data connections to well-known ports for the following SunOS releases:
Sun recommends that sites that do not require their FTP server make connections to arbitrary hosts consider using wu-ftpd as a workaround.
- -----------------------------------------------------------------------------
The CERT Coordination Center thanks AUSCERT and DFN-CERT for helping develop this advisory. We also thank Steve Bellovin and the vendors who offered valuable comments on the problem and solutions: BSDI, Hewlett-Packard, Livingston, NetBSD, OpenBSD, Sun Microsystems.
- -----------------------------------------------------------------------------
If you believe that your system has been compromised,
contact the CERT Coordination Center or your representative in
the Forum of Incident Response and Security Teams (see http://www.first.org/team-info/).
- ----------------------------
Email cert@cert.org
Phone +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
and are on call for emergencies during other hours.
Fax +1 412-268-6989
We strongly urge you to encrypt sensitive information sent by email. We can support a shared DES key or PGP. Contact the CERT/CC for more information.
ftp://ftp.cert.org/pub/CERT_PGP.key
CERT publications and other security information are available from
CERT advisories and bulletins are also posted on the USENET newsgroup
comp.security.announce
To be added to our mailing list for advisories and bulletins, send
email to
cert-advisory-request@cert.org
In the subject line, type
SUBSCRIBE your-email-address
- ---------------------------------------------------------------------------
Copyright 1997 Carnegie Mellon University. Conditions for use, disclaimers, and sponsorship information can be found in http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff . If you do not have FTP or web access, send mail to cert@cert.org with "copyright" in the subject line.
*CERT is registered in the U.S. Patent and Trademark Office.
- ---------------------------------------------------------------------------
This file: ftp://ftp.cert.org/pub/cert_advisories/CA-97.27.FTP_bounce
http://www.cert.org
click on "CERT Advisories"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
PLEASE NOTE: Some users outside of the DOD computing communities may receive DISN Security Bulletins. If you are not part of the DOD community, please contact your agency's incident response team to report incidents. Your agency's team will coordinate with DOD. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts.
This document was prepared as a service to the DOD
community. Neither the United States Government nor any of their
employees, makes any warranty, expressed or implied, or assumes
any legal liability or responsibility for the accuracy, completeness,
or usefulness of any information, product, or process disclosed,
or represents that its use would not infringe privately owned
rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation, or favoring by the United States Government. The
opinions of the authors expressed herein do not necessarily state
or reflect those of the United States Government, and shall not
be used for advertising or product endorsement purposes.