Denial of Service using PORT command

Last updated: Wednesday, 24-Mar-1999 23:32:11 EET

The vulnerability was analyzed by:

Threat and Vulnerability

As the FTP protocol supports third-party initiated transfers between two servers, it is possible to misuse network and/or disk resources.

The PORT command can also be used for third-party port scanning: if the host inside the firewall (where FTP connections from outside are allowed) can access other computers, this makes scanning possible even if direct scanning is blocked by the router or firewall configuration. The intruder can even submit data (such as HTTP transactions) to inside computers if uploading to the FTP server is allowed.

Preconditions for the attack

To be successful, the server must accept a PORT command naming any host and any port. In addition, we must find a host (preferably with a high-bandwidth connection) which has the discard (9) and/or chargen (19) services active.

From the test network, only Solaris 2.5 hosts allowed connections to any host on any port. Other hosts refused to accept ports below 1024. The Solaris 2.6 hosts allowed the host specified in the PORT command to differ from the one where the control connection originated. Hosts other than Solaris refused the PORT command if the host was different.

Analysis of the attack

The attack is easy to accomplish: only network terminal (telnet) access to the FTP server port is needed. The attack can be launched from any location from which FTP connections to the server are allowed.

Detection and tracing

The attack could be detected on the wire by analysing FTP command traffic and spotting PORT commands there. The other possibility is analysing logs, if the FTP server logs all FTP transactions (normally only transfers are logged).

Of course, the secondary effects (strange connections to other services or a full disk) can also be noticed.

Protection against the Attack

The best protection against this attack is to use an FTP server which allows only the address of the control connection endpoint in the PORT command and does not allow ports in the privileged range (< 1024).

The side effect is that third-party initiated transfers are not possible. This is not a big loss, as we do not know of any application program that implements this.
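The following added example (not code from the original analysis) shows the protection rule above as a PORT argument check, and reuses the same check for the log-based detection described earlier: it parses the h1,h2,h3,h4,p1,p2 argument, rejects fields over 255 (the 16-bit overflow attempts from the test results), rejects addresses other than the control connection peer, and rejects privileged ports. The log format, the audit_log helper and the sample lines are constructed for illustration.

```python
import re

# h1,h2,h3,h4,p1,p2 as sent by the client; each field must fit in one byte.
PORT_RE = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")

def parse_port_arg(arg):
    """Return (host, port) or None if malformed or a field exceeds 255."""
    m = PORT_RE.match(arg.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None  # e.g. p1=300: an attempt to overflow the 16-bit port
    host = ".".join(str(f) for f in fields[:4])
    return host, fields[4] * 256 + fields[5]

def check_port_command(control_peer, arg):
    """Accept only the control connection's own address and ports >= 1024."""
    parsed = parse_port_arg(arg)
    if parsed is None:
        return False, "malformed or overflowed PORT argument"
    host, port = parsed
    if host != control_peer:  # control_peer assumed in canonical dotted-quad form
        return False, "PORT host differs from control connection peer"
    if port < 1024:
        return False, "PORT to privileged port"
    return True, "ok"

# Constructed sample log, one "<client ip> <command line>" per line (documentation addresses).
SAMPLE_LOG = """\
192.0.2.10 PORT 192,0,2,10,4,1
192.0.2.10 PORT 192,0,2,10,0,9
192.0.2.10 PORT 203,0,113,5,0,19
192.0.2.10 PORT 192,0,2,10,300,1
192.0.2.10 RETR bounce.txt
"""

def audit_log(text):
    """Return (peer, argument, reason) for every PORT command the policy rejects."""
    findings = []
    for line in text.splitlines():
        peer, _, cmdline = line.partition(" ")
        verb, _, arg = cmdline.partition(" ")
        if verb.upper() != "PORT":
            continue
        ok, reason = check_port_command(peer, arg)
        if not ok:
            findings.append((peer, arg, reason))
    return findings
```

Running audit_log over the sample flags the discard (9) and chargen (19) targets and the overflowed argument, while the client's own unprivileged port passes.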

Test results

The PORT command was tested with different arguments (even trying to overflow the 16-bit value). The vulnerable systems were the ones running Solaris 2.5 and Solaris 2.6 (Solaris 2.6 only with non-privileged ports).

The port scanning was tested on a Solaris 2.5 system. One could verify whether some ports were listening or not. A third-party HTTP request was also tested: a file containing an HTTP request was stored in the FTP server area; then, by pointing the PORT command at an HTTP server, the request was made successfully. This can be serious if the request has side effects (updating a database etc.).