Re: ws_ftp pro 6.51 exposes internal IP addresses

[Iván Arce <core.lists.exploit-dev () CORE-SDI COM>]

OK, this is something i didnt have enough time to finish researching
but since its  being discussed i think ill attempt to explain my
theory on why it happends...

A good starting reference would be the published bug reports for
FW-1 and Cisco PIX regarding the usage of FTP control channel
information
to open holes in the firewall by exploiting problems in the stateful
inspection mechanism. Look at the bugtraq archives and vuln db for this.
Also, dugsong, Thomas Lopatic and John MacDonald did and excellent
presentation on FW-1 problems and the FTP PASV topic was discussed and
exploited at BlackHat last week.

Now i will guess that what you are describing is a similar problem in
the NAT code, that fails to rewrite the internal address of the FTP
server with the external (publicly known) IP of same.
This can happend if the connecting client advertises a MSS that makes
the server fragment the packets going back to the client in a way such
that the NAT code fails to detect it as a response to a PASV command.
Apparently ws_ftp is doing so and other ftp clients just dont bother
to change the MSS or provide a big enough one to avoid the problem.

230 User xxxxx logged in.
PWD
257 "/" is current directory.
Host type (I): Microsoft NT
PORT 209,74,14,36,6,60
200 PORT command successful.
LIST
150 Opening ASCII mode data connection for /bin/ls.
! Accept error: Blocking call cancelled
! Retrieve of folder listing failed (0)
QUIT
425 Can't open data connection.
- -
connecting to 216.37.xx.xx:2100
Connected to 216.37.xx.xx port 2100
220 saranac Microsoft FTP Service (Version 5.0).
USER xxx
331 Password required for xxxx.
PASS (hidden)
230-========================================
<snip>
230-
230-
230 User xxxx logged in.
PWD
257 "/" is current directory.
Host type (I): Microsoft NT
PASV
227 Entering Passive Mode (192,168,1,5,6,184).
connecting to 192.168.1.5:1720
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The fact that this is visible on the client side implies that
the NAT code didnt rewrite the address. A *VERY* quick look at
OpenBSD's nat code points to sys/netinet/ip_ftp_pxy.c as the
probable offender.
And im stating this because you said that the problem does not
appear with other FTP clients, that makes me think that you are
in fact using address rewritting in the FTP control channel.

*IF* the above probes right, the issue is not a ws_ftp client
problem, its an ipnat problem and other NAT implementations are
likely to have this problem.

And, as a side note, i'd like to point out that this brings in a more
'philosophycal' discussion:

NAT is not a security enhancing feature and you should not rely on
your addresses being hidden for any security scheme you conceive.

-ivan

Crawling KingSnake wrote:
> How so is this an administrative issue?  ws_ftp is the only one that does
> this.  Other clients connect successfully using PASV mode.  Maybe you should
> reread the statement and not be so quick to jump on the "administrator at
> fault" excuse.  The server does not have the bounce attack enabled but the
> client must use PASV to connect because of the firewall.  Those are two
> different issues.  Please try to understand the situation before responding
> since these responses prove wasteful.
>
> On Mon, Jul 31, 2000 at 09:07:13AM -0400, Crawling KingSnake wrote:
> > ws_ftp pro 6.51 exposes internal IP addresses when connecting using PASV
> <snip>
> > Vendor was notified but no response.
>
> what is the vendor supposed to do? This is an administration issue. If you
> are protecting your network via a firewall, and you intend to hide all
> aspects
> of your network hierarchy, then you'll want to disable passive ftp.
>
> Unless ws_ftpd is not capable of disabling passive ftp, this doesnt sound
> like
> a vendor issue.
>
> <ss>
>
> ______________________________________________
> FREE Personalized Email at Mail.com
> Sign up at http://www.mail.com/?sr=signup

--
"Understanding. A cerebral secretion that enables one having it to know
 a house from a horse by the roof on the house,
 It's nature and laws have been exhaustively expounded by Locke,
 who rode a house, and Kant, who lived in a horse." - Ambrose Bierce


==================[ CORE Seguridad de la Informacion S.A. ]=========
Iván Arce
Presidente
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
email   : iarce () core-sdi com
http://www.core-sdi.com
Pte. Juan D. Peron 315 Piso 4 UF 17
1038 Capital Federal
Buenos Aires, Argentina.              Tel/Fax : +(54-11) 4331-5402
Casilla de Correos 877 (1000) Correo Central
=====================================================================

--- For a personal reply use iarce () core-sdi com