[25128] in bugtraq
Re: Raptor Firewall FTP Bounce vulnerability
daemon@ATHENA.MIT.EDU (William Aguilar)
Wed Apr 17 21:27:07 2002
Date: 17 Apr 2002 21:06:11 -0000
Message-ID: <20020417210611.2086.qmail@mail.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: William Aguilar <waguilar@symantec.com>
To: bugtraq@securityfocus.com
In-Reply-To: <4.3.2.7.2.20020415144003.00ae4730@192.168.124.1>
Symantec Enterprise Firewall FTP Bounce
Vulnerability
Date Discovered
April 16, 2002
Risk
Medium (dependent on customer configuration)
Affected Versions:
Raptor Firewall V6.5.3 (Solaris)
Symantec Enterprise Firewall V7.0 (Solaris)
Overview
Symantec is aware of an FTP Bounce Vulnerability
condition reported in Bugtraq ID# 267784
(http://online.securityfocus.com/archive/1/267784).
This potential vulnerability could affect some
Symantec Enterprise Firewall deployments. Using
this FTP-protocol based vulnerability, an attacker
could potentially hide an attack by using the firewall
identity against an unsuspecting and unprotected
external machine. In addition, by overwriting the
PORT command with its own internal address, the
firewall overwrites the FTP-server built-in protection
mechanism that protects against this type of attack.
Recommendation
If the FTP Bounce Attack affects your deployment,
please make sure you apply the related hotfix
available from the Symantec Enterprise Support site.
This hotfix is an enhanced version of our FTPd
module for the affected platforms that extends the
protection currently provided by the firewall. We are
currently investigating if this problem impacts our
remaining supported products and platforms and we
will release enhanced versions of the FTPd module
as necessary.
This module update is available for download from
the Symantec Enterprise Support site
(http://www.symantec.com/techsupp). The following
enhancements have been made to the FTPd module
for Solaris:
1) By default, if the firewall detects a PORT
request destined for an IP address other than the IP
address of the FTP client, it will log the following
warning:
“353 Warning: PORT command referenced a
destination (x.x.x.x) that doesn't match control
channel (y.y.y.y): possible Bounce attack? To enforce
strict PORT checking please
set “ftpd.allow_address_mismatch=False” in the
Config.cf file.”
If the firewall administrator decides that this is not a
problem in their environment, they can disable this
Warning message by setting the following Config.cf
variable:
ftpd.suppress_address_mismatch_warning=True
(default is False)
2) If the firewall administrator wishes to
enforce strict PORT command checking and block
any PORT requests that reference a different
address than the original FTP client IP they can set
the following Config.cf variable:
ftpd.allow_address_mismatch=False (default is True)
By enforcing “strict” PORT checking on the firewall,
security administrators do not have to make sure that
all of their FTP servers are patched or configured to
block the FTP Bounce Attack.
These security enhancements were verified by
Symantec and ICSA Labs (www.icsalabs.com). The
new features will extend the enterprise-level
protection provided by our FTP proxy which among
other checks already includes protection against FTP
Bounce attacks off the firewall itself, blocking PORT
commands that select a well-known port, FTP
strong/weak user authentication methods, GET/PUT
granular security policies, FTP protocol and
command verification, and transparent address
hiding.
Technical Description
The FTP Bounce attack exploits a known design flaw
in the FTP standard. All RFC compliant FTP servers
must support the PORT command. The PORT
command is used between an FTP client and server
to coordinate the data channel connection between
the two devices. The RFC dictates that a connection
for the data channel should be allowed to any IP
address and any port. However, this RFC-
compliancy renders FTP Servers vulnerable to
misuse of the PORT command. For a more detailed
explanation of this issue please see CERTŪ Advisory
CA-1997-27 FTP Bounce and the related technical tip.
The Symantec Enterprise Firewall automatically
rewrites the PORT command with either the address
of the client machine or the firewall address. In either
case when the PORT request reaches the FTP
server, the PORT command will match the source
address of the FTP client. If configured, the FTP
server scans the packet to make sure the PORT
command matches the IP address of the client, and
in all cases it does. The FTP server then attempts to
open a data connection to the client IP address,
which then gets translated by the firewall to the
victim’s IP address. This is not a desired behavior
since it gives the security administrator a false sense
of protection from an FTP bounce attack.
Copyright (c) 2002 by Symantec Corp.
Permission to redistribute this Alert electronically is
granted as long as it is not edited in any way unless
authorized by Symantec Security Response.
Reprinting the whole or part of this Alert in medium
other than electronically requires permission from
symsecurity@symantec.com.
Disclaimer:
The information in the advisory is believed to be
accurate at the time of printing based on currently
available information. Use of the information
constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this
information. Neither the author nor the publisher
accepts any liability for any direct, indirect or
consequential loss or damage arising from use of, or
reliance on this information.
Symantec, Symantec products, Symantec Security
Response, and SymSecurity are Registered
Trademarks of Symantec Corp. and/or affiliated
companies in the United States and other countries.
All other registered and unregistered trademarks
represented in this document are the sole property of
their respective companies/owners.
