Results 1 to 2 of 2

Thread: Vulnerability: Raptor Firewall FTP Bounce

  1. April 22nd, 2002, 01:00 PM #1
    s0nIc
    s0nIc is offline
    Fastest Thing Alive s0nIc's Avatar
    Join Date
    Sep 2001
    Location
    Sydney
    Posts
    1,584

    Exclamation Vulnerability: Raptor Firewall FTP Bounce

    The Raptor Firewall can make an FTP server behind it vulnerable to the well-known
    FTP bounce vulnerability even if the FTP server used is not susceptible to this issue.




    Overview:


    While performing a penetration test for a customer, we discovered that their FTP server
    was vulnerable to the well-known FTP Bounce attack from the Internet. However, subsequent
    conversation with the customer showed that the FTP server itself (a recent version of
    wu-ftp) was not vulnerable to the FTP bounce attack.


    It appears that the Raptor Firewall's FTP proxy was somehow making the FTP server vulnerable
    to the FTP bounce vulnerability even though the FTP server itself was immune to this problem.


    The Firewall vendor (Symantec) have been informed of this issue.


    Environment:


    Firewall: Raptor 6.5.3i on Sun Solaris 7
    FTP Server: wu-ftpd on internal network with anonymous access
    Config: Using built-in Raptor FTP proxy for inbound FTP access from Internet


    Analysis:


    We verified and analysed the vulnerability using the following setup:


    1. "attacker" - A Linux system on the Internet that connects to the FTP server and
    exploits the vulnerability
    2. "victim" - A second Linux system on the Internet that is the target of the bounce attack
    3. "server" - The FTP server. External address 194.217.26.147, internal 10.1.13.5
    4. "Firewall" - The Raptor Firewall


    We verified the FTP bounce vulnerability from the Internet and used the "tcpdump" packet
    sniffer on the Internet "attacker", the Internet "victim" (target of the ftpbounce test) and the
    FTP server to determine what was going on.


    It turns out that the Raptor Firewall re-writes the inbound FTP "PORT" command and
    changes the IP address to be the Hacker's IP rather than the Victim's, and the port number
    to be another ephemeral port. This means that the FTP server cannot detect the FTP
    bounce attack because it sees the correct IP address (the one of the hacker rather than
    the victim) and an ephemeral port. However, when the FTP Server makes the outbound
    connection to this IP address and port, the Firewall re-writes the IP address and port in
    the packet to be the IP address and port of the victim which was originally specified by
    the Hacker.


    Thus, the Raptor Firewall prevents the FTP Server from detecting the FTP bounce attack, and
    permits the attack to take place. Because the FTP Server will always see the "correct" IP
    address and port in the PORT command, it cannot determine that an FTP bounce attack is
    being carried out and will accept the command.


    Further information:


    Further information, including annotated "tcpdump" packet traces are available at:


    http://www.nta-monitor.com/news/raptor-set.htm

    Source: http://www.xatrix.org/article1386.html
    Reply With Quote Reply With Quote
  2. April 22nd, 2002, 01:07 PM #2
    VictorKaum
    VictorKaum is offline
    Senior since the 3 dot era
    Join Date
    Nov 2001
    Posts
    1,542
    I have to say: this is a very cool method to hide your IP if you plan to attack a site.
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules