Greetings,

Question (quick version): Is Rhinosoft's Serv-U 4.1 truly vulnerable to an FTP_bounce attack as suggested by Nessus v. 2.0.7, or am I seeing a false positive?

Question (detailed version): About two weeks ago, I installed Rhinosoft's Serv-U FTP Server on W2K Pro running behind a hardware firewall. Before putting it to work, I went through the settings carefully. One of the options was a check-box labeled "Block "FTP_bounce" attacks and FXP". I enabled this option. A couple of days ago, I ran a full Nessus v.2.0.7 vulnerability scan against the IP running the Serv-U server. The scan came back reasonably clean with the following exception:

<------ Begin exception
Service: ftp (21/tcp)
Severity: High

It is possible to force the FTP server to connect to third parties hosts, by using the PORT command.

This problem allows intruders to use your network resources to scan other hosts, making them think the attack comes from your network, or it can even allow them to go through your firewall.

Solution : Upgrade to the latest version of your FTP server, or use another FTP server.
Risk factor : Medium/High
CVE : CVE-1999-0017
<------ End exception

I decided to question Rhinosoft about these results. That conversation went as follows (XXXXXXXXXXX = censored):

<------ Begin e-mail conversation
Hello XXXXXXXXXXX,

I am not familiar with the Nessus software. I would recommend contacting them and ask them how they figure out that there is a vulnerability. When this option is unchecked FXP transfers are not possible. Bounce Attacks are based off of FXP transfers. I would guess that their scan just detects that you are running something on port 21 so they assume you are vulnerable.

Andrew H. Peterson
http://www.RhinoSoft.com
Voice: +1(262) 560-9627
FAX: +1(262) 560-9628
****************************************
NOTE: When replying to this message, please leave the complete history of messages intact.
****************************************

----- Original Message -----
From: "XXXXXXXXXXX" <XXXXXXXXXXX @ blahdot . com>
To: <[EMAIL PROTECTED]>
Sent: Thursday, August 28, 2003 9:52 AM
Subject: FTP_bounce vulnerability reported by Nessus

Customer Name=XXXXXXXXXXX
Email= XXXXXXXXXXX @ blahdot . com
Product=Serv-U Standard
Product Version=4.1
Operating System=Windows 2000
Firewall/Antivirus software=XXXXXXXXXXX Firewall, AVG AntiVirus
Internet Connection=T-1
Recommended KB articles= 1043, 1199
Viewed KB articles=
Description: When I installed Serv-U, I went through the options and I did enable the choice to "Block "FTP_bounce" attacks and FXP", however when I do a Nessus scan, Nessus reports that there is still an FTP_bounce vulnerability. The machine has been rebooted since that option was set.
<------ End e-mail conversation

Following this response, I searched Google and Usenet, but found nothing useful. Next, I joined #nessus on irc.freenode.net where I received some helpful pointers that led me to find more information about the FTP_bounce plug-in itself. During this chat, we also both tried to exploit the FTP_bounce vulnerability manually on more than one Serv-U server. Both of our attempts were unsuccessful, but neither of us was exactly sure how to accomplish the exploit. We entered the PORT command and the PORT command followed by an IP address. Both attempts yielded an error stating that PORT was an invalid command.

Armed with the source code from the FTP_bounce plug-in script, I replied to Rhinosoft... That conversation went as follows:

<------ Begin e-mail reply
Hello,

Not really. Sorry, code isn't my thing. However, I know that Serv-U hasn't been vulnerable to Bounce attacks for years. With the number of security watchdogs out there I would be surprised if Serv-U was vulnerable. I would guess that the script is faulty.

Andrew H. Peterson
http://www.RhinoSoft.com
Voice: +1(262) 560-9627
FAX: +1(262) 560-9628
****************************************
NOTE: When replying to this message, please leave the complete history of messages intact.
****************************************

----- Original Message -----
From: "XXXXXXXXXXX" <XXXXXXXXXXX @ blahdot . com>
To: "'Andrew H. Peterson'" <[EMAIL PROTECTED]>
Sent: Thursday, August 28, 2003 1:12 PM
Subject: RE: Re: FTP_bounce vulnerability reported by Nessus

Below is the source code from the plug-in that does the FTP_bounce vulnerability test. I'm working on getting on the Nessus mailing list so that I can ask for more information. Is this helpful?

<------- Begin Source
#
# The script code starts here :
#
port = get_kb_item("Services/ftp");
if(!port) port = 21;
if(!get_port_state(port)) exit(0);

# The check only runs when the scanner has FTP credentials for the target
login = get_kb_item("ftp/login");
password = get_kb_item("ftp/password");
if(login)
{
  soc = open_sock_tcp(port);
  if(soc)
  {
    if(ftp_log_in(socket:soc, user:login, pass:password))
    {
      # Build a PORT argument for the target's own address with the last
      # octet incremented by one (a third-party host), data port 42*256+42
      ip = get_host_ip();
      last = ereg_replace(string:ip, pattern:"[0-9]*\.[0-9]*\.[0-9]*\.([0-9]*)$", replace:"\1");
      last = int(last) + 1;
      ip = ereg_replace(string:ip, pattern:"\.", replace:",");
      ip = ereg_replace(pattern:"([0-9]*,[0-9]*,[0-9]*,)[0-9]*$", replace:"\1", string:ip);
      ip = string(ip, last);
      command = string("PORT ", ip, ",42,42\r\n");
      send(socket:soc, data:command);

      # A "200 " reply means the server accepted the third-party address;
      # no data transfer is attempted, the reply code alone decides
      code = recv(socket:soc, length:4);
      if(code == "200 ") security_hole(port);
    }
    close(soc);
  }
}
<-------- End Source

-----Original Message-----
<------ End e-mail reply

That's all of the information I can think of to provide for this question. If I left out any important information, please don't hesitate to let me know. Thank you very much for your interest :)

CroiX
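An added example (not from the original post, Nessus or Serv-U) that models both sides of the check quoted above offline: the plugin's PORT argument construction and its "200 " rule, next to the server-side policy a "block FTP bounce" option is expected to enforce (accept a PORT address only if it equals the control connection's peer). All IP addresses are constructed sample values.

```python
import re

def nessus_port_argument(target_ip: str) -> str:
    """Build the PORT argument the plugin sends: the target's own address
    with the last octet incremented by one, then data port 42*256+42."""
    octets = target_ip.split(".")
    octets[3] = str(int(octets[3]) + 1)  # no wrap check: 255 becomes 256
    return ",".join(octets) + ",42,42"

def nessus_flags(reply: str) -> bool:
    """The plugin reports a hole iff the first four bytes are '200 '.
    It never issues LIST/RETR, so it tests acceptance, not the connect."""
    return reply[:4] == "200 "

def parse_port_argument(arg: str):
    """Return (ip, port) from 'h1,h2,h3,h4,p1,p2', or None if malformed."""
    m = re.fullmatch(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", arg)
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    if any(x > 255 for x in n):
        return None
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def server_reply(arg: str, peer_ip: str, block_bounce: bool) -> str:
    """Model a server's answer to PORT. With block_bounce, only a data
    address equal to the control connection's peer (and an unprivileged
    port) is accepted; this is the RFC 2577 mitigation."""
    parsed = parse_port_argument(arg)
    if parsed is None:
        return "501 Syntax error in parameters or arguments"
    ip, port = parsed
    if block_bounce and ip != peer_ip:
        return "501 PORT address does not match control connection"
    if block_bounce and port < 1024:
        return "501 PORT to privileged port refused"
    return "200 PORT command successful"

def audit(target_ip: str, scanner_ip: str, block_bounce: bool) -> bool:
    """Run the plugin's decision against the modelled server; True means
    Nessus would report the hole."""
    arg = nessus_port_argument(target_ip)
    return nessus_flags(server_reply(arg, scanner_ip, block_bounce))

if __name__ == "__main__":
    print(audit("192.168.1.10", "192.168.1.50", block_bounce=True))   # False
    print(audit("192.168.1.10", "192.168.1.50", block_bounce=False))  # True
    print(audit("10.0.0.255", "10.0.0.5", block_bounce=False))        # False
```

The last case shows a blind spot of the plugin as written: a target whose last octet is 255 produces an invalid PORT argument, so even a permissive server answers 501 and the check stays silent.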
