Re: Raptor Firewall FTP Bounce vulnerability

[William Aguilar <waguilar () symantec com>]

In-Reply-To: <4.3.2.7.2.20020415144003.00ae4730@192.168.124.1>

Symantec Enterprise Firewall FTP Bounce 
Vulnerability

Date Discovered
April 16, 2002

Risk 
Medium (dependent on customer configuration)

Affected Versions: 
Raptor Firewall V6.5.3 (Solaris)
Symantec Enterprise Firewall V7.0 (Solaris)

Overview
Symantec is aware of an FTP Bounce Vulnerability 
condition reported in Bugtraq ID# 267784 
(http://online.securityfocus.com/archive/1/267784).  
This potential vulnerability could affect some 
Symantec Enterprise Firewall deployments. Using 
this FTP-protocol based vulnerability, an attacker 
could potentially hide an attack by using the firewall 
identity against an unsuspecting and unprotected 
external machine.  In addition, by overwriting the 
PORT command with its own internal address, the 
firewall overwrites the FTP-server built-in protection 
mechanism that protects against this type of attack.

Recommendation
If the FTP Bounce Attack affects your deployment, 
please make sure you apply the related hotfix 
available from the Symantec Enterprise Support site.  
This hotfix is an enhanced version of our FTPd 
module for the affected platforms that extends the 
protection currently provided by the firewall.  We are 
currently investigating if this problem impacts our 
remaining supported products and platforms and we 
will release enhanced versions of the FTPd module 
as necessary.

This module update is available for download from 
the Symantec Enterprise Support site 
(http://www.symantec.com/techsupp).  The following 
enhancements have been made to the FTPd module 
for Solaris:

1)      By default, if the firewall detects a PORT 
request destined for an IP address other than the IP 
address of the FTP client, it will log the following 
warning:

&#8220;353 Warning: PORT command referenced a 
destination (x.x.x.x) that doesn't match control 
channel (y.y.y.y): possible Bounce attack? To enforce 
strict PORT checking please 
set &#8220;ftpd.allow_address_mismatch=False&#8221; in the 
Config.cf file.&#8221;

If the firewall administrator decides that this is not a 
problem in their environment, they can disable this 
Warning message by setting the following Config.cf 
variable:

ftpd.suppress_address_mismatch_warning=True 
(default is False)

2)      If the firewall administrator wishes to 
enforce strict PORT command checking and block 
any PORT requests that reference a different 
address than the original FTP client IP they can set 
the following Config.cf variable:

ftpd.allow_address_mismatch=False (default is True)

By enforcing &#8220;strict&#8221; PORT checking on the firewall, 
security administrators do not have to make sure that 
all of their FTP servers are patched or configured to 
block the FTP Bounce Attack.

These security enhancements were verified by 
Symantec and ICSA Labs (www.icsalabs.com). The 
new features will extend the enterprise-level 
protection provided by our FTP proxy which among 
other checks already includes protection against FTP 
Bounce attacks off the firewall itself, blocking PORT 
commands that select a well-known port, FTP 
strong/weak user authentication methods, GET/PUT 
granular security policies, FTP protocol and 
command verification, and transparent address 
hiding.

Technical Description
The FTP Bounce attack exploits a known design flaw 
in the FTP standard.  All RFC compliant FTP servers 
must support the PORT command.  The PORT 
command is used between an FTP client and server 
to coordinate the data channel connection between 
the two devices.  The RFC dictates that a connection 
for the data channel should be allowed to any IP 
address and any port.  However, this RFC-
compliancy renders FTP Servers vulnerable to 
misuse of the PORT command.  For a more detailed 
explanation of this issue please see CERT® Advisory 
CA-1997-27 FTP Bounce and the related technical tip.

The Symantec Enterprise Firewall automatically 
rewrites the PORT command with either the address 
of the client machine or the firewall address.  In either 
case when the PORT request reaches the FTP 
server, the PORT command will match the source 
address of the FTP client.  If configured, the FTP 
server scans the packet to make sure the PORT 
command matches the IP address of the client, and 
in all cases it does.  The FTP server then attempts to 
open a data connection to the client IP address, 
which then gets translated by the firewall to the 
victim&#8217;s IP address.  This is not a desired behavior 
since it gives the security administrator a false sense 
of protection from an FTP bounce attack.



Copyright (c) 2002 by Symantec Corp.
Permission to redistribute this Alert electronically is 
granted as long as it is not edited in any way unless 
authorized by Symantec Security Response. 
Reprinting the whole or part of this Alert in medium 
other than electronically requires permission from 
symsecurity () symantec com.
Disclaimer:
The information in the advisory is believed to be 
accurate at the time of printing based on currently 
available information. Use of the information 
constitutes acceptance for use in an AS IS condition. 
There are no warranties with regard to this 
information. Neither the author nor the publisher 
accepts any liability for any direct, indirect or 
consequential loss or damage arising from use of, or 
reliance on this information. 
Symantec, Symantec products, Symantec Security 
Response, and SymSecurity are Registered 
Trademarks of Symantec Corp. and/or affiliated 
companies in the United States and other countries. 
All other registered and unregistered trademarks 
represented in this document are the sole property of 
their respective companies/owners.