Firewall Wizards mailing list archives

Re: FTP Security


From: Bill_Royds () pch gc ca
Date: Mon, 3 May 1999 15:33:48 -0400

Default FTP is an unusual protocol in that it uses 2 separate ports. One
initiates an FTP session using port 21 from a client to a server. That is, the
client uses a random high-numbered port and makes a socket with the server
listening on port 21. This control session is not used for data; instead an
entirely new TCP connection is created, initiated by the server and listened to
by the client. When data is about to be transmitted, the client tells the server
(with the PORT command) "I will be listening on port 34567" and opens a socket
listening on that port. The server then completes the connection, forming a
socket going from server to client (SYN sent from server, ACK SYN from client,
etc.). If someone in the middle captures this PORT connection he/she knows what
the next connection will be and can replace the valid data session by a spoofed
one, by sending a different IP,PORT command with the same sequence number.
The FTP command PASV (passive FTP) asks the server to listen and the client to
initiate for data. This is safer for the client but not necessarily better for
the server.
"Marcelo Barbosa Lima" <marcelo.lima () dcc unicamp br> on 99-05-04 12:55:04 PM

Please respond to "Marcelo Barbosa Lima" <marcelo.lima () dcc unicamp br>

To:   firewall-wizards () nfr net
cc:    (bcc: Bill Royds/HullOttawa/PCH/CA)
Subject:  FTP Security

  Hi folks,

     I was reading a paper about security problems in FTP and did not
 understand this:

    "When the data transfers are done in
    active mode, the attacker guesses the number of the TCP port where the
    target client will be doing a listen. He or she then repeatedly sends
    the ftp server to which the client is connected the commands PORT
    ip,of,client,machine,port,port RETR filename or STOR filename.

    Using RETR if he wishes to replace data transmitted to the client, and
    STOR if he is trying to intercept data the client would send to the
    server. "

    Do you agree with this? Well, I saw that the client sends his port
 number across the control connection using the PORT command. How can the
 attacker send (repeatedly) PORT commands to the FTP server if he or she
 doesn't know the TCP sequence numbers of the control connection between
 client and server? Another question is: how can the attacker know about
 the control connections in a particular FTP server? Netstat? I like your
 solutions for these problems! Sorry for my poor English :-).

 Thanks and Regards!


                    Marcelo B. Lima
                                  marcelo.lima () dcc unicamp br
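The defence Bill's reply points at is that the PORT argument (and the address in a PASV 227 reply) is the only thing that tells each side where the data connection should go, so an FTP-aware firewall or proxy refuses a PORT whose address is not the control connection's own peer, or whose port is privileged. The following is an added example of that check, not code from the mailing list post or any particular firewall product; the addresses and the control-channel commands in it are constructed sample data.

```python
"""Added example (not from the mailing list post): the PORT/PASV address
check an FTP-aware firewall or proxy applies to the control channel.
All addresses and commands below are constructed sample data."""
import re

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(arg):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and by the 227 PASV reply.
    Returns (ip, port) or None when the argument is malformed."""
    m = _HOSTPORT.search(arg)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def check_port_command(control_peer_ip, port_arg):
    """Policy for a client's PORT command seen on the control connection:
    accept only if the advertised address is the control connection's own peer
    and the port is unprivileged (>1023). Returns (allowed, reason)."""
    parsed = parse_hostport(port_arg)
    if parsed is None:
        return False, "malformed PORT argument"
    ip, port = parsed
    if ip != control_peer_ip:
        return False, f"PORT address {ip} does not match control peer {control_peer_ip}"
    if port < 1024:
        return False, f"PORT targets privileged port {port}"
    return True, f"data connection to {ip}:{port}"


def check_pasv_reply(control_server_ip, reply_line):
    """Same policy for the server side: a 227 reply must name the server the
    client is already talking to, so a client cannot be redirected elsewhere."""
    parsed = parse_hostport(reply_line)
    if not reply_line.startswith("227") or parsed is None:
        return False, "not a usable 227 reply"
    ip, port = parsed
    if ip != control_server_ip:
        return False, f"PASV address {ip} does not match control server {control_server_ip}"
    if port < 1024:
        return False, f"PASV offers privileged port {port}"
    return True, f"data connection to {ip}:{port}"


def audit_control_stream(control_peer_ip, lines):
    """Run the PORT check over the client-to-server side of a control session.
    Each decision is recorded so a firewall log shows which PORT commands were blocked."""
    decisions = []
    for line in lines:
        verb, _, arg = line.strip().partition(" ")
        if verb.upper() == "PORT":
            allowed, reason = check_port_command(control_peer_ip, arg)
            decisions.append((line.strip(), allowed, reason))
    return decisions


# Constructed sample: the client's control connection comes from 192.0.2.10.
SAMPLE_CLIENT_IP = "192.0.2.10"
SAMPLE_SESSION = [
    "USER anonymous",
    "PORT 192,0,2,10,135,7",      # 135*256+7 = 34567 on the client's own address: allowed
    "RETR file.txt",
    "PORT 198,51,100,5,135,7",    # a different address on the same session: refused
    "PORT 192,0,2,10,0,25",       # client's address but port 25: refused
]

if __name__ == "__main__":
    for cmd, ok, why in audit_control_stream(SAMPLE_CLIENT_IP, SAMPLE_SESSION):
        print("ALLOW" if ok else "DENY ", cmd, "-", why)
```

The peer address compared against is taken from the TCP control connection itself, never from anything the client or server says on the channel, which is what makes the check useful against a substituted PORT command: whoever injects it must still name the real client's address, and the server's own 227 reply is held to the same rule in the other direction.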