Vulnerability Development mailing list archives
Re: ws_ftp pro 6.51 exposes internal IP addresses
From: "Vachon, Scott" <Scott.Vachon () PAYMENTECH COM>
Date: Tue, 1 Aug 2000 09:22:32 -0500
In fact I witnessed this very thing yesterday when trying to update a website (located at Xoom.com) for a friend using ws_ftp. Network Ice detected the attempt. I think I may still have the logs if anyone is interested.

-----Original Message-----
From: Crawling KingSnake [mailto:kingsnake () MINISTER COM]
Sent: Monday, July 31, 2000 9:07 AM
To: VULN-DEV () SECURITYFOCUS COM
Subject: ws_ftp pro 6.51 exposes internal IP addresses

ws_ftp pro 6.51 exposes internal IP addresses when connecting using PASV mode and the target site is using ipfilter. This was tested on a network using OpenBSD 2.7 as the firewall/gateway with several internally addressed machines running different server applications.

Here is a log:

230 User xxxxx logged in.
PWD
257 "/" is current directory.
Host type (I): Microsoft NT
PORT 209,74,14,36,6,60
200 PORT command successful.
LIST
150 Opening ASCII mode data connection for /bin/ls.
! Accept error: Blocking call cancelled
! Retrieve of folder listing failed (0)
QUIT
425 Can't open data connection.
- -
connecting to 216.37.xx.xx:2100
Connected to 216.37.xx.xx port 2100
220 saranac Microsoft FTP Service (Version 5.0).
USER xxx
331 Password required for xxxx.
PASS (hidden)
230-========================================
<snip>
230-
230-
230 User xxxx logged in.
PWD
257 "/" is current directory.
Host type (I): Microsoft NT
PASV
227 Entering Passive Mode (192,168,1,5,6,184).
connecting to 192.168.1.5:1720
- -
connecting to 192.168.1.5:1720
! Connection failed 192.168.1.5 - host unreachable
! connect: error 0
PORT 209,74,14,36,6,63
200 PORT command successful.
LIST
150 Opening ASCII mode data connection for /bin/ls.
! Timer cancelled blocking call
! Accept error: Blocking call cancelled
! Retrieve of folder listing failed (0)
QUIT
425 Can't open data connection.

I have cleansed the log to protect the network. But as you can see the first attempt fails and somehow the internal address is exposed to ws_ftp and then to the user.
The second login attempt happens automatically, immediately after the first login failure. A malicious person could use this information to specifically target the internal machines if/when a breach of the gateway box occurs.

Vendor was notified but no response.

Crawling King Snake
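
A check an FTP or firewall administrator could run over control-channel logs to catch the leak shown in the session above (an added example, not part of the original posts): it decodes each 227 reply, so 192,168,1,5,6,184 becomes 192.168.1.5 port 6*256+184 = 1720, and flags addresses that are RFC 1918 or that differ from the control-connection peer. The peer address 203.0.113.10 and the second 227 line are constructed stand-ins for the masked 216.37.xx.xx host.

```python
import ipaddress
import re

# RFC 1918 ranges listed explicitly; ipaddress.is_private also covers
# documentation and other special ranges, which is broader than wanted here.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),"
                     r"(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_pasv(line):
    """Return (ip, port) from a 227 reply, or None if the line is not one."""
    m = PASV_RE.match(line.strip())
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None  # malformed octet in h1..h4 or p1,p2
    ip = ipaddress.ip_address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]

def audit_pasv(lines, control_peer):
    """Flag 227 replies that advertise an RFC 1918 or non-peer address."""
    peer = ipaddress.ip_address(control_peer)
    findings = []
    for line in lines:
        parsed = parse_pasv(line)
        if parsed is None:
            continue
        ip, port = parsed
        reasons = []
        if any(ip in net for net in RFC1918):
            reasons.append("rfc1918-address")
        if ip != peer:
            reasons.append("differs-from-control-peer")
        if reasons:
            findings.append((str(ip), port, reasons))
    return findings

# Constructed input: the first 227 line is the one in the log above; the
# second is a constructed reply advertising the (assumed) public peer address.
SAMPLE = [
    "230 User xxxx logged in.",
    "PASV",
    "227 Entering Passive Mode (192,168,1,5,6,184).",
    "227 Entering Passive Mode (203,0,113,10,6,185).",
]

if __name__ == "__main__":
    for finding in audit_pasv(SAMPLE, "203.0.113.10"):
        print(finding)
```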