Manipulating FTP Clients Using The PASV Command

Author: mark@bindshell.net
Published: 4th March 2007
Version: 1.0

Summary

A common implementation flaw in FTP clients allows FTP servers to cause clients to connect to other hosts. This seemingly small vulnerability has some interesting consequences for web browser security.

This paper discusses the FTP client flaw in detail and demonstrates how it can be used to attack common web browsers such as Konqueror, Opera and Firefox. Proof of concept code is presented that extends existing JavaScript port-scanning techniques to scan any TCP port from Firefox (even though it now implements "port banning" restrictions). Because of the way the same-origin policy is applied it is also possible to perform banner-grabbing scans against arbitrary hosts. Finally, for services that don't return a banner an alternative fingerprinting technique is demonstrated which measures the time it takes servers to close inactive TCP connections.

Paper

This paper is available in PDF format only at present:
http://bindshell.net/papers/ftppasv/ftp-client-pasv-manipulation.pdf

Proof of Concept Code

The code which accompanies this paper is available here:
http://bindshell.net/papers/ftppasv/ftp-pasv-poc-v1.0.zip

Mozilla Fix Information

The recommendation for Firefox to ignore the IP address sent in FTP PASV responses has been implemented in Firefox 2.0.0.3 and Firefox 1.5.0.11.
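An added example, not the paper's PoC code, of how a client applies that recommendation: it parses the 227 PASV reply, keeps only the port, reuses the control connection's peer address for the data connection, and flags replies whose advertised address differs so the attempt can be logged. The sample replies and addresses are constructed.

```python
import re
from ipaddress import ip_address
from typing import Tuple

# The six comma-separated numbers of an RFC 959 PASV reply:
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
_PASV_FIELDS = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Return the (host, port) the server advertises in a 227 reply.

    Raises ValueError for anything that is not a well-formed PASV reply,
    so a malformed line can never be turned into a connection attempt.
    """
    if not reply.startswith("227"):
        raise ValueError("not a 227 PASV reply: %r" % reply)
    match = _PASV_FIELDS.search(reply)
    if match is None:
        raise ValueError("no host/port fields in PASV reply: %r" % reply)
    fields = [int(x) for x in match.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = fields
    port = (p1 << 8) | p2          # high byte, low byte
    if port == 0:
        raise ValueError("port 0 in PASV reply: %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), port


def data_endpoint(reply: str, control_peer_ip: str) -> Tuple[str, int, bool]:
    """Decide where the data connection goes, ignoring the advertised host.

    Returns (host, port, redirected): host is always the address the control
    connection is already talking to; redirected is True when the server
    advertised a different address, which a client can log as suspicious.
    """
    advertised_host, port = parse_pasv(reply)
    redirected = ip_address(advertised_host) != ip_address(control_peer_ip)
    return control_peer_ip, port, redirected


if __name__ == "__main__":
    # Constructed reply from a server at 192.0.2.10 pointing the data
    # connection at a different host; the hardened client stays on 192.0.2.10.
    print(data_endpoint("227 Entering Passive Mode (10,0,0,5,0,22)", "192.0.2.10"))
```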

Bug Numbers

Bugtraq IDs 23082, 23089

Mozilla Bugzilla Number 370559

Mozilla Advisory 2007-11

SecurityTracker IDs 1017802, 1017801, 1017800

Some Follow Up

Thanks to all those who have given feedback. Here are some notes based on what people have said:

Some notes on trying out the PoC code:
http://www.mcgrewsecurity.com/blog/?p=8

Another way to bypass Firefox port-banning for port 22:
http://jeremiahgrossman.blogspot.com/2006/11/bypassing-mozilla-port-blocking.html

A reason FTP clients might want to follow PASV responses to other IP addresses:
http://www.drftpd.org/index.php/Distributed_PASV

A method for portscanning from Firefox without using JavaScript. This could be combined with other methods to bypass port banning. Even Noscript users would be vulnerable then (to plain port-scanning, that is, not banner-grabbing):
http://jeremiahgrossman.blogspot.com/2006/11/browser-port-scanning-without.html

Banner grabbing takes ages. As soon as users browse away from the page, the scan stops. Some sort of distraction on the page would be necessary in a real attack - maybe a flash movie or game.

Last updated by Wade on 23-Apr-07 at 12:20pm