topic Re: FTP Vulnerability in Operating System - HP-UX

FTP Vulnerability

Sean OB_1 — Tue, 13 May 2003 16:57:44 GMT

Hello. A recent security scan came up with the following on one of our HP/UX 11.11 servers.

The FTP protocol uses a main connection, called a control connection.
Data connections may be opened in two ways:
1. active data connection
The client, before a data transfer starts, sends a PORT command on the control
connection.
2. passive data connection
The client, before a data transfer starts, sends a PASV command to the server. The server answers with the IP address and TCP port it will listen to. The client then opens this data connection to the given endpoint on the FTP
server.
In PASV mode, both control and data connections are initiated by the client, which makes this mode easier to set up across firewalls.
Some FTP servers unfortunately open ports in sequential order. The issue is that an intruder could intercept the answer to the PASV command and open the data connection before the legitimate client can do it. The intruder can then steal information (if the intended FTP command is a 'retrieve') or tamper with data on the server (if the intended FTP command is a 'store').
Please note that this TC can fail if other PASV commands are issued at the time of the test ( in this case, the port numbers returned by the server will not be sequential anymore ).

Does anyone know is there a patch for the HP ftp daemon to resolve this or do I need to look at replacing the HP ftpd with wu_ftpd or another ftp program?

TIA,

Sean

Re: FTP Vulnerability

Steven E. Protter — Tue, 13 May 2003 17:28:46 GMT

This is the only patch I found.

http://www2.itrc.hp.com/service/patch/patchDetail.do?patchid=PHNE_27765&context=hpux:800:11:11

I'm not sure it deals with this issue or not.

I recall reading forum posts that say wu-ftpd is just as good as the other possible candidates.

ftpd's real problem is that password exchange is in clear text which creates intercept possibilitiies. To avoid that you have to switch to secure shell.

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=T1471AA

SEP

Re: FTP Vulnerability

Sean OB_1 — Tue, 13 May 2003 18:39:33 GMT

Steven,

That was the only patch I found as well, and it's already installed on the machines.

I'd really rather not have to replace FTP on their servers, as that is just another app that we'll have to track and patch separately.

Unfortunately only using SSh isn't an option on these servers because their primary appliation only supports telnet.

Re: FTP Vulnerability

Steven E. Protter — Tue, 13 May 2003 18:51:17 GMT

I'm probably confused(usually am), but you can run secure shell and ftpd and telnetd simultaneously.

Just because your primary application requires telnet doesn't mean you can't replace ftpd with sftp running from the sshd daemon.

I'm probably missing a lot, and you know the integration issues better than me.

SEP

Re: FTP Vulnerability

Chris Vail — Tue, 13 May 2003 19:00:21 GMT

This isn't an exact answer to your question, but you can limit ftp to use only designated hosts. Create the /var/adm/inetd.sec file, and give it an entry like:
ftp allow 192.168.1.100
This means that ONLY the host at that address can use ftp. Its not perfect, but it works pretty well. You can use *'s as wildcards to get a whole range of addresses. Then if you DO get hacked, you at least know where to start looking for the culprit!

Chris

Re: FTP Vulnerability

Bill Hassell — Wed, 14 May 2003 01:59:28 GMT

ftp on 11.11 is WU-FTPD so you've got the code already. 11.0 (with recent patches) also has WU-FTPD. The random sequence number issue came up a couple of years ago and I believe there was a patch to resolve it although there were caveats for compatibility issues (primarily for firewalls and proxy servers). As mentioned, changing from ftp to sftp is the preferred solution although it may not be available for other platforms.