Signature Detail

Short Name: FTP:EXPLOIT:BOUNCE-ATTACK
Severity: High
Recommended: No
Recommended Action: Drop
Category: FTP
Release Date: 2003/04/22
Update Number: 1213
Supported Platforms: idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+

FTP: Bounce Attack


This protocol anomaly triggers when an FTP bounce attack is detected. There are two triggering conditions: a PORT command specifies an IP address different from the client's address, or a PASV command results in a 227 message containing an IP address different from the server's.

Extended Description

This problem is a design issue with the common implementation of the FTP protocol. In essence, the vulnerability is as follows: when a user connects to a host over FTP to retrieve files, the connection is two-way (i.e. when you log in and request a file, the server then opens a connection back to your host of origin to deliver the requested data). Most FTP servers support what is called 'active mode', which allows users to specify a number of parameters to the FTP daemon. One of these is the PORT command, which lets you specify *where* the return data connection should be sent. Therefore, instead of having the server open a connection back to your own host to deliver the requested files or data, you can have it open that connection to another host. This is true for both retrieving and putting data. Attackers can exploit this in some instances to circumvent access control, export restrictions, etc.
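The two trigger conditions in the description above can be expressed as a check over FTP control-channel lines. This is an added example, not Juniper's implementation; the function names and the sample session (documentation-range addresses) are constructed for illustration, and the `h1,h2,h3,h4,p1,p2` argument layout is the RFC 959 host-port form.

```python
import re

# RFC 959 host-port: h1,h2,h3,h4,p1,p2 as decimal octets. The lookarounds
# stop the pattern from matching inside a longer run of digits.
HOSTPORT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")

def parse_hostport(text):
    """Return (ip, port) from a host-port string, or None if it is malformed."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def check_control_line(direction, line, client_ip, server_ip):
    """Return (reason, ip, port) if the line meets a trigger condition, else None.

    direction is "c2s" for client commands and "s2c" for server replies.
    Malformed arguments are ignored here; they are a separate anomaly.
    """
    line = line.strip()
    if direction == "c2s" and line.upper().startswith("PORT "):
        hp = parse_hostport(line[5:])
        if hp and hp[0] != client_ip:
            return ("port-ip-mismatch", *hp)
    elif direction == "s2c" and line.startswith("227"):
        hp = parse_hostport(line[3:])  # skip the reply code itself
        if hp and hp[0] != server_ip:
            return ("pasv-ip-mismatch", *hp)
    return None

def scan_session(lines, client_ip, server_ip):
    """Check every (direction, line) pair and return the list of findings."""
    return [f for d, l in lines if (f := check_control_line(d, l, client_ip, server_ip))]

# Constructed sample session, not captured traffic.
SAMPLE = [
    ("c2s", "USER anonymous"),
    ("c2s", "PORT 192,0,2,10,19,137"),                          # client's own address
    ("c2s", "PORT 198,51,100,7,0,25"),                          # third-party address
    ("s2c", "227 Entering Passive Mode (203,0,113,5,78,32)"),   # server's own address
    ("s2c", "227 Entering Passive Mode (198,51,100,7,78,32)"),  # third-party address
]

if __name__ == "__main__":
    for finding in scan_session(SAMPLE, "192.0.2.10", "203.0.113.5"):
        print(finding)
```

The comparison addresses must be the control connection's endpoints as seen at the inspection point; where NAT sits between that point and an endpoint, the advertised address can differ without any bounce attempt.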

Affected Products

  • Digital UNIX 3.2.0 G
  • Digital UNIX 4.0.0
  • Digital UNIX 4.0.0 A
  • Digital UNIX 4.0.0 B
  • Digital UNIX 4.0.0 C
  • Digital UNIX 4.0.0 D
  • FreeBSD 1.1.5 .1
  • FreeBSD 2.0.0
  • FreeBSD 2.0.5
  • FreeBSD 2.1.0
  • FreeBSD 2.1.5
  • FreeBSD 2.1.6
  • FreeBSD 2.1.7 .1
  • HP HP-UX 10.10.0
  • HP HP-UX 10.16.0
  • HP HP-UX 10.20.0
  • HP HP-UX 11.0.0
  • HP HP-UX 7.0.0
  • HP HP-UX 7.2.0
  • HP HP-UX 7.4.0
  • HP HP-UX 7.6.0
  • HP HP-UX 7.8.0
  • HP HP-UX 9.0.0
  • HP HP-UX 9.1.0
  • HP HP-UX 9.3.0
  • HP HP-UX 9.4.0
  • HP HP-UX 9.5.0
  • HP HP-UX 9.6.0
  • HP HP-UX 9.7.0
  • HP HP-UX 9.8.0
  • HP HP-UX 9.9.0
  • HP HP-UX (VVOS) 10.24.0
  • IBM AIX 3.2.0
  • IBM AIX 4.1.0
  • IBM AIX 4.2.0
  • IBM AIX 4.2.1
  • IBM AIX 4.3.0
  • Mad Goat Software MGFTP 2.2.0
  • NetBSD 1.0.0
  • NetBSD 1.1.0
  • NetBSD 1.2.0
  • Rhino Software Serv-U 3.0.0
  • Rhino Software Serv-U 3.1.0
  • Rhino Software Serv-U 4.0.0 .0.4
  • Rhino Software Serv-U 4.1.0
  • SCO Open Desktop 3.0.0
  • SCO Open Server 5.0.0
  • SCO Unixware 2.1.0
  • SGI IRIX 3.2.0
  • SGI IRIX 3.3.0
  • SGI IRIX 3.3.1
  • SGI IRIX 3.3.2
  • SGI IRIX 3.3.3
  • SGI IRIX 4.0.0
  • SGI IRIX 4.0.1
  • SGI IRIX 4.0.2
  • SGI IRIX 4.0.3
  • SGI IRIX 4.0.4
  • SGI IRIX 4.0.5
  • SGI IRIX 4.0.5 A
  • SGI IRIX 4.0.5 D
  • SGI IRIX 4.0.5 E
  • SGI IRIX 4.0.5 F
  • SGI IRIX 4.0.5 G
  • SGI IRIX 4.0.5 H
  • SGI IRIX 5.0.0
  • SGI IRIX 5.0.1
  • SGI IRIX 5.1.0
  • SGI IRIX 5.1.1
  • SGI IRIX 5.2.0
  • SGI IRIX 5.3.0
  • SGI IRIX 6.0.0
  • SGI IRIX 6.0.1
  • SGI IRIX 6.1.0
  • SGI IRIX 6.2.0
  • SGI IRIX 6.3.0
  • SGI IRIX 6.4.0
  • SGI IRIX 6.5.0
  • SGI IRIX 6.5.1
  • SGI IRIX 6.5.2
  • SGI IRIX 6.5.2 f
  • SGI IRIX 6.5.2 m
  • SGI IRIX 6.5.3
  • SGI IRIX 6.5.3 f
  • SGI IRIX 6.5.3 m
  • SGI IRIX 6.5.4
  • SGI IRIX 6.5.4 f
  • SGI IRIX 6.5.4 m
  • SGI IRIX 6.5.5
  • SGI IRIX 6.5.5 f
  • SGI IRIX 6.5.5 m
  • Sun Solaris 2.5
  • Sun Solaris 2.5.1
  • Sun Solaris 2.5.1_x86
  • Sun Solaris 2.5_x86
  • Sun Solaris 2.6
  • Sun Solaris 2.6_x86
  • Sun SunOS 4.1.4
  • Washington University wu-ftpd 2.4.2 academ[BETA1-15]

References

  • BugTraq: 126
  • CERT: CA-1997-27
  • CVE: CVE-1999-0017
  • URL: http://www.cert.org/tech_tips/ftp_port_attacks.html

Copyright © 1999-2010 Juniper Networks, Inc. All rights reserved.