FTP Relay Problem

Impact

With vulnerable servers, a malicious user can create a connection between the FTP server and other systems on an arbitrary port. The connection could be used to bypass access control restrictions and enable an attacker to access ports on 'protected' networks.

Background

An FTP session consists of two connections between the client and the server: the control connection, and a data connection on a high-numbered port that is set up at the client's request and lets the FTP server send data to the client. When the client wants to transfer data to or from the server, it issues a PORT command. The PORT command tells the server which address and port to connect to for the data connection that carries the transfer.

The PORT command is normally used only to open connections between the server and the client. However, the FTP protocol specifies that the PORT command may be used to open connections between the server and any other host. Therefore, the client can instruct the server to establish an FTP data connection with any host the server can access, even if the client does not have access to it.

The Problem

An outside attacker can use the FTP server to open connections that appear to originate from the server itself. This can be used to bypass access control restrictions that apply to the attacker but not to the server.

Resolution

Configure the FTP server not to allow connections to be established with any host other than the client. If your vendor's FTP server does not allow this feature to be disabled, and there is no patch available, consider installing the latest version of wu-ftpd, which does not have this problem.

Since the FTP protocol specifies that the PORT command may be used to establish a connection with any host, it is possible, though unlikely, that this solution could affect certain applications that use FTP.
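The check the resolution calls for, as an added example that is not code from the original advisory or from wu-ftpd: parse the PORT argument in its RFC 959 form (h1,h2,h3,h4,p1,p2) and honour it only when the requested address is the control-connection peer and the port is not a low service port. The function names, the 1024 threshold and the sample commands are assumptions for illustration.

```python
import ipaddress
import re

# PORT argument per RFC 959: h1,h2,h3,h4,p1,p2, each 0-255; port = p1*256 + p2
_PORT_ARG = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port_command(arg: str):
    """Return (ip, port) for a PORT argument, or None if it is malformed."""
    m = _PORT_ARG.match(arg.strip())
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return host, port


def check_port_command(arg: str, client_ip: str, min_port: int = 1024):
    """Decide whether a PORT command received from client_ip should be honoured.

    Returns (allowed, reason). The server should refuse to open the data
    connection unless allowed is True. min_port (assumed value 1024) blocks
    requests that aim the data connection at well-known service ports.
    """
    parsed = parse_port_command(arg)
    if parsed is None:
        return False, "malformed PORT argument"
    host, port = parsed
    # The relay problem: the requested address is not the client we are talking to.
    if ipaddress.ip_address(host) != ipaddress.ip_address(client_ip):
        return False, f"PORT target {host} is not the control-connection peer {client_ip}"
    if port < min_port:
        return False, f"PORT target port {port} is below {min_port}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a legitimate request followed by a relay attempt.
    peer = "192.168.1.10"
    for arg in ("192,168,1,10,4,1", "10,0,0,5,0,25"):
        print(arg, "->", check_port_command(arg, peer))
```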
