Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Unix :: General :: ciaci018.txt

FTP Bounce Vulnerability


                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___

                             INFORMATION BULLETIN

                            FTP Bounce Vulnerability

May 6, 1998 23:00 GMT                                           Number I-018a
PROBLEM:       The problem is based on the misuse of the PORT command in the
               FTP protocol.
PLATFORMS:     Cray Research - Unicos and Unicos/mk
               DIGITAL UNIX V3.2g, V4.0, V4.0a, V4.0b, V4.0c.
               FreeBSD 2.1.7 and earlier, 2.2.0 and later if allow -R option
               HP-UX - -9.X and 10.X, on HP 9000 series 300/400s and 700/800s
               IBM AIX - all ftp servers
               MadGoat - fixed in MGFTP V2.2-2
               NCR Corporation -  later than
               NetBSD - 1.2.1 , no patches
               OpenBSD - prior to OpenBSD 2.1
               SCO - OpenServer 5.0.4
                     UnixWare 2.1
                     ODT 3.0
               Siemens-Nixdorf - ReliantUNIX
               Sun Microsystems - SunOS 4.1.x and 5.x
DAMAGE:        An attacker may be able to establish a connection between the
               FTP server machine and an arbitrary port on another system.
SOLUTION:      Apply patches or workaround.
VULNERABILITY  It is recommended that you install a comprehensive patch if one
ASSESSMENT:    is available or use the wu-ftpd package identified in Section

[ Append on May 6, 1998 with additional patch information from Digital ]

[ Start CERT Advisory ]

CERT* Advisory CA-97.27
Original issue date: Dec. 10, 1997
Last revised: December 16, 1997 - Vendor updates for Sun Microsystems, Inc.

              A complete revision history is at the end of this file.

Topic: FTP Bounce
- -----------------------------------------------------------------------------

In some implementations of FTP daemons, the PORT command can be misused to
open a connection to a port of the attacker's choosing on a machine that the
attacker could not have accessed directly. There have been ongoing discussions
about this problem (called "FTP bounce") for several years, and some vendors
have developed solutions for this problem.

The CERT/CC staff urges you to install a comprehensive patch if one is
available. Until then, we recommend the wu-ftpd package identified in Section
III.B. as a workaround.

We will update this advisory as we receive additional information. Please
check our advisory files regularly for updates that relate to your site.

- -----------------------------------------------------------------------------

I.   Description

     In the past few years there have been ongoing discussions about a
     problem known as "FTP bounce." In its simplest terms, the problem is
     based on the misuse of the PORT command in the FTP protocol.

     To understand the FTP bounce attack, please see the tech tip at

     The core component of the problem is that by using the PORT command in
     active FTP mode, an attacker may be able to establish connections to
     arbitrary ports on machines other than the originating client. This
     behavior is RFC compliant, but it is also potentially a source of
     security problems for some sites. The example attacks described in the
     tech tip demonstrate the potential of this vulnerability.

II.  Impact

     An attacker may be able to establish a connection between the FTP server
     machine and an arbitrary port on another system. This connection may be
     used to bypass access controls that would otherwise apply.

III. Solution

     Because the core element of the attack (the FTP server can establish
     connections to arbitrary machines and arbitrary ports) is also a required
     component for RFC compliance, there is no clear-cut solution. With this
     in mind, we urge you to carefully consider the type of service that your
     site offers.

     The best solution solely from a security perspective is to ensure that
     your FTP server software cannot establish connections to arbitrary
     machines. However, sites that rely on the RFC-compliant behavior may
     find that implementing this solution will affect applications that they
     use. (We have not received any first-hand reports of such cases.)
     Consequently, many vendors offer solutions that allow sites offering the
     FTP service to make the choice that best suits them. You should check to
     see what type of behavior your vendor's FTP daemon adopts (Section A).

     If you wish to implement an FTP service that does not allow this attack
     and your vendor does not offer a daemon with this functionality, consider
     using the wu-ftpd package described in Section B. Other steps you can
     take are described in Section C.

     A.  Vendor Information

         It is our experience that vendor implementations fall into one of
         these groups:

         (1) strict conformance with RFC functionality: The PORT command
             may be used to connect directly to a third-party machine, and
             this is the only functionality allowed. Some vendors who
             choose to maintain strict conformance have addressed this
             problem by modifying all other network services to reject
             connections originating from the FTP data port (port 20).

         (2) strict suppression of the PORT command: The PORT command may
             be used to connect to the originating client, and this is the
             only functionality allowed.

         (3) variable PORT command behavior: The PORT command may be used
             in either of the above two ways, with one way being the
             default. Switching between them is usually achieved with a
             command line parameter. You should be careful to verify which
             is the default.

         Appendix A contains a list of vendors who have provided
         information about this problem. We will update the appendix as we
         receive more information. If you do not see your vendor's name,
         the CERT/CC did not hear from that vendor. Please contact your
         vendor directly.

     B.  Use the wu-ftpd package as a workaround.

         The wu-ftpd package addresses the FTP bounce problem by ensuring that
         the PORT command cannot be used to establish connections to machines
         other than the originating client. Please read the wu-ftpd README
         file "FIXES-2.4-HOBBIT" before installing the package.

         The latest version of wu-ftpd, which we recommend, is available from


         DFN-CERT mirrors this software at


         MD5 (wu-ftpd-2.4.2-beta-15.tar.Z) = 6c8172b83ab2545a5b91a9aba4840630

         If you use a previous version (whether a beta version or full
         release), do not assume that your site is immune from these problems
         or other problems discussed in previous advisories.

     C.  FTP Configuration

         Some attacks rely on an intermediate file being uploaded to one or
         more server machines via (usually anonymous) FTP. This file is
         used in a later phase of the attack.

         Your site should offer anonymous upload facilities only if it is
         absolutely necessary. Even then, you must carefully configure the
         incoming area. For further details, see "Anonymous FTP Configuration
         Guidelines" at


         Note that these steps only repel attacks that rely on intermediate
         uploads. The steps are not effective against other attacks.

         If your site allows file uploads, we urge your to ensure that the
         FTP service restricts the PORT command so that it can only be used
         to connect to the originating client.


Appendix A - Vendor Information

Below is a list of the vendors who have provided information for this
advisory. We will update this appendix as we receive additional information.
If you do not see your vendor's name, the CERT/CC did not hear from that
vendor. Please contact the vendor directly.

Caldera, Inc.
- - -------------

 Caldera OpenLinux(tm) 1.2 ships with wu-ftpd-2.4.2 beta 15.  For those
        with earlier versions of wu-ftpd, updates to this package can be
        obtained from:


        Other Caldera security resources are located at:


Cray Research - A Silicon Graphics Company
- - ------------------------------------------

   The ftpd supplied with Unicos and Unicos/mk is currently in category 1.
   We are working to make it category 3.

- - -----------------------------

   DIGITAL UNIX V3.2c thru V3.2g
   DIGITAL UNIX V4.0 thru V4.0c

   At the time of writing this document, patches(binary kits) are in
   progress and final testing has been completed. Distribution of the
   fix for this problem is expected to begin soon (BL9 and possibly
   as early release patches).  Digital will provide notice of the
   completion/availibility of the patches through AES services (DIA,
   DSNlink) the DIGITAL Patch Service WEB site, and be available from
   your normal Digital Support channel.

                   DIGITAL EQUIPMENT CORPORATION    12/97
                   -----------------------------   ------

The FreeBSD Project
- - -------------------

   FreeBSD 2.2.0 and all later releases do not allow the FTP bounce attack
   (unless explicitly allowed by the -R option). FreeBSD 2.1.7 and earlier
   releases can be abused by the bounce attack.

Hewlett-Packard Company
- - -----------------------

   This problem is addressed HP Security Bulletin 028. This bulletin can
   be found at one of these URLs:
       (for US, Canada, Asia-Pacific, & Latin-America)
       (for Europe)

   Current patches for SB#28 as of 11/5/97 from security patch matrix

   Security Bulletin 028: Security Vulnerability in FTP

                 Current                             Original
           --------------------                --------------------
           s300  8.00: None                    s300  8.00: None
           s300  9.00: PHNE_6146               s300  9.00: PHNE_6146
           s300  9.03: PHNE_6146               s300  9.03: PHNE_6146
           s300  9.10: PHNE_6146               s300  9.10: PHNE_6146
           s700  8.05: None                    s700  8.05: None
           s700  8.07: None                    s700  8.07: None
           s700  9.01: PHNE_10008              s700  9.01: PHNE_6013
           s700  9.03: PHNE_10008              s700  9.03: PHNE_6013
           s700  9.05: PHNE_10008              s700  9.05: PHNE_6013
           s700  9.07: PHNE_10008              s700  9.07: PHNE_6013
           s700  9.09: PHNE_6169               s700  9.09: PHNE_6169
                       PHNE_6170                           PHNE_6170
           s700 10.00: PHNE_10009              s700 10.00: PHNE_6014
           s700 10.01: PHNE_10009              s700 10.01: PHNE_6014
           s700 10.09: PHNE_5965               s700 10.09: PHNE_5965
           s700 10.10: PHNE_10009              s700 10.10: None
           s700 10.16: None                    s700 10.16: None
           s700 10.20: None                    s700 10.20: None
           s700 10.24: None                    s700 10.24: None
           s700 10.30: None                    s700 10.30: None
           s800  8.00: None                    s800  8.00: None
           s800  8.02: None                    s800  8.02: None
           s800  8.06: None                    s800  8.06: None
           s800  9.00: PHNE_10008              s800  9.00: PHNE_6013
           s800  9.04: PHNE_10008              s800  9.04: PHNE_6013
           s800  9.08: PHNE_6171               s800  9.08: PHNE_6171
           s800 10.00: PHNE_10009              s800 10.00: PHNE_6014
           s800 10.01: PHNE_10009              s800 10.01: PHNE_6014
           s800 10.09: None                    s800 10.09: None
           s800 10.10: PHNE_10009              s800 10.10: None
           s800 10.16: None                    s800 10.16: None
           s800 10.20: None                    s800 10.20: None
           s800 10.24: None                    s800 10.24: None
           s800 10.30: None                    s800 10.30: None

   Accessing the HP ESC
   Hewlett Packard's HP-UX patches/Security Bulletins/Security
   patches are available via email and/or WWW (via the browser
   of your choice) on HP Supportline (HPSL).
   To subscribe to automatically receive future NEW HP Security Bulletins from
   the HP SupportLine Digest service via electronic mail, do the following:

   1)  From your Web browser, access the URL:
         and Latin-America)

      Login with your user ID and password, or register for one (remember
      to save the User ID assigned to you, and your password). Once you are
      on the Main Menu, Click on the Technical Knowledge Database, and it
      will connect to a HP Search Technical Knowledge DB page. Near the
      bottom is a hyperlink to our Security Bulletin archive. Once in the
      archive there is another  link to our current security patch matrix.
      Updated daily, this matrix is categorized by platform/OS release,
      and by bulletin topic.

IBM Corporation
- - ---------------

   All AIX ftp servers are vulnerable to the FTP bounce attack. The
   following fixes are in progress:

     AIX 3.2:  upgrade to v4
     AIX 4.1:  IX73075
     AIX 4.2:  IX73076
     AIX 4.3:  IX73077

   To Order
    APARs may be ordered using Electronic Fix Distribution (via FixDist)
    or from the IBM Support Center. For more information on FixDist,
    reference URL:

    or send e-mail to with a subject of "FixDist".

- - -------

   This problem is fixed in MGFTP V2.2-2, which was released several months
   ago. That version restricts the port numbers to ports above 1024.
   However, it does not block access to third-party machines. V2.2-4,
   scheduled for release next week, will do that as well.

Microsoft Corporation
- - ---------------------

   We prevent this attack by disallowing "third party" transfers. This is
   done via a modification to our implementation of the PORT command. When
   the FTP server receives a PORT command, the specified IP address *must*
   match the client's source IP address for the control channel.

   In other words, then the client sends a PORT command to the FTP server,
   giving the server an IP address & port number to connect back to the
   client for the data transfer, the IP address *must* be the client's
   original IP address.

   We have one other fix in which we disallow the PORT command from
   specifying reserved ports (those less than 1024) except port 20 (the
   default data port). By default, any client attempt to issue a port
   command with (port < 1024 && port != 20) will cause the PORT command to
   fail. This check can be disabled setting the EnablePortAttack registry

NEC Corporation
- - ---------------

   Several NEC Unix systems have proven vulnerable.  Work is currently
   underway to identify all affected systems.  Patches are forthcoming.

NCR Corporation
- - ---------------

   NCR is delivering a set of operating system dependent patches which
   contain an update for this problem. Accompanying each patch is a
   README file which discusses the general purpose of the patch and
   describes how to apply it to your system.

   Recommended solution: Apply one of the following patches depending on
   the revision of the inet package installed on your system. To check its
   version execute:

        pkginfo -x inet

   For inet 5.01.xx.xx: - PINET501 (Version later than
   For inet 6.01.xx.xx: - PINET601 (Version later than
   For inet 6.02.xx.xx: - PINET602 (Version later than

   After installation of the respective patch, the default behavior will be
   to protect from this vulnerability.. A new ftpd man-page describe how to
   enable the old RFC compliant behavior.

The NetBSD Project
- - ------------------

   There are no patches for NetBSD 1.2.1 or prior, however the ftpd
   sources available from:
   should work on a NetBSD 1.2.1 machine.

The OpenBSD project
- - -------------------

   FTP bounce can be fixed in the operating system by fixing all vulnerable
   services by checking for connections from port 20. Since this has been
   done in OpenBSD, OpenBSD is not vulnerable and does NOT NEED the
   variable port command. The solution applies since OpenBSD 2.1 (ie. it
   applies for both 2.1 and for 2.2).

Red Hat Software
- - ----------------

   We ship wu-ftpd, so this isn't a problem for us.

The Santa Cruz Operation, Inc.
- - ------------------------------

   SCO has determined that the following Operating systems are vulnerable
   to the ftp-bounce attack :-

           OpenServer 5.0.4
           UnixWare   2.1
           ODT        3.0

   We are currently working on a fix to this problem.

Siemens-Nixdorf Informationssysteme AG
- - --------------------------------------

   ReliantUNIX is vulnerable.
   The problem has been corrected in the current sources.
   Patches will be developed (as necessary) and made available via your
   Siemens-Nixdorf customers service.

Sun Microsystems, Inc.
- - ----------------------

   Sun's FTP server software in SunOS 4.1.x and 5.x allow PORT requests
   to make data connections to arbitrary hosts. Prior to SunOS 5.6, Sun's
   FTP server software also allows data connections to arbitrary ports.

   In SunOS 5.6, the FTP server software does not accept PORT requests to make
   data connections to well-known (privileged) ports. Sun has also released
   the following patches that prevent Sun's FTP server software from accepting
   PORT requests to make data connections to well-known ports for the
   following SunOS releases:

        103603-05 SunOS 5.5.1
        103604-05 SunOS 5.5.1_x86
        103577-06 SunOS 5.5
        103578-06 SunOS 5.5_x86
        101945-51 SunOS 5.4
        101946-45 SunOS 5.4_x86
        104938-01 SunOS 5.3
        104477-03 SunOS 4.1.4
        104454-03 SunOS 4.1.3_U1

   Sun recommends that sites that do not require their FTP server make
   connections to arbitrary hosts consider using wu-ftpd as a workaround.

- - ----------------------------------------------------------------------------
- -

The CERT Coordination Center thanks AUSCERT and DFN-CERT for helping
develop this advisory. We also thank Steve Bellovin and the vendors who
offered valuable comments on the problem and solutions: BSDI, Hewlett-Packard,
Livingston, NetBSD, OpenBSD, Sun Microsystems.

- - ----------------------------------------------------------------------------
- -

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response
and Security Teams (see

CERT/CC Contact Information
- - ----------------------------

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
                and are on call for emergencies during other hours.

Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890

Using encryption
   We strongly urge you to encrypt sensitive information sent by email. We can
   support a shared DES key or PGP. Contact the CERT/CC for more information.
   Location of CERT PGP key

Getting security information
   CERT publications and other security information are available from

   CERT advisories and bulletins are also posted on the USENET newsgroup

   To be added to our mailing list for advisories and bulletins, send
   email to
   In the subject line, type
        SUBSCRIBE  your-email-address

- - ---------------------------------------------------------------------------

Copyright 1997 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in and .
If you do not have FTP or web access, send mail to with
"copyright" in the subject line.

*CERT is registered in the U.S. Patent and Trademark Office.

- - ---------------------------------------------------------------------------

This file:
               click on "CERT Advisories"

Revision history

Dec. 16, 1997 Vendor updates for Sun Microsystems, Inc.
Dec. 11, 1997 Vendor updates for Caldera, Digital Equipment
              Corporation, NEC Corporation.

Version: 2.6.2

 [ End CERT Advisory ]
[ Append Digital Advisory ]

UPDATE:                                         APR  30,  1998

  TITLE: DIGITAL UNIX  ftpd  V3.2g, V4.0, V4.0a, V4.0b, V4.0c
         - Potential Security Vulnerability
	ref#: SSRT0452U   ftpd (ftp bounce)
  SOURCE: Digital Equipment Corporation
          Software Security Response Team 

 "Digital is broadly distributing this Security Advisory in order
 to bring to the attention of users of Digital's products the
 important security information contained in this Advisory. 
 Digital recommends that all users determine the applicability of
 this information to their individual situations and take
 appropriate action.

 Digital does not warrant that this information is necessarily
 accurate or complete for all user situations and, consequently,
 Digital will not be responsible for any damages resulting from
 user's use or disregard of the information provided in this

  Digital has discovered a potential vulnerability with the 
  FTP (bounce) for DIGITAL UNIX  software, where under certain 
  circumstances, an user may gain unauthorized privileges. 

  Digital strongly recommends upgrading to a minimum of
  Digital UNIX V4.0b accordingly, and that the appropriate
  patch kit be installed immediately.

 This potential security problem has been resolved and an official
 patch for this problem has been made available as an early release
 kit for DIGITAL UNIX V4.0a (duv40ass0000600041100-19980317.*)
 and, included in the latest DIGITAL UNIX V4.0b aggregate DUPATCH Kit. 
	 The V3.2g aggregate BL 10 patch kit #5 
	 is scheduled for release in late June 1998.
	 The V4.0 aggregate  BL 9 patch kit #6 
	 is scheduled for release mid May 1998.
	 The V4.0c aggregate BL10 patch kit #6 
	 is scheduled for release mid May 1998.

 *This potential problem was included in the distributed release of 

  o the World Wide Web at the following FTP address:
    Use the FTP access option, select DIGITAL_UNIX directory
    then choose the appropriate version directory 
    and download the patch accordingly.

  Note: [1]The appropriate patch kit must be installed
  	following any upgrade to V4.0a, V4.0b, or V4.0c.
        [2] Please review the appropriate release notes
        prior to installation.
 If you need further information, please contact your normal DIGITAL
 support channel.

 DIGITAL appreciates your cooperation and patience. We regret any
 inconvenience applying this information may cause.

 As always, Digital urges you to periodically review your system
 management and security procedures. 

  Digital will continue to review and enhance the security
  features of its products and work with customers to maintain and
  improve the security and integrity of their systems.

  Copyright (c) Digital Equipment Corporation, 1998 All
  Rights Reserved.
  Unpublished Rights Reserved Under The Copyright Laws Of
  The United States.

[ End Digital Advisory ]

CIAC wishes to acknowledge the contributions of CERT for the information
contained in this bulletin.

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 510-422-8193
    FAX:      +1 510-423-8002
    STU-III:  +1 510-423-2604

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:
   Anonymous FTP: (
   Modem access:        +1 (510) 423-4753 (28.8K baud)
                        +1 (510) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. SPI-ANNOUNCE for official news about Security Profile Inspector
   (SPI) software updates, new features, distribution and
3. SPI-NOTES, for discussion of problems and solutions regarding the
   use of SPI products.

Our mailing lists are managed by a public domain software package
called Majordomo, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
ciac-bulletin, spi-announce OR spi-notes for list-name:

E-mail to or
        subscribe list-name
  e.g., subscribe ciac-bulletin

You will receive an acknowledgment email immediately with a confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email.  This is a partial protection to make sure
you are really the one who asked to be signed up for the list in question.

If you include the word 'help' in the body of an email to the above address,
it will also send back an information file on how to subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

I-008: Open Group OSF/DCE Denial-of-Service Vulnerability
i-009: IBM AIX libDtSvc.a Buffer Overflow Vulnerability
I-010: HP-UX CDE Vulnerability
I-011: IBM AIX portmir command Vulnerability
I-012: IBM AIX ftp client Vulnerability
I-013: Count.cgi Buffer Overrun Vulnerabiliity
I-014: Vulnerability in GlimpseHTTP and WebGlimpse cgi-bin Packages
I-015: SGI IRIX Vulnerabilities (syserr and permissions programs)
I-016: SCO  /usr/bin/X11/scoterm Vulnerability
I-017: statd Buffer Overrun Vulnerability

Version: 4.0 Business Edition


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH