Tutorial - FTP Bounce Vulnerability
FTP Relay Problem
Impact
With vulnerable servers, a malicious user can create a connection
between the FTP server and other systems on an arbitrary port.
The connection could be used to bypass access control restrictions
and enable an attacker to access ports on 'protected' networks.
Background
An FTP session consists of two connections between the client
and the server. The connection on the high port is enabled by
the client and allows the FTP server to send data to the client.
When the client wants to transfer data to or from the server,
it issues a PORT command. The PORT
command instructs the server to open a data connection, which
is used to transfer the data.
The PORT command is normally used only to open
connections between the server and the client. However, the FTP protocol
specifies that the PORT command may be used to open
connections between the server and any other host. Therefore, the client
can instruct the server to establish an FTP data connection
with any host the server can access, even if the client does not have
access to it.
The Problem
An outside attacker can use the FTP server to
open connections which appear to originate from
the server. This could be used to bypass the access control
restrictions.
Resolution
Configure the FTP server not to allow connections to be established with
any host other than the client.
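The check described above, sketched as an added example (not code from this tutorial or from any FTP server product): the server parses the PORT argument and refuses it unless the address equals the peer of the control connection. The function names, reply texts, sample addresses and the extra refusal of ports below 1024 are assumptions made for illustration.

```python
import ipaddress

class PortRejected(ValueError):
    """Raised when a PORT command must be refused."""

def parse_port_argument(arg):
    """Parse the 'h1,h2,h3,h4,p1,p2' argument of PORT into (address, port)."""
    fields = arg.strip().split(",")
    ok = len(fields) == 6 and all(
        f.isascii() and f.isdigit() and len(f) <= 3 for f in fields)
    if not ok:
        raise PortRejected("PORT needs six decimal fields")
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise PortRejected("field out of range 0-255")
    # The first four fields are the IPv4 address; the last two are the
    # high and low bytes of the TCP port.
    return ipaddress.IPv4Address(bytes(nums[:4])), nums[4] * 256 + nums[5]

def check_port_command(line, control_peer, min_port=1024):
    """Return (host, port) if the data connection may be opened, else raise.

    control_peer is the address the control connection actually came from.
    min_port is an assumed extra restriction, not stated in the tutorial.
    """
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() != "PORT":
        raise PortRejected("not a PORT command")
    host, port = parse_port_argument(arg)
    if host != ipaddress.IPv4Address(control_peer):
        raise PortRejected(f"target {host} is not the client {control_peer}")
    if port < min_port:
        raise PortRejected(f"port {port} is below {min_port}")
    return str(host), port

def reply_for(line, control_peer):
    """Map the decision to an FTP-style reply line (reply texts illustrative)."""
    try:
        check_port_command(line, control_peer)
        return "200 PORT command successful."
    except PortRejected as exc:
        return f"500 Illegal PORT command: {exc}"

if __name__ == "__main__":
    # Constructed sample input: client at 192.0.2.10, protected host 10.0.0.5.
    for cmd in ("PORT 192,0,2,10,195,80",   # client's own address, port 50000
                "PORT 10,0,0,5,0,25",       # third-party host: refused
                "PORT 192,0,2,10,0,25"):    # own address, low port: refused
        print(cmd, "->", reply_for(cmd, "192.0.2.10"))
```
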
If your vendor's FTP server does not allow this feature to be disabled,
and there is no patch available, consider installing the latest
version of