Article delegate-en/4897 of [1-5169] on the server localhost:119
[Reference:<_A4896@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: FTP port bounce prevention
05 Sep 2010 02:23:06 GMT feedback@delegate.org (Yutaka Sato)
The DeleGate Project


Hi,

In message <_A4896@delegate-en.ML_> on 09/05/10(00:13:52) I wrote:
 |Hi Jake,
 |
 |In message <_A4895@delegate-en.ML_> on 09/01/10(08:25:44)
 |you Jacob Lundberg <pdeiqbdyi-qjyh54kgstxr.ml@ml.delegate.org> wrote:
 | |One of the ways people try to prevent ftp port bounce attacks and
 | |probing is to require in the FTP server that the PORT command must
 | |specify the same IP as the originator of the control channel.  Is this
 | |possible with DeleGate?  From the documentation, it seems like DeleGate
 | |only supports turning the PORT command off entirely.
 |
 |Even if PORT is turned off, clients can establish active connections
 |by using EPRT as "EPRT |1|10.20.30.40|12345|" for example.
 |
 | |Either of these two things would work while still allowing PORT commands:
 | |
 | |1) An option to ignore the IP given in a PORT command and silently use
 | |the same IP as the control channel.
 | |
 | |2) An option to reject the PORT command if the IP address is not the
 | |same as the one in the control channel.
 | |
 | |Both of these options would be non-RFC-compliant behavior, but several
 | |security audit standards are requiring something of this sort.
 |
 |Thank you for your description of the problem.  Maybe I should follow
 |the following documents in CERT about "FTP Bounce."
 |  <URL:http://www.cert.org/advisories/CA-1997-27.html>
 |  <URL:http://www.cert.org/tech_tips/ftp_port_attacks.html>
 |
 |From version 9.9.8-pre13 on, DeleGate behaves as your 2) by default.
 |It can behave as 1) with an option FTPCONF="bounce:cb"
 |
 |  ---- Manual.htm#ftp-bounce ----
 |  bounce:{no|do|th|cb|rl}
 |    -- default: FTPCONF=bounce:no 
 |    controls how to manipulate FTP Bounce.
 |    no -- reject any FTP Bounce 
 |    do -- permit any FTP Bounce 
 |    th -- don't care FTP Bounce (backward compatible) 
 |    cb -- convert FTP Bounce to "EPRT |||port|" 
 |    rl -- reject FTP Bounce by REJECT="ftp-bounce:*:clientHost" 
 |  doepsv:sv
 |    use EPSV (instead of PASV) with FTP servers
 |  doeprt:sv
 |    use EPRT (instead of PORT) with FTP servers
 |  -------------------------------

The modification in 9.9.8-pre13 that implements all of the above options is
rather large.  The patch enclosed below does only one thing, with no
configuration option: it rejects an FTP Bounce, i.e. a PORT/EPRT whose
address differs from the peer address of the control connection.

Cheers,
Yutaka
--
  9 9   Yutaka Sato, CSDP <y.sato@delegate.org> http://delegate.org/y.sato/
 ( ~ )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller


*** delegate9.9.8-pre12/src/ftp.c	Sun Jun 13 21:03:52 2010
--- ./src/ftp.c	Sun Sep  5 11:13:38 2010
***************
*** 6035,6040 ****
--- 6035,6086 ----
  		return -1;
  	}
  }
+ 
+ int getsockVSAddr(int sock,VSAddr *vsa);
+ int getpeerVSAddr(int sock,VSAddr *vsa);
+ /*
+  * FTP bounce control
+  * http://www.cert.org/advisories/CA-1997-27.html
+  */
+ static int checkPORTdst(Connection *Conn,FtpStat *FS,PVStr(parg),PVStr(resp)){
+ 	VSAddr peer;
+ 	VSAddr sock;
+ 	VSAddr zero;
+ 	VSAddr port;
+ 	IStr(speer,128);
+ 	IStr(ssock,128);
+ 	IStr(szero,128);
+ 	IStr(sport,128);
+ 
+ 	getpeerVSAddr(ClientSock,&peer);
+ 	getsockVSAddr(ClientSock,&sock);
+ 	VSA_ftptosa(&zero,"255,255,255,255,0,0");
+ 	VSA_ftptosa(&port,"255,255,255,255,0,0");
+ 	VSA_ftptosa(&port,parg);
+ 
+ 	sprintf(speer,"%s:%d",VSA_ntoa(&peer),VSA_port(&peer));
+ 	sprintf(ssock,"%s:%d",VSA_ntoa(&sock),VSA_port(&sock));
+ 	sprintf(sport,"%s:%d",VSA_ntoa(&port),VSA_port(&port));
+ 	Verbose("--port {%s %s}{%s} <= {%s}{%s}[%d]\n",
+ 		FS->fs_curcom,parg,sport,speer,ssock,ClientSock);
+ 
+ 	if( VSA_port(&port) == 0 ){
+ 		if( FS->fs_XDCforCL ){
+ 			return 0;
+ 		}
+ 		sprintf(resp,"500 invalid address/port\r\n");
+ 		return -2;
+ 	}
+ 	if( VSA_addrcomp(&port,&zero) == 0 && parg[0] == '|' ){
+ 		return 0; /* empty address, EPSV |||xxxx|  */
+ 	}
+ 	if( VSA_addrcomp(&port,&peer) == 0 ){
+ 		return 0; /* matched with client's address */
+ 	}
+ 	sv1log("--PORT {%s %s}{%s} <= {%s}\n",FS->fs_curcom,parg,sport,speer);
+ 	sprintf(resp,"500 forbidden address\r\n");
+ 	return -3;
+ }
  static int setupPORT(Connection *Conn,FtpStat *FS,FILE *ts,FILE *fs,FILE *tc,PCStr(arg))
  {	CStr(resp,2048);
  	VSAddr vaddr;
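Review bot: In checkPORTdst the return values of getpeerVSAddr() and getsockVSAddr() are ignored, so if getpeername on ClientSock fails the uninitialized `peer` is what VSA_addrcomp() compares the requested address against, and the bounce check becomes unpredictable; assuming the usual negative-on-failure convention for these helpers, fail closed with `if( getpeerVSAddr(ClientSock,&peer) < 0 ){ sprintf(resp,"500 forbidden address\r\n"); return -3; }` before any comparison. The sentinel branch (`VSA_addrcomp(&port,&zero) == 0 && parg[0] == '|'`) accepts any EPRT whose address part VSA_ftptosa() left untouched, which is presumably only the empty-address form `EPRT |||port|` but would also cover an address that failed to parse — worth confirming against VSA_ftptosa. The comment on that branch says `EPSV |||xxxx|`; the command that carries an address is EPRT, so it should read `/* empty address, EPRT |||xxxx| */`. Note also that the -2 "invalid address/port" rejection is only traced via Verbose, whereas the -3 path gets an sv1log line; an operator auditing bounce attempts will want both at the same level.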
***************
*** 6044,6049 ****
--- 6090,6098 ----
  	if( FCF.fc_noportCL ){
  		sprintf(resp,"500 PORT is disabled.\r\n");
  	}else
+ 	if( checkPORTdst(Conn,FS,AVStr(FS->fs_dport),AVStr(resp)) != 0 ){
+ 		/* 9.9.8 forbidden PORT/EPRT address */
+ 	}else
  	if( ts == NULL ){
  		if( FCF.fc_immportCL && setupPORTi(Conn,FS,tc,AVStr(resp)) ){
  			sv1log("#### %s",resp);
