As outlined in Chapter 4, FTP services bundled with the following operating platforms are vulnerable to bounce attacks in which port scans or malformed data can be sent to arbitrary locations via FTP:
FreeBSD 2.1.7 and earlier
HP-UX 10.10 and earlier
Solaris 2.6 / SunOS 5.6 and earlier
SunOS 4.1.4 and earlier
SCO OpenServer 5.0.4 and earlier
SCO UnixWare 2.1 and earlier
IBM AIX 4.3 and earlier
Caldera Linux 1.2 and earlier
Red Hat Linux 4.2 and earlier
Slackware 3.3 and earlier
Any Linux distribution running WU-FTPD 2.4.2-BETA-16 or earlier
If you know that an accessible FTP service is running on an internal network and is accessible through NAT, bounce attacks can be used to probe and attack other internal hosts, and even the server running the FTP service itself.
You can use the nmap port scanner in Unix and Windows environments to perform an FTP bounce port scan, using the -P0 and -b flags in the following manner:
nmap -P0 -b username:password@ftp-server:port <target host>
Example 8-5 shows an FTP bounce port scan being launched through the Internet-based FTP server at 220.127.116.11 to scan an internal host at 192.168.0.5, a known address previously enumerated through DNS querying.
# nmap -P0 -b 18.104.22.168 192.168.0.5 -p21,22,23,25,80

Starting nmap 3.45 ( www.insecure.org/nmap/ )
Interesting ports on (192.168.0.5):
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
23/tcp     closed      telnet
25/tcp     closed      smtp
80/tcp     open        http

Nmap run completed -- 1 IP address (1 host up) scanned in 12 seconds
If you can upload a binary file containing a crafted buffer overflow string to an FTP server that is in turn vulnerable to bounce attacks, you can then have the server deliver that file to a specific service port (either on the local host or on other addresses). This concept is shown in Figure 8-2.
For this type of attack to be effective, an attacker needs to authenticate and log into the FTP server, locate a writeable directory, and test to see if the server is susceptible to FTP bounce attack. Solaris 2.6 is an excellent example because in its default state it is vulnerable to FTP bounce and RPC service overflow attacks. Binary exploit data isn't the only type of payload that can be bounced through a vulnerable FTP server: spammers have also sent unsolicited email this way.
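The bounce works because the server honours a PORT command that names a third party. The following is an added example (not code from the book or from any FTP daemon) of the server-side check that closes the hole: accept a data connection only back to the control-connection client and only on an unprivileged port, and apply the same rule over existing logs to flag past attempts. The helper names and the sample log lines are constructed for illustration.

```python
# Added example: server-side PORT validation against FTP bounce, plus a log scan.
# Helper names are hypothetical; SAMPLE_LOG is constructed, not captured traffic.
from typing import List, Tuple

def parse_port_command(arg: str) -> Tuple[str, int]:
    """Decode the h1,h2,h3,h4,p1,p2 argument of a PORT command."""
    parts = arg.strip().split(",")
    if len(parts) != 6:
        raise ValueError("PORT argument must be six comma-separated numbers")
    nums = [int(p) for p in parts]
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError("PORT values must be in 0..255")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]          # p1 is the high byte, p2 the low byte
    return host, port

def check_port_command(arg: str, client_ip: str) -> Tuple[bool, str]:
    """Return (accept, reason). Reject a data connection aimed at any host
    other than the control-connection client, or at a privileged port."""
    try:
        host, port = parse_port_command(arg)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    if host != client_ip:
        return False, f"target {host} differs from client {client_ip}"
    if port < 1024:
        return False, f"privileged target port {port}"
    return True, "ok"

def flag_bounce_attempts(log_lines: List[str]) -> List[str]:
    """Scan lines of the form '<client_ip> PORT <arg>' and return the ones
    the check would reject, each annotated with the reason."""
    flagged = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 3 or fields[1].upper() != "PORT":
            continue
        accept, reason = check_port_command(fields[2], fields[0])
        if not accept:
            flagged.append(f"{line} -> {reason}")
    return flagged

SAMPLE_LOG = [  # constructed sample lines, not real server logs
    "203.0.113.9 PORT 203,0,113,9,200,10",   # back to the client, port 51210: fine
    "203.0.113.9 PORT 192,168,0,5,0,21",     # third-party internal host, port 21
    "203.0.113.9 PORT 203,0,113,9,0,25",     # client address but privileged port
    "203.0.113.9 PORT 1,2,3",                # malformed argument
]
```

Running `flag_bounce_attempts(SAMPLE_LOG)` returns the last three lines with their reasons; the first is accepted.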
Since 1995 when Hobbit released his first white paper on the issue of FTP abuse, a number of similar documents and approaches have been detailed. The CERT web site has a good description of the issue with background information, accessible at http://www.cert.org/tech_tips/ftp_port_attacks.html.