Why do your own port scanning…

…when others’ web browsers will happily do it for you! Attackers are thinking that very thing right now. A great paper was just posted to Full-Disclosure by mark@bindshell.net :

Manipulating FTP Clients Using The PASV Command

Note that by “FTP Clients”, mark is not talking about things like ws_ftp and the like. He’s talking about web browsers, which will happily talk many protocols, including FTP. Specifically vulnerable, in this case, is Firefox. A crashing bug seems to keep Konqueror from being able to perform banner-grabbing in an attack like this, and Opera also limits the convenience of this exploit by warning when usernames are passed in a URL. Looks like it works like a dream in Firefox though!

The basic idea is that, in PASV mode, an FTP server tells the client which host and port to connect to for the data connection, encoded as a comma-delimited list of numbers. A malicious FTP server can put an arbitrary IP address and port in this reply, and by using a web browser’s JavaScript capabilities, a script can be written to connect to the malicious FTP server, which in turn directs the browser to connect to a specific port on a third-party host to see if it is open. This could be leveraged as part of a web site an attacker controls (by ownership or by cross-site scripting), forcing the visitors of the site to perform scans on behalf of the attacker. The third party being scanned would only see the innocent visitors in its logs.

The paper has good detail and is easy to read. Mitigation techniques are specified for developers of FTP clients (specifically web browsers). Web browser users should be careful about what sites they allow to execute scripts (Firefox users: give the NoScript add-on a try). To keep your site from being the host for this, the usual precautions against cross-site scripting apply (for starters, heavily filtering input).
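To make the client-side mitigation concrete, here is an added example (my own code, not anything from the post or from mark’s paper) of what a careful FTP client should do with a 227 reply: decode the comma-delimited numbers, refuse to open the data connection to any host other than the one the control connection is already talking to, and refuse low ports. The second function shows the alternative several modern clients take, which is to ignore the advertised address entirely and reuse the control host. The sample replies and IP addresses are constructed for illustration, and the port floor of 1024 is a policy assumption, not something the paper specifies.

```python
"""
Defensive handling of FTP PASV (227) replies.

Sample replies and addresses below are constructed; the "hostile" reply imitates
what the paper describes: a server handing the client an address that is not its own.
"""
import re

# RFC 959 4.1.2: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
# Tolerates servers that omit the parentheses.
_PASV_RE = re.compile(
    r"^227\D*(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
)


class PasvRejected(ValueError):
    """Raised when a PASV reply would send the data connection somewhere unsafe."""


def parse_pasv_reply(reply):
    """Decode a 227 reply into (host, port); reject anything malformed."""
    m = _PASV_RE.match(reply.strip())
    if not m:
        raise PasvRejected("malformed PASV reply: %r" % reply)
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise PasvRejected("octet out of range in PASV reply: %r" % reply)
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise PasvRejected("PASV reply advertises port 0")
    return host, port


def choose_data_target(control_host, reply, min_port=1024):
    """
    Strict policy: the data host must be the host we already hold the control
    connection with. A server that names any other address is asking us to
    connect to a third party on its behalf. The low-port refusal (min_port is
    an assumed policy value) blocks the well-known service ports a scan
    would be aimed at.
    """
    host, port = parse_pasv_reply(reply)
    if host != control_host:
        raise PasvRejected(
            "PASV host %s differs from control host %s" % (host, control_host)
        )
    if port < min_port:
        raise PasvRejected("PASV port %d below policy minimum %d" % (port, min_port))
    return host, port


def choose_data_target_lenient(control_host, reply, min_port=1024):
    """
    The approach several modern clients take: discard the advertised address,
    keep only the port, and connect back to the control host. The server can
    then no longer redirect us to anyone else; the port check is still needed.
    """
    _, port = parse_pasv_reply(reply)
    if port < min_port:
        raise PasvRejected("PASV port %d below policy minimum %d" % (port, min_port))
    return control_host, port


# Constructed sample replies.
HONEST_REPLY = "227 Entering Passive Mode (198,51,100,7,195,80)"  # 198.51.100.7:50000
HOSTILE_REPLY = "227 Entering Passive Mode (192,0,2,10,0,22)"     # third party, port 22

if __name__ == "__main__":
    print("honest:", choose_data_target("198.51.100.7", HONEST_REPLY))
    try:
        choose_data_target("198.51.100.7", HOSTILE_REPLY)
    except PasvRejected as err:
        print("hostile rejected:", err)
    print("lenient:", choose_data_target_lenient("198.51.100.7", HOSTILE_REPLY.replace("0,22", "195,80")))
```

Run it as a script to see the honest reply accepted and the hostile one refused with the reason. The lenient variant is what you want when talking to servers behind NAT that advertise a private address, which is also why simply ignoring the address is the more common fix in practice.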

Pretty soon, I’d like to set up a test environment for this attack and see how it looks if you’re being scanned by web browsers like this. I’ll report my results.
