• Defend against FTP bounce attack

    From Karloch@1:103/705 to All on Mon Feb 15 01:16:03 2021
    Hi everyone,

I frequently run security scans against my BBS, and in the reports my attention was drawn to a potential vulnerability using the FTP bounce attack (1). I have tried it myself and it seems rather simple to exploit. The steps are the following:

1. Log in to the FTP service of the BBS using telnet. For instance: telnet yourbbs.com 21
2. Authenticate with "USER yourusername" and "PASS yourpassword". If you have the Guest account enabled, you can use the anonymous username.
3. Once authenticated, run the following command: "EPRT |1|192.168.1.1|80|". You can change the IP address to the one you like and the 80 to the TCP port.
4. If the server returns "200 PORT Command successful", then it means the remote destination accepts connections on that port.

This allows a possible attacker to do a port scan, even behind our firewall, using this trick. Fixing it is fairly simple: the FTP server just has to deny the use of the PORT/EPRT command with any IP address different from the source host. Maybe this behaviour could be controlled by some config option in sbbs.ini.

    Regards,
    Carlos

    (1) https://en.wikipedia.org/wiki/FTP_bounce_attack

    ---
■ Synchronet ■ HISPAMSX BBS - The 8-bit MSX computers BBS - 2:341/111@fidonet
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
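The server-side check described in the message above, as an added example that is not Synchronet's own code: it parses PORT and EPRT arguments and rejects data-connection targets that differ from the control connection's peer, and also refuses reserved ports (< 1024), which the thread notes the real server already did. The reply strings, the `allow_bounce` option and the sample addresses are assumptions.

```python
import ipaddress
import re

# Constructed defensive check, not Synchronet's implementation: decide whether
# a PORT/EPRT request may be honoured, given the address the FTP control
# connection actually came from. Honouring a third-party address is what
# turns the server into a port-scanning relay (the FTP bounce).

EPRT_RE = re.compile(r"^\|([12])\|([^|]+)\|(\d+)\|$")  # RFC 2428 form: |proto|addr|port|

def parse_port_arg(arg):
    """Parse 'h1,h2,h3,h4,p1,p2' from a PORT command into (ip, port)."""
    parts = arg.strip().split(",")
    if len(parts) != 6:
        raise ValueError("malformed PORT argument")
    nums = [int(p) for p in parts]
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError("PORT octet out of range")
    ip = ".".join(str(n) for n in nums[:4])
    return ip, nums[4] * 256 + nums[5]

def parse_eprt_arg(arg):
    """Parse '|1|192.0.2.10|5000|' (RFC 2428) into (ip, port)."""
    m = EPRT_RE.match(arg.strip())
    if not m:
        raise ValueError("malformed EPRT argument")
    return m.group(2), int(m.group(3))

def data_target_allowed(command, arg, control_peer_ip, allow_bounce=False):
    """Return (ok, reply) for a PORT/EPRT request.

    Rejects the request when the data-connection address differs from the
    control connection's peer (the bounce case) unless allow_bounce is set,
    and refuses reserved ports (< 1024) in every case.
    """
    try:
        if command.upper() == "PORT":
            ip, port = parse_port_arg(arg)
        else:
            ip, port = parse_eprt_arg(arg)
        target = ipaddress.ip_address(ip)
        peer = ipaddress.ip_address(control_peer_ip)
    except ValueError:
        return False, "501 Syntax error in parameters or arguments."
    if not 0 < port < 65536:
        return False, "501 Invalid port."
    if port < 1024:
        return False, "504 Reserved port not allowed."
    if target != peer and not allow_bounce:
        return False, "504 Data connections to third-party addresses are not allowed."
    return True, "200 PORT Command successful."
```

Running the thread's own probe (`EPRT |1|192.168.1.1|80|`) from a control connection at another address now yields a 504 instead of the 200 that confirmed an open port.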
  • From Digital Man@1:103/705 to Karloch on Mon Feb 15 14:23:25 2021
    Re: Defend against FTP bounce attack
    By: Karloch to All on Mon Feb 15 2021 01:16 am

    Hi everyone,

I frequently run security scans against my BBS, and in the reports my attention was drawn to a potential vulnerability using the FTP bounce attack (1).

Thanks for the heads-up. The Synchronet FTP server has (since 2001) rejected FTP bounces to reserved/system TCP ports (< 1024), so I'm not sure how "vulnerable" it really was, but in any case, I've committed a change to disallow FTP bounces to *any* TCP port on a 3rd-party IP address, by default.
    --
    digital man

    This Is Spinal Tap quote #15:
    Review on "Shark Sandwich", merely a two word review: "Shit Sandwich".
Norco, CA WX: 59.8°F, 57.0% humidity, 0 mph W wind, 0.00 inches rain/24hrs
    --- SBBSecho 3.12-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Karloch@1:103/705 to Digital Man on Wed Feb 17 23:07:01 2021
    Re: Defend against FTP bounce attack
    By: Digital Man to Karloch on Mon Feb 15 2021 14:23:25

    Hi DigitalMan,

Thanks for the heads-up. The Synchronet FTP server has (since 2001) rejected FTP bounces to reserved/system TCP ports (< 1024), so I'm not sure how "vulnerable" it really was, but in any case, I've committed a change to

Indeed, I put the wrong example in my previous message; my tests were using ports > 1024. I don't think it was anything to worry about, as a possible attacker can only use it to do a port scan, but not actually access anything. The Qualys security scanner qualifies this as "potential" in colour "yellow". Usually actual serious vulnerabilities are marked "red".

disallow FTP bounces to *any* TCP port on a 3rd-party IP address, by default.

Just upgraded the Synchronet version to the latest commit and did both a Qualys security scan and a manual test myself, and indeed, the Synchronet FTP server is not allowing them anymore. I also tried to connect to the FTP using active mode and it works as expected, so I didn't experience any impact after the patch.

    Superb work! Thank you for taking care of it so swiftly.

    Regards,
    Carlos

    ---
■ Synchronet ■ HISPAMSX BBS - The 8-bit MSX computers BBS - 2:341/111@fidonet
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)