{"vuid":"VU#2558","idnumber":"2558","name":"File Transfer Protocol allows data connection hijacking via PASV mode race condition","keywords":["PASV","wu-ftpd","tcp","ftp"],"overview":"There is a vulnerability in the File Transfer Protocol (FTP) that allows an attacker to hijack FTP data connections when the client connects using passive mode (PASV).","clean_desc":"In FTP PASV mode, the client makes a control connection to the FTP server (typically port 21/tcp) and requests a PASV data connection. The server responds by listening for client connections on a specified port number, which is supplied to the client via the control connection. If an attacker can make a connection to the listening port before the client connects, the server will transmit the data to the attacker instead of the client. To exploit this vulnerability, the attacker must intercept or guess the port number that the server will use, then make its connection attempt before the client establishes a data connection. If the server chooses port numbers using an easily identifiable pattern (such as incrementally), this vulnerability is trivial to exploit. Note that this vulnerability was first discovered in February 1999, so it is likely that many FTP servers have been patched to address this issue.","impact":"Remote intruders can hijack data requested by a legitimate user. It may also be possible to insert data onto an FTP server if the server is acting in a peering (mirroring) relationship with another server.","resolution":"Apply a patch from your vendor. Please see the vendor section of this document for information on obtaining patches.","workarounds":"Reject data connections from hosts that do not match the control connection host. One possible mitigation strategy is to reject data connections that do not originate from the same IP address as the control connection, but this has several problems. First, it makes the server not strictly compliant with RFC 959. Second, it can be defeated by an attacker on the same machine (or network, if spoofed IP addresses are used). Use randomly selected PASV ports to decrease the likelihood of interception. If the server chooses the PASV listening port randomly, it will be difficult or impossible for an attacker to determine the data port. Note that this will not protect against attackers who are able to intercept the FTP control connection, because the FTP server must supply the PASV listening port to the client.","sysaffected":"","thanks":"The CERT/CC thanks Gregory A Lundberg and Jeffrey R. Gerber for their detailed explanations of this vulnerability.","author":"This document was written by Jeffrey P. Lanza and Jed M Pickel.","public":["ftp://ftp.wu-ftpd.org/pub/wu-ftpd-attic/ANNOUNCE-2.4.2-beta-18-vr14","http://www.cert.org/tech_tips/ftp_port_attacks.html","http://www.ietf.org/rfc/rfc959.txt","http://www.infowar.com/iwftp/iw_sec/iw_sec_01.txt","http://www.securityfocus.com/bid/4895","http://online.securityfocus.com/bid/5461"],"cveids":["CVE-1999-0351"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"1999-02-17T18:19:28Z","publicdate":"1999-02-01T00:00:00Z","datefirstpublished":"2002-04-29T19:53:37Z","dateupdated":"2003-03-26T22:09:12Z","revision":31,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"11","cam_internetinfrastructure":"5","cam_population":"15","cam_impact":"8","cam_easeofexploitation":"10","cam_attackeraccessrequired":"20","cam_scorecurrent":"13.95","cam_scorecurrentwidelyknown":"16.2","cam_scorecurrentwidelyknownexploited":"20.25","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":13.95,"vulnote":null}