Date: Wed, 12 Jul 1995 02:20:20 -0400
Subject: The FTP Bounce Attack
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
This discusses one of many possible uses of the "FTP server bounce attack".
The mechanism used is probably well-known, but to date interest in detailing
or fixing it seems low to nonexistent.
This particular example demonstrates
yet another way in which most electronically enforced "export restrictions" are
completely useless and trivial to bypass.
It is chosen in an effort to make
the reader sit up and notice that there are some really ill-conceived aspects
of the standard FTP protocol.
Thanks also to Alain Knaff at imag.fr for a brief but entertaining discussion
of some of these issues a couple of months ago which got me thinking more
deeply about them.
You are a user on foreign.fr, IP address F.F.F.F, and want to retrieve
cryptographic source code from crypto.com in the US.
The FTP server at
crypto.com is set up to allow your connection, but deny access to the crypto
sources because your source IP address is that of a non-US site [as near as
their FTP server can determine from the DNS, that is].
In any case, you
cannot directly retrieve what you want from crypto.com's server.
However, crypto.com will allow ufred.edu to download crypto sources because
ufred.edu is in the US too.
You happen to know that /incoming on ufred.edu
is a world-writeable directory that any anonymous user can drop files into and
read them back from.
Crypto.com's IP address is C.C.C.C.
This assumes you have an FTP server that does passive mode.
Open an FTP
connection to your own machine's real IP address [not localhost] and log in.
Change to a convenient directory that you have write access to, and then do:
quote "stor foobar"
Take note of the address and port that are returned from the PASV command.
This FTP session will now hang, so background it or flip to
another window or something to proceed with the rest of this.
Construct a file containing FTP server commands.
Let's call this file
It will look like this:
F,F,F,F,X,X is the same address and port that your own machine handed you
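The whole trick above rests on the server opening its data connection to whatever h1,h2,h3,h4,p1,p2 address the client hands it, the same form PASV returns. The standard server-side countermeasure, later written down in RFC 2577, is to refuse a PORT whose host differs from the control connection's peer and to refuse privileged ports. The following is an added illustration of that check, not code from this post or from any FTP server; the function names, the 192.0.2.x / 198.51.100.x sample addresses and the sample PORT arguments are all constructed for the example.

```python
"""Added example: validating an FTP PORT argument against the control peer.

Assumptions (not from the original post): function names are invented,
sample addresses use documentation ranges, and min_port=1024 follows the
RFC 2577 recommendation to refuse data connections to privileged ports.
"""
import ipaddress
import re

# Six comma-separated decimal fields: four host octets, then port hi, port lo.
_PORT_RE = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port_arg(arg):
    """Parse 'h1,h2,h3,h4,p1,p2' into (IPv4Address, port).

    Raises ValueError on malformed input: wrong field count, field > 255,
    or a zero port.
    """
    m = _PORT_RE.match(arg.strip())
    if not m:
        raise ValueError("PORT argument must be six comma-separated numbers")
    fields = [int(f) for f in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("PORT fields must be in 0..255")
    host = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    port = (fields[4] << 8) | fields[5]
    if port == 0:
        raise ValueError("PORT port must be non-zero")
    return host, port


def check_port_command(control_peer, arg, min_port=1024):
    """Decide whether a server should honour a PORT command.

    control_peer: IP address the client's control connection came from.
    Returns (accepted, reason). A host other than control_peer is the
    bounce pattern and is rejected; so is a privileged port.
    """
    try:
        host, port = parse_port_arg(arg)
    except ValueError as e:
        return False, f"malformed: {e}"
    if host != ipaddress.IPv4Address(control_peer):
        return False, f"third-party data target {host} != control peer {control_peer}"
    if port < min_port:
        return False, f"privileged port {port}"
    return True, f"ok: data connection to {host}:{port}"


# Constructed sample: a control connection from 192.0.2.10 issuing four PORT
# commands. Only the first names its own address and an unprivileged port.
SAMPLE = [
    ("192.0.2.10", "192,0,2,10,4,1"),        # own host, port 1025: accept
    ("192.0.2.10", "198,51,100,7,4,1"),      # third-party host: reject
    ("192.0.2.10", "192,0,2,10,0,25"),       # own host but port 25: reject
    ("192.0.2.10", "192,0,2,10,300,1"),      # field > 255: malformed
]


def audit(samples=SAMPLE):
    """Run the check over a list of (control_peer, port_arg) pairs."""
    return [check_port_command(peer, arg) for peer, arg in samples]


if __name__ == "__main__":
    for (peer, arg), (ok, why) in zip(SAMPLE, audit()):
        print(f"{'ACCEPT' if ok else 'REJECT'} PORT {arg} from {peer}: {why}")
```

The same comparison belongs on the client side of PASV if a server is being proxied, and it does nothing about the other ingredient of the post, an anonymous-writable directory that can be read back; that one is a configuration matter, not a protocol check.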